
December 05, 2011

Vol. 7.4 Article - 5 Basic Steps Your Financial Institution Needs to Take to Be Compliant with Increased Standards in Internet Banking


As of January 1, 2012, regulators will assess your financial institution's Internet banking practices against a higher standard. The FFIEC Supplement to Authentication in an Internet Banking Environment (issued June 28, 2011), which updates the 2005 guidance Authentication in an Internet Banking Environment, takes effect to address current threats to the Internet banking environment. The supplement establishes five basic steps financial institutions must take to stay compliant: perform enhanced risk assessments, implement additional customer authentication controls for high-risk transactions, introduce controls to mitigate new threats, apply a layered security program, and increase customer education and awareness efforts.

 

1.    Enhanced Risk Assessments

Where the 2005 guidance directed financial institutions to perform periodic Internet banking risk assessments, the supplement directs them to review and update those assessments whenever new threats (internal or external) emerge, whenever new electronic banking capabilities or customer functionality are introduced, and in any case at least every 12 months. Other factors to consider include changes in the customer base adopting Internet banking and "triggering events" actually experienced by the institution or the industry, such as security breaches, identity theft, or fraud.

 

Even absent any triggering event, the agencies are emphasizing their expectation that financial institutions perform a risk assessment of their Internet banking environment at least annually.

 

2.    Additional Authentication for High-Risk Transactions

Electronic transactions that result in access to customer information or in the movement of funds from customer accounts to other parties are considered high-risk. To account for them, the risk assessments discussed above need to identify and risk-rate Internet banking activities and transactions, evaluate the adequacy and effectiveness of existing controls, and, as appropriate to the risk level, address the implementation of mitigating controls.

 

Because not every Internet banking transaction carries the same level of risk, the controls in place should be commensurate with that risk. In recent years, commercial Internet banking transactions have tended to be higher risk, given the higher account balances and larger typical transaction amounts. To manage this, the new guidance calls for layered security controls (discussed below) consistent with risk, and for multi-factor authentication for all commercial Internet banking customers.

 

3.    Introduce Controls to Mitigate New Threats

The new supplemental guidance includes an appendix titled Threat Landscape and Compensating Controls, which discusses newer threats such as keylogging malware and man-in-the-middle and man-in-the-browser attacks. The appendix identifies minimum control expectations that should be in place to provide the level of security customers expect and to protect institutions from financial and reputational risk. Controls for mitigating these risks may be software tools that must interface with the Internet banking systems or with the institution's internal network infrastructure, such as anti-malware software, transaction monitoring and anomaly detection software, "out-of-band" authentication and verification alerts, and USB devices providing session security. The appendix also notes that two controls widely deployed after the 2005 guidance, simple device identification based on a browser cookie and basic challenge questions, are no longer considered effective on their own against these threats.

 

4.    Apply a Layered Security Program

Implementing different security controls at different points in a transaction process is known as "layered" security: the strength of one control can compensate for a weakness in another, and an attacker who defeats one layer (for example, by capturing a password with a keylogger) still has to get past the rest. The new guidance emphasizes the need for financial institutions to implement a layered approach to strengthen the security of high-risk Internet-based systems. At a minimum, the layered program must be able to detect and respond to suspicious activity at login and at the initiation of funds transfers to other parties, and, for business accounts, it must provide enhanced controls over administrative functions such as setting user access privileges and transaction limits.
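To make sections 2 through 4 concrete, the following is an added example (not code from the newsletter, from ICS Risk Advisors, or from the FFIEC) of how an institution might risk-rate a single outbound transfer and map the result onto layered responses: out-of-band step-up, second-person (dual control) approval, or a hold for fraud review. The field names, weights, thresholds, and the sample customers and transfers are all constructed assumptions; a real deployment would take them from the institution's own risk assessment.

```python
"""Layered transaction-risk scoring for an online banking transfer (illustration)."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed score thresholds; real values would come from the risk assessment.
STEP_UP_AT = 3       # require out-of-band verification of the transfer
DUAL_CONTROL_AT = 6  # also require approval by a second authorized user
HOLD_AT = 9          # hold the transfer for fraud review
EXTERNAL_RAILS = ("ach", "wire")   # funds leave the institution


@dataclass(frozen=True)
class Customer:
    customer_id: str
    segment: str                 # "retail" or "commercial"
    known_payees: frozenset
    recent_amounts: tuple        # outbound transfer amounts in the look-back window
    usual_countries: frozenset
    approvers: frozenset         # users entitled to approve under dual control


@dataclass(frozen=True)
class Transfer:
    customer_id: str
    initiated_by: str
    payee: str
    amount: float
    rail: str                    # "internal", "ach" or "wire"
    origin_country: str          # geolocation of the session
    device_known: bool           # session came from a previously enrolled device


def score_transfer(c: Customer, t: Transfer):
    """Return (score, reasons). Each layer scores independently, so one missed
    signal (e.g. a stolen but enrolled device) is still covered by the others."""
    score, reasons = 0, []
    if t.rail in EXTERNAL_RAILS:
        score += 2
        reasons.append("funds move to another party")
    if t.payee not in c.known_payees:
        score += 3
        reasons.append("first payment to this payee")
    if c.recent_amounts:
        mu, sd = mean(c.recent_amounts), pstdev(c.recent_amounts)
        if t.amount > mu + 3 * max(sd, 1.0):      # crude amount anomaly check
            score += 3
            reasons.append("amount far above this customer's history")
    if t.origin_country not in c.usual_countries:
        score += 2
        reasons.append("session from an unusual country")
    if not t.device_known:
        score += 2
        reasons.append("unrecognised device")
    return score, reasons


def decide(c: Customer, t: Transfer):
    """Map the score to an action, with a floor for commercial money movement."""
    score, reasons = score_transfer(c, t)
    if score >= HOLD_AT:
        action = "hold"
    elif score >= DUAL_CONTROL_AT:
        action = "dual_control"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    if c.segment == "commercial" and t.rail in EXTERNAL_RAILS and action == "allow":
        action = "step_up"      # commercial ACH/wire never passes on a password alone
        reasons.append("commercial external transfer: multi-factor floor")
    return action, score, reasons


def dual_control_ok(c: Customer, t: Transfer, approver: str) -> bool:
    """Second-person approval: entitled approver, and never the initiator."""
    return approver in c.approvers and approver != t.initiated_by


# Constructed sample data (assumptions, not real customers)
ACME = Customer("C-1001", "commercial", frozenset({"Payroll Co", "Supplier A"}),
                (4000, 4200, 3900, 4100, 4300, 4000), frozenset({"US"}),
                frozenset({"alice", "bob"}))
JANE = Customer("C-2002", "retail", frozenset({"Electric Co"}),
                (120, 130, 125, 110, 140), frozenset({"US"}), frozenset())
ROUTINE_PAYROLL = Transfer("C-1001", "alice", "Payroll Co", 4100, "ach", "US", True)
LARGE_TO_KNOWN = Transfer("C-1001", "alice", "Supplier A", 9000, "wire", "US", False)
ACCOUNT_TAKEOVER = Transfer("C-1001", "alice", "Offshore Holdings", 25000, "wire", "RO", False)
RETAIL_NEW_PAYEE = Transfer("C-2002", "jane", "Friend", 150, "ach", "US", True)

if __name__ == "__main__":
    for name, c, t in [("routine payroll", ACME, ROUTINE_PAYROLL),
                       ("large wire, new device", ACME, LARGE_TO_KNOWN),
                       ("takeover pattern", ACME, ACCOUNT_TAKEOVER),
                       ("retail new payee", JANE, RETAIL_NEW_PAYEE)]:
        action, score, reasons = decide(c, t)
        print(f"{name:24s} score={score:2d} action={action:12s} {'; '.join(reasons)}")
    print("bob approves alice's wire:", dual_control_ok(ACME, LARGE_TO_KNOWN, "bob"))
    print("alice approves her own wire:", dual_control_ok(ACME, LARGE_TO_KNOWN, "alice"))
```

Two design points are worth noting. The routine payroll run scores low on every anomaly layer, yet still cannot complete on a password alone because of the commercial floor, which is how the guidance's expectation of multi-factor authentication for commercial customers coexists with risk-based scoring. And the takeover pattern (new payee, large amount, foreign session, new device) is held even though each individual signal, taken alone, could have an innocent explanation; that is the compensating effect the guidance means by "layered."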

 

5.    Increase Customer Education and Awareness

Finally, the updated guidance expects financial institutions to increase their customer education and awareness efforts by giving both retail and commercial account holders advice on security risks and on how to improve the security of their computers and browsers to mitigate vulnerabilities and attacks. These efforts can be delivered through various channels, including security links on the institution's web site, branch lobby signs and brochures, customer educational seminars, and statement mailers.

 

At a minimum, the agencies expect financial institutions to provide account holders with:

·         an explanation of the protections provided, and not provided, for electronic funds transfers under Regulation E, as applicable to the types of accounts with Internet access;

·         an assurance that the institution will never contact the customer on an unsolicited basis to request the customer's electronic banking credentials;

·         for commercial Internet banking customers, advice to perform a related risk assessment and controls review periodically;

·         a list of risk mitigation controls customers should implement to reduce their exposure to fraudulent account activity, or a listing of available resources where information on these controls can be found; and

·         contact information at the financial institution for reporting suspicious account activity or other customer information security-related events.

 

Some examples of controls customers may consider implementing to mitigate the risk of account takeover and fraudulent account activity include:

 

·         Keep operating system security patches and virus/spyware protection software up to date

·         Run firewall and intrusion detection/prevention software or services on the computers used for banking

·         Keep Internet banking authentication credentials confidential and safely stored

·         Implement dual control, with one user initiating and a different user approving, for high-risk Cash Management transactions such as ACH origination and wire transfers

·         Monitor account activity by regularly reviewing the Internet banking transaction history

·         Refrain from opening unsolicited email and attachments

·         Never provide authentication credentials to callers claiming to represent the financial institution

Author: Jan W. Koster serves as Director, Information Technology Audit for ICS Risk Advisors.
