Are All High-Risk Transactions Created Equal?

Transcription

1 Are All High-Risk Transactions Created Equal? How to Minimize FFIEC Exam Pain 1 Lee Wetherington, AAP Director of Strategic Insight

2 Agenda New Supplement to FFIEC Guidance Key Points; Intelligent Layering High-Risk Transactions Letter vs. Spirit of the Law The Truth about Santa & Remote Deposit Fraud Risk From the Horse s Mouth (Regulators/Examiners) The Bottom Line on High-Risk and Compliance What to Do Next Payments Risk Assessment; Rating Transaction Type Risk Tying Risk Ratings to Proper Controls/Layers 2 January 27, 2012

3 Supplement to FFIEC Guidance 3

4 FFIEC Guidance Documents August 2001 Authentication in an Internet Banking Environment October 2005 Auth. in an Internet Banking Environment Update January 2009 Risk Management of Remote Deposit Capture June 2011 Supplement to Auth. in Internet Banking Environment 4

5 5 Key Points Banks must: Perform periodic risk assessments Educate customers about fraud Implement layered security systems (intelligently) Mitigate fraud risks related to high risk transactions High risk transactions: Carry non-public personal information or move funds Risk and remote deposit capture Technically, remote deposit items are high risk transactions Examiners see RD as less risky than ACH credits and wires Your response must be based on your assessment!

6 High-Risk Transactions

7 electronic transactions involving access to customer information or the movement of funds to other parties. 7

8 Can you think of an electronic transaction that doesn t involve access to customer information or the movement of funds to other parties? 8

9 High-Risk Defined electronic transactions involving access to customer information or the movement of funds to other parties. More customers are conducting online transactions Not every online transaction poses same level of risk Banks should implement more robust controls as the risk level of the transaction increases

10 High-Risk vs. Higher-Risk electronic transactions involving access to customer information or the movement of funds to other parties. All on-line transactions defined as high-risk, but some higher than others Should NOT be based solely on retail vs. business Reg E apply? Retail transactions carry higher risk of loss to the bank (regulatory) Commercial accounts not covered, but still carry greater risk financial loss (legal) Focus on frequency and dollar amounts

11 The Truth About RDC Fraud Risk 11 January 27, 2012

12 The Truth about Remote Deposit Risk While over 13% of checks are remotely deposited, RDC items comprise only.01% of check fraud reported to FinCen between 2005 and There were no real differences in the various fraud and money laundering schemes perpetrated through the RDC check deposit channel when compared with the check deposits completed through more traditional means. Overall, RDC-related filings have been minimal, and they comprise a miniscule portion of all checkrelated bank SARs. 12

13 A Framework for Layered Security 13

14 14 Layered Security According to the guidance, layered security is: Multiple fraud prevention measures Placed at different points in the transaction process Deployed in a manner so that weaknesses in one measure will be compensated for by other measures To understand layered security, must understand how three components interact: The transaction process Threat categories Security measures

15 The Transaction Process These steps are required to create/process transactions: 1. A user logs in 2. The user submits/authorizes one or more transactions 3. The financial institution reviews and processes the transactions The FFIEC also includes administration activities, like setting up users and configuring the system Together, these steps make up the transaction process These steps are the layers on which your security measures will be deployed 15

16 Threat Categories Account Takeover Fraud committed by external users who gain access to the system with credentials stolen via phishing, malware, social engineering, etc. Trusted Entity Theft Fraud committed by legitimate users (FI employees, merchants, merchant employees, consumers) who go bad Session Manipulation Fraud committed by users or programs that hijack legitimate user sessions and/or modify session data Includes Man-in-the-Middle (MIM) and Man-in-the-Browser (MIB) attacks 16

17 Threats: Man-in-the-Middle (MITM) Normally, user connects via Internet to online site In MITM, fraudsters set up as a proxy in order to: Steal credentials for use in future account takeover Hijack user s session to create their own parallel session Manipulate transaction data sent in the legitimate session 17

18 Threats: Man-in-the-Browser (MITB) During a Man-in-the-Browser (MITB) attack, malware installed in the user s browser may: Steal credentials and deliver them to the fraudster for later use in account takeover attacks Capture data that allows launch of parallel session Manipulate RT/Account Number data during the session Malware 18

19 Why Are MITM & MITB So Dangerous? MITM and MITB can defeat: One Time Password Tokens Browser Cookie Picture or Text on Website IP Geo-location Device Fingerprinting Phone or Out-of-Band Authentication Virtual Keyboard Knowledge-Based Authentication

20 Threats and the Transaction Process Each type of threat attacks one or more points in the transaction process Your risk assessment should identify how threats attack the process used by each type of transaction This will dictate how security should be deployed Account Takeover Trusted Entity Theft Session Manipulation 20

21 Security Measures MFA: Adaptive Authentication/Tokens IP Address Whitelisting Day/Time Controls Security Alerts New Recipient Validation Merchant Velocity/ Daily Amount Limits User Permissions and Limits Dual Control Duplicate Detection Keying/Balancing Transaction Monitoring with Anomaly Detection History/Reporting Transaction Review Payments Dashboard Processing Alerts 21

22 Example: ACH Account Takeover Transaction Type: ACH MFA: Adaptive Authentication/Tokens Environment Protection IP Address Whitelisting Day/Time Controls New Recipient Validation Merchant Velocity/ Daily Amount Limits User Permissions and Limits Dual Control Processing Alerts Transaction Monitoring with Anomaly Detection History/Reporting Transaction Review Payments Dashboard 22 Account Takeover

23 Example: Trusted Entity Theft Transaction Type: Remote Deposit Merchant Velocity/ Daily Amount Limits Duplicate Detection Dual Control Transaction Monitoring with Anomaly Detection History/Reporting Transaction Review Payments Dashboard Keying/Balancing Processing Alerts 23 Trusted Entity Theft

24 A Layered Security Ex.: Session Manipulation Transaction Type: ACH Environment Protection IP Address Whitelisting New Recipient Validation Merchant Velocity/ Daily Amount Limits User Permissions and Limits Dual Control Processing Alerts (ACH Client) Transaction Monitoring with Anomaly Detection History/Reporting (Merchant Portal) Transaction Review (ACH Client) SmartSight (Merchant Portal) 24 Session Manipulation

25 Layered Security: Administrative Transaction Monitoring with Anomaly Detection MFA: Tokens Dual Control Security Alerts 25 Account Takeover Trusted Entity Theft Session Manipulation

26 A Framework for Layered Security Using this approach, banks can demonstrate how their security measures combat each type of fraud for each type of transaction 26

27 From the Horse s Mouth 27

28

29 29 Examiner Ex Cathedra (What He Said) RDC transactions are not as high risk as ACH/Wires. Bank s payments risk assessment and customer education are key to rigor of exam. Examiners will key off the assessment (even if the assessment is wrong and classifies all transactions as equally high risk. Banks can make case that certain low-volume ACH/Wire customers could be considered moderate risk if transaction limits/ceilings in place and those ceilings are commensurate with the FI s risk tolerance (size of bank, capital strength, liquidity, assets, etc.). For small banks with very limited numbers of payments customers, examiner recommends low-tech authentication on high-risk transactions, e.g., call backs, fax confirmations, even text message confirmations.

30 Examiner Ex Cathedra, cont d To simplify, instead of separate risk assessments for FFIEC, IT, GLBA, RDC, banks should (1) Combine their IT/GLBA assessment into one, and (2) combine RDC, ACH, Wires, and any other payment services into one enterprise-wide payments risk assessment that designates each payment type s risk (high, moderate, low) and justifies the FIs risk tolerance across all (a risk tolerance that should be explicitly approved by the FI s Board). Examiners will not discriminate against one anomaly detection solution over another. If, however, bank experiences fraud in which the anomaly detection in place was circumvented or comprised, the examiner will ask for details and ultimately question the efficacy of that solution going forward. 30

31 Demonstrate that You re Minding the Store 31

32 The Risk Management Process 1. Risk Identification - Identify assets to be protected, or source of risk. To properly identify risks, a bank must recognize and understand existing risks or risks that may arise from new business initiatives. Risk identification should be a continuing process. 2. Risk Assessment - Identify threats and vulnerabilities to assets, evaluate the threat impact, & prioritize. Inherent Risk 3. Risk Management - Apply controls designed to: Avoid/Eliminate Reduce Transfer Retain (acceptable or residual risk) 4. Test, train, re-evaluate

33 Inherent vs. Residual Risk Inherent risk prior to the application of controls Subjective based on objective criteria Must be determined before controls applied Residual Risk after application of controls Acceptable risk Also subjective Should be low, but may actually be high for high-risk customers

34 Risk Sources: Product Capability Basic Account Access Bill Payment Intrabank Transfers Interbank Transfers ACH Origination Wire Transfer Mobile Access Remote Deposit Capture

35 Risk Controls Anomaly Detection and Response (manual or automated) o Volume, Time-of-Day and Dollar Amount Thresholds Dual Authorization / Dual Control Multi-factor Authentication Out-of-Band Verification Positive-Pay, Debit Blocks (white lists) IP Blocks (black lists) Enhanced customer account maintenance controls Manual FI Transaction Approval Customer Education On-site Assessments

36 Demonstrate that You Aren t Complacent (Things Change) 36

37 Evolution of Risk: Remote Deposit Right now, most banks rely on client risk management (eligibility) Difficult to qualify for RDC Pay little attention to deposits once onboarded Mainstreaming RDC will require different approach Easier to qualify for RDC Use deposit monitoring tools to control risk 37

38 Evolution of Remote Deposit Risk, cont d 38

39 The Payments Risk Assessment Jack Henry & Associates, Inc. All Rights Reserved.

40 Right-sizing Risk SOURCE: Gladiator Technology, a ProfitStars Solution For more info: contact Jackie Marshall at (678) ; Or jackie@gladtech.net;

41 Right-sizing Risk, cont d SOURCE: Gladiator Technology, a ProfitStars Solution For more info: contact Jackie Marshall at (678) ; Or jackie@gladtech.net;

42 Right-sizing Risk, cont d

43 Commercial OLB Risk Assessment Likelihood of Occurrence Potential Damage Inherent Risk Residual Risk How likely is this threat to occur (without appropriate security controls in place)? Medium If the threat resulted in a security breach what kind of damage would result? Loss of funds Identity Theft Likelihood of occurrence X Potential Damage Medium Remaining Riskacceptable or unacceptable (unmanaged risk). Explain detail in mitigation strategy. Acceptable Internet Based Financial Transaction Types ACH Transfers, Wire Transfers, Mobile Banking, Remote Deposit Capture Reasonably Foreseeable Internal and External Threats and Vulnerabilities to the Information Asset Cyber criminal attacks such as phishing, social engineering, interception of transaction data, stolen data, resulting in corporate account takeover and identity theft SOURCE: Gladiator Technology, a ProfitStars Solution For more info: contact Jackie Marshall at (678) ; Or jackie@gladtech.net;

44 Commercial OLB Risk Assessment, cont d Controls in place to (P)revent and (D)etect Fraud (P) Business employees educated on use of application(s), IT security standards and best practices, common fraud schemes and procedures for contacting the FI in case of suspected security incident (P) Segregation of Duties; separate approval process; dual control utilizing two separate PCs. (P) (D) Real-time anti-virus and anti-spyware, desktop firewall, malware detection and removal software w/automatic updates and scheduled scans (P) PC not used to surf the web or (P) Procedures for logging off and leaving online banking PC unattended or not in use (P) Spam filters in place and updated (P) Mgr to understand responsibilities and liabilities per account agreement (D) Monitor and reconcile accounts daily (D) Discuss the options offered by the FI to detect or prevent out-of-pattern activity (D) Note any changes in PC performance (D) Pay attention to warnings (D) Be on the alert for rogue s (P) Scanned checks (RDC) retained for 14 days in locked cabinet and then destroyed by cross-cut shredding. Testing Methods, Frequency and Control Issues FI will conduct periodic analysis of the fraud controls via self-assessment or onsite visit Recommendations/Strategy to Mitigate Residual Risk Ex. (P) Dedicated PC utilized for online banking services (not utilized for web browsing, s and social networking SOURCE: Gladiator Technology, a ProfitStars Solution For more info: contact Jackie Marshall at (678) ; Or jackie@gladtech.net;

45 Risk Assessments When? Changes in the internal and external threat environment, or Changes in the customer base adopting electronic banking, or Changes in the customer functionality offered through electronic banking, or Actual incidents of security breaches, identity theft, or fraud experienced by the bank or industry, or At least annually

46

47 Lee Wetherington, AAP