FFIEC Supplemental Guidance to Authentication in an Internet Banking Environment. Robert Farmer Senior Technology Compliance Manager

Transcription

1 FFIEC Supplemental Guidance to Authentication in an Robert Farmer Senior Technology Compliance Manager

2 Effective Date The FFIEC Supplement to Authentication in an was issued on June 28, 2011 for the purpose of, 1) reinforcing the 2005 Guidance titled Authentication in an, and 2) providing an update to address current security threats within the Internet Banking environment by establishing expectations for institutions to implement additional controls for customer authentication, layered security, and consumer education and awareness. The FFIEC member agencies have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning January 1, This will provide institutions and their service providers with sufficient time to address the expectations as outlined in the new supplemental guidance. In summary, the supplement provides additional guidance for: Performing risk assessments continuously assess the threat environment, with focus on malware attacks, and maintain up-to-date controls as threats evolve, Implementing effective strategies for mitigating identified risks, including using different controls at various layers of the transaction to reduce risks of account takeovers and financial losses, and Raising customer awareness of potential risks, fraud prevention, and communicating to the financial institution about suspicious account activity. Risk Assessments Under the 2005 Guidance, institutions were directed to perform periodic Internet banking risk assessments and enhance their customer authentication controls as appropriate to address existing threats to customers Internet banking accounts. Under this guidance, institutions are expected to review and continually update their risk assessments: As new threats both internal and external are introduced, As new electronic banking services and customer functionality are implemented, or At least every 12 months. Additional factors should be considered in the updated risk assessments including 1) changes in the customer base adopting Internet banking, and 2) actual incidents of security breaches, identity theft, or fraud experienced by the institution or the industry. With the new guidance, the agencies are reiterating and stressing the expectation for financial institutions to perform periodic risk assessments at least annually FIS and/or its subsidiaries. All Rights Reserved. 2

3 Authentication for High-Risk Transactions High-risk transactions are defined as electronic transactions resulting in access to customer information or the movement of funds from customer accounts to other parties. The risk assessment should: Identify and risk-rate Internet banking activities and transactions, Assess the adequacy of existing controls, and As appropriate based on risk level, implement more robust mitigating controls. As not every Internet banking transaction has the same level of risk, the controls in place should be commensurate with the risk. In recent years, commercial Internet banking transactions tend to be higher risk, due to higher account balances, commercial type transactions, and larger transaction amounts. The new guidance suggests implementing layered security controls consistent with risk. For all commercial Internet banking customers, multi-factor authentication should be implemented. The new supplemental guidance includes an appendix titled Threat Landscape and Compensating Controls which discusses new threats such as keylogging malware, man-in-the middle, and man-in-the browser attacks, and identifies minimum control expectations which should be in place to provide the level of security that customers expect and that protect institutions from financial and reputation risk. Controls for mitigating these risks may be software tools that require interfacing with Internet banking systems or the institution s internal network infrastructure such as anti-malware software, transaction monitoring/anomaly detection software, out-of-band authentication and verification alerts, and USB devices providing session security. Layered Security Program Implementing various security controls at different points in a transaction process is layered security. Using this method, the strength of one control will generally compensate for the weakness in another control. The new guidance emphasizes the need for financial institutions to implement a layered approach to strengthen the security for high-risk Internet-based systems. Financial institutions will be expected to include the following two elements within their layered security program: 1) Detect and Respond to Suspicious Activity initial login/authentication and EFT transactions. Monitoring controls, both manual and automated, for detection and response to anomalous activity should be implemented to help prevent fraudulent high risk transactions such as ACH and wire transfers from being originated by unauthorized parties. Some examples of these types of controls are: Unusual login activity report Security alerts to end-users for password, , mobile phone number and security question/answer changes Large bill payment transaction report 2013 FIS and/or its subsidiaries. All Rights Reserved. 3

4 Bill payment new payee alerts to end-users ACH origination and customer summary reports Wire transfer summary reports Large transaction reports Large transaction alerts via or SMS text New payee alerts for ACH origination and wire transfers Transaction monitoring software for detecting unusual ACH transactions 2) Control of Administrative Functions for business customers, the layered security should include enhanced controls for system administrators to more effectively reduce fraud. Examples of detective and preventative controls are: Dual control for Cash Management administrator activity Mandatory dual control for ACH origination and wire transfer activity Administrator access restriction by IP address and time of day Out-of-band (e.g., via SMS, , phone call) authentication, verification, and alerts Transaction limits for high-risk transaction types Customer Awareness and Education Financial institutions are expected to increase their customer awareness and education efforts, providing advice to both retail and commercial account holders on security risks and recommendations on how to improve the security of their computers and browsers in order to mitigate vulnerabilities and attacks. Awareness and education efforts can be accomplished through security links on the institution s web site, branch lobby signs and brochures, customer educational seminars, and statement mailers. The agencies are requiring at a minimum, the financial institutions to implement the following elements for customer awareness and educational efforts: Disclosures providing explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, applicable to the types of accounts with Internet access; Explanation that the institution will not contact the customer on an unsolicited basis to request the customer s electronic banking credentials; Suggestion to commercial Internet banking customers to perform a related risk assessment and controls review periodically; A list of risk mitigation controls that customers should implement to reduce their exposure to fraudulent account activity, or a listing of available resources where information concerning these controls may be found; and, 2013 FIS and/or its subsidiaries. All Rights Reserved. 4

5 Contact information at the financial institution for customers to use in the event they notice suspicious account activity or experience customer information security-related events. Examples of controls that customers may consider implementing to mitigate the risks of account takeover and fraudulent account activities are as follows: Maintain up-to-date operating system security patches and virus/spyware protection software; Implement firewall and intrusion detection/prevention software or services; Safekeeping and confidentiality of Internet banking authentication credentials; Implement dual control for initiating and approving high risk Cash Management transactions such as ACH origination and wire transfers; Daily account activity monitoring via Internet banking account transaction history review; Refraining from opening unsolicited and attachments; and Refraining from providing authentication credentials to callers claiming to be representing the financial institution. Action Plan Conduct an updated Internet banking risk assessment Implement appropriate layered security controls Work with Internet Banking and Cash Management service providers to implement additional layered controls. Ensure customers are provided with enhanced security awareness and education Perform ongoing periodic risk assessments Contact us FIS Enterprise Governance, Risk and Compliance (EGRC) Solutions FIS and/or its subsidiaries. All Rights Reserved. 5