FFIEC Guidance for Online Authentication Evolves
As you probably have heard by now, the FFIEC has issued new Guidance for authenticating online customers, and we should expect these guidelines to take effect in January 2012. That doesn’t leave a lot of time for financial institutions to get themselves ‘in compliance’.
The new guidelines are an enhancement to those originally issued in 2005. As one banker said to me, “These guidelines aren’t revolutionary like the original ones, they are evolutionary”. As the FFIEC points out, the internet is far more risky today than it was in 2005, and criminals are much more effective at compromising accounts despite existing bank controls. The FFIEC strongly encourages banks to perform periodic risk assessments and enhance their current controls due to this new environment.
In 2005, the FFIEC encouraged banks to focus on the authentication of customers at the time they logged in to online banking. Since every method of authentication can be compromised, as we have observed, the new guidelines are recommending that banks expand their efforts to a system of layered security – in other words, protecting all external channels as well as the core banking systems. The idea behind layered security is similar to that of a bank vault – the more layers you have, the harder it is to break through. Each new layer would help shore up weaknesses in any single layer, which would assist in preventing the fraudsters from getting through all the bank’s defenses.
In the Guidance, the FFIEC lists seven specific items that may be used as an institution creates its system of layered security, but it is quick to point out that this is not a definitive list. I’ve chosen three points from the list and explain why I believe they are so important:
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response.
By understanding the customer's actual behavior over a period of time, the bank gets to know its customers ("KYC") and can detect unusual activity. Transaction monitoring (monetary and non-monetary) enables a bank to meet its compliance requirements and prevent fraud, because unusual behavior and anomalies can be detected and addressed quickly. Detecting fraud when it is too late to prevent a monetary loss is not very helpful, so timing is also extremely important.
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times).
The FFIEC recognizes that not every online transaction carries the same level of risk, and it’s fine to have various thresholds based on the level of risk associated with various transactions. Looking for unusual activity (new payee, atypical day of week, etc.) relates right back to monitoring transactions and comparing them to historical behavior so you can readily identify potential fraud.
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels.
This is a great recommendation. If your bank is like many others I've talked to, you have experienced instances when fraudulent transactions were successfully detected in time to prevent them, but the fraud still occurred because the fraudster had changed the email address or telephone number on the account. So when the ‘customer’ was notified about the alert, it actually was the fraudster who authorized the transaction instead. Fraudsters plan ahead and perform account maintenance in order to ensure the real customer is not notified.
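The three points above fit together naturally in a single payment-screening step: build a behavioral profile from the customer's history, check each new payment against that profile and against the account's control thresholds, and treat a recent change to the customer's contact details as a reason to hold the payment and confirm it through the previously known contact channel rather than the new one. The following is an added example written for this post, not code from the FFIEC Guidance or from any bank's system; the profile fields, the control thresholds, the 48-hour contact-change hold and the sample transactions are all constructed assumptions.

```python
"""Added example (not from the post or the FFIEC Guidance): a minimal
layered-security screen for outbound payments that combines behaviour-based
anomaly detection built from customer history, per-account control thresholds,
and a hold on payments that follow a recent contact-detail change.
All field names, thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Transaction:
    ts: datetime
    payee: str
    amount: float


@dataclass
class Profile:
    """What the bank knows about the customer from past activity."""
    known_payees: Set[str] = field(default_factory=set)
    max_amount_seen: float = 0.0
    usual_weekdays: Set[int] = field(default_factory=set)   # 0 = Monday
    contact_changed_at: Optional[datetime] = None           # last email/phone edit


@dataclass
class Controls:
    """Per-account control thresholds (assumed values)."""
    amount_limit: float = 10_000.0
    daily_txn_limit: int = 5
    window_start_hour: int = 6        # allowable payment window, local time
    window_end_hour: int = 20
    contact_change_hold: timedelta = timedelta(hours=48)


def build_profile(history: List[Transaction],
                  contact_changed_at: Optional[datetime] = None) -> Profile:
    """Derive the behavioural baseline from historical transactions."""
    p = Profile(contact_changed_at=contact_changed_at)
    for t in history:
        p.known_payees.add(t.payee)
        p.max_amount_seen = max(p.max_amount_seen, t.amount)
        p.usual_weekdays.add(t.ts.weekday())
    return p


def flag_transaction(profile: Profile, controls: Controls,
                     txn: Transaction, txns_today: int) -> List[str]:
    """Compare one payment against history and thresholds; return anomaly flags."""
    flags = []
    if txn.payee not in profile.known_payees:
        flags.append("new_payee")
    if txn.amount > profile.max_amount_seen:
        flags.append("above_historical_max")
    if txn.amount > controls.amount_limit:
        flags.append("above_amount_limit")
    if txn.ts.weekday() not in profile.usual_weekdays:
        flags.append("atypical_weekday")
    if not (controls.window_start_hour <= txn.ts.hour < controls.window_end_hour):
        flags.append("outside_payment_window")
    if txns_today + 1 > controls.daily_txn_limit:
        flags.append("daily_count_exceeded")
    if (profile.contact_changed_at is not None
            and timedelta(0) <= txn.ts - profile.contact_changed_at
            < controls.contact_change_hold):
        flags.append("recent_contact_change")
    return flags


def decide(flags: List[str]) -> str:
    """Map flags to an action. A contact change plus any other anomaly means the
    alert must not go to the (possibly attacker-controlled) new phone or email."""
    if "recent_contact_change" in flags and len(flags) > 1:
        return "hold_verify_via_prior_contact"
    if len(flags) >= 2:
        return "step_up_authentication"
    if flags:
        return "alert_and_review"
    return "allow"


# Constructed sample data: a customer who pays on Tuesdays/Thursdays in office hours.
SAMPLE_HISTORY = [
    Transaction(datetime(2011, 7, 5, 10, 15), "ACME Payroll", 4200.0),
    Transaction(datetime(2011, 7, 7, 14, 30), "Metro Utilities", 310.0),
    Transaction(datetime(2011, 7, 12, 9, 5), "ACME Payroll", 4200.0),
]
CONTACT_CHANGED_AT = datetime(2011, 7, 15, 23, 40)   # phone number edited late Friday
ROUTINE_TXN = Transaction(datetime(2011, 7, 19, 10, 0), "ACME Payroll", 4200.0)
SUSPICIOUS_TXN = Transaction(datetime(2011, 7, 16, 2, 30), "Fast Wire Svc", 9500.0)


def run_demo() -> dict:
    """Screen both sample payments and return the flags and decision for each."""
    profile = build_profile(SAMPLE_HISTORY, contact_changed_at=CONTACT_CHANGED_AT)
    results = {}
    for name, txn in (("routine", ROUTINE_TXN), ("suspicious", SUSPICIOUS_TXN)):
        flags = flag_transaction(profile, Controls(), txn, txns_today=0)
        results[name] = (flags, decide(flags))
    return results


if __name__ == "__main__":
    for name, (flags, action) in run_demo().items():
        print(f"{name}: flags={flags} -> {action}")
```

The routine Tuesday-morning payroll payment produces no flags and is allowed; the Saturday 02:30 wire to a never-seen payee, sent within hours of a phone-number change, trips five flags and is held for verification through the contact details on file before the change. In a real deployment the profile would be built from months of monetary and non-monetary activity rather than three rows, and the thresholds would differ by account category or payment rail (ACH versus wire), as the post suggests.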
If you haven’t done so already, I encourage you to read all of the FFIEC recommendations. And once you perform your risk assessment, think about which of the recommendations would add the most value to your fraud prevention and compliance efforts. Most banks have limited budgets, so one approach you could take would be to implement some of these security layers for specific account categories or payment systems (such as ACH or Wire). Additionally, as a best practice, try to work with a solution provider that can help you solve multiple fraud prevention and compliance problems.
Good luck with your preparations for 2012. The year is half gone already, so it is definitely time to get serious about this new Guidance!