
FFIEC Guidance 2011 – Where Do We Start?

September 28, 2011 by Paul McCormack

The FFIEC recently supplemented its 2005 Guidance in response to what it calls an “increasingly hostile online environment”. Regardless of an institution's size, if it offers banking products online, it is a target. Almost weekly we hear of a new online fraud case that caught one or more banks unprepared. The guidance is timely, but it stops short of providing a “step-by-step” approach. Here’s what I believe financial institutions can do in light of the guidance:

1) Revisit the risk assessment
Not surprisingly, risk assessments are hated by most bankers and viewed as a useless exercise. I have personally spent countless hours locked in a conference room attempting to document all the types of fraud that might happen. Unfortunately, risk assessments are a necessary part of fraud prevention. Moreover, the supplement to the 2005 Guidance stresses the importance of keeping the risk assessment current. Here is a suggestion: to avoid producing a risk assessment that is stale and fails to help the bank improve its fraud defenses, consider engaging a third party to help. In the end, a risk assessment should document where risk “lives” and what residual risk remains after countermeasures have been deployed. A third party can help reenergize the process and produce much more insightful and informative analysis.

2) Analyze historical trends
Before additional funding can be secured and changes can be made as a result of the Guidance supplement, executives must understand the risk that banks now face in their online channels. To justify future investment, collate online transaction volumes for the last 5 years. If possible, include fraud attempts and losses by product, by year. Whether or not additional investment is needed in light of the FFIEC guidelines, tracking online fraud by product and by year is crucial to ensuring that your bank can respond to year-over-year increases in fraud losses.

3) Assess the effectiveness of your security measures
As this blog shows, the inherent risk associated with commercial accounts is far greater than that of retail accounts. The Guidance supplement recognizes that much more risk resides within commercial accounts than retail. The Experi-Metal case that we discussed on this blog clearly shows how much damage fraud can inflict, both financially and from a PR perspective. Layered security by definition should comprise multiple tactics that, implemented in sequence or simultaneously, ensure that only legitimate transactions are authorized. So how do you assess the effectiveness of your bank’s layered online security?

  • Convene a cross-divisional team to assess the adequacy of layered security – Members of the team should include both operations and client-facing functions. Online security must always balance the need for security against not making it too difficult for customers to complete a transaction. To test the effectiveness of your bank’s existing security, analyze fraud within other banks. Also, consider contacting Memento for assistance. Fraud solution providers are often overlooked as a source of fraud intelligence. They shouldn’t be. Not only are they often aware of fraud at other banks, they regularly hire bank fraud subject matter experts to help market their products.
  • Analyze the effectiveness of device identification & challenge questions – Can you “break” the process? If you can envision how to break it, so too can the fraudster. In fact, consider what happens when, despite your bank’s best efforts, authentication / validation fails. How effective is your bank’s ability to flag a fraudulent transaction if it makes it past your first line of defense? I have yet to read of an online authentication tool that cannot be hacked. If the Pentagon can be hacked, so too can your bank. The technology exists; it is just a question of whether fraudsters can get their hands on it. Regardless of how many authentication and online security tools your bank has in place, a layered security program should also include a solution for backend (i.e., cross-channel, payment-oriented) detection and fraud management.
  • Assess the customer education program – Create a scorecard to capture the program’s effectiveness. It is not good enough to say it exists; you must be able to judge how effective it has been to date, as well as document the steps that you will take in the future to ensure that the program continues to be effective over time.

This list is just a start, and hopefully provides ideas to help your bank make use of the FFIEC Supplement to the 2005 Guidance. After all, it is "guidance": compliance is not mandatory per se. Guidance is only of value when you invest the time to make it so.
