The Federal Financial Institutions Examination Council (FFIEC) recently released the supplement to its “Authentication in an Internet Banking Environment” guidance, which the agency first issued in 2005.
Credit unions are now required to comply with the new requirements, and examinations with the new guidance are starting this month.
These updates of the FFIEC regulations specifically address customer authentication, layered security, and other controls in the growing online environment.
Below are five major questions about complying with FFIEC’s Internet banking authentication guidance that every credit union should address before implementing a solution.
1. What does ‘layered security’ actually mean?
“Layered security” refers to the arrangement of fraud tools in a sequential fashion.
A layered approach starts with the most simple, benign, and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.
2. What does ‘multi-factor authentication’ actually mean?
A simple example of multi-factor authentication is the use of a debit card at an ATM.
The plastic debit card is an item you must physically possess to withdraw cash, but the transaction also requires the personal identification number (PIN) to complete the transaction.
The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.
3. Who does this guidance affect, and does it affect each type of credit grantor/ lender differently?
The guidance pertains to all financial institutions in the U.S. that fall under FFIEC’s influence.
While the guidance specifically mentions authenticating in an online environment, it’s clear that the overall approach the agency advocates applies to authentication in any environment.
4. How will the regulation mitigate fraud risk in the short- and long-term?
The guidance is an important way to reinforce that:
- Fraud losses undermine faith in our financial system;
- Fraud tactics evolve constantly; and
- The tools that combat fraud tactics have to evolve as well.
The guidance provides a perspective on why it’s important to understand the risk and to respond accordingly.
5. How are organizations responding?
Experian estimates that less than half of the institutions affected by this guidance are prepared for the examinations.
Many of the fraud tools in the marketplace, particularly those used to authenticate individuals, were deployed as point-solutions.
Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, “layered” approach that the guidance is seeking.