
FFIEC Proposes Changes to Internet Banking Authentication

10/27/2011

If the recommended changes go into effect, banks will soon be required to implement additional multifactor authentication controls. Once this happens, what will compliance look like and what may be required?

Here are some items that examiners may be looking for when evaluating your Internet Banking Authentication Program in 2012.

1. Additional layered security will be required of core banking applications. This additional technology may include the following items as summarized in this section:

  • Enhanced customer education
  • Enhanced control over changes to account maintenance activities performed by customers
  • Policy & procedure enhancements to address customers' computing systems that may already be compromised before they perform online banking activities
  • Blocking tools to restrict IP addresses from accessing banking servers
  • Establishing controls over allowable payment windows (time & day restrictions), number of daily transactions, payment receipts, and transaction values
  • The use of debit blocks to limit transaction amounts
  • The use of out-of-band technology for the validation of the transaction
  • The use of access devices such as texts and emails
  • Fraud detection and additional monitoring systems that consider customer history and behaviors
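The payment-window, daily-count, value-limit, debit-block and out-of-band controls in the list above can be enforced together by one policy check that runs before a transfer is released. The following is an added example, not code from this page or from the FFIEC guidance; the AccountPolicy limits, the step-up threshold and the sample dates are constructed values chosen for illustration.

```python
"""Layered transaction controls: payment windows, daily transaction counts,
per-transaction and daily value limits, debit blocks and an out-of-band
step-up. Added example; every threshold below is a constructed value."""
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal


@dataclass
class AccountPolicy:
    # Hypothetical limits a commercial customer would agree with the bank.
    # Hours are a 24h clock in the customer's local time; weekday 0 = Monday.
    allowed_weekdays: frozenset = frozenset({0, 1, 2, 3, 4})
    window_start_hour: int = 8
    window_end_hour: int = 18
    max_daily_count: int = 10
    max_single_amount: Decimal = Decimal("25000")
    max_daily_total: Decimal = Decimal("100000")
    oob_step_up_amount: Decimal = Decimal("10000")  # confirm out of band at/above this
    debit_block: bool = False                       # block every outgoing debit
    allowed_payees: frozenset = frozenset()         # empty: no payee restriction


@dataclass
class DailyActivity:
    """Running counters for the current business day."""
    count: int = 0
    total: Decimal = Decimal("0")


@dataclass
class Decision:
    allowed: bool
    step_up_required: bool
    reasons: list = field(default_factory=list)


def evaluate_transfer(policy, activity, amount, when, payee=None):
    """Evaluate one outgoing transfer against every layer of the policy.

    `amount` may be a number or string; `when` may be a datetime or an ISO
    8601 string. Every failing layer adds a reason, so the customer response
    and the audit log can state all of them at once."""
    amount = Decimal(str(amount))
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    reasons = []
    if policy.debit_block:
        reasons.append("debit block active on account")
    if when.weekday() not in policy.allowed_weekdays:
        reasons.append("outside allowed payment days")
    if not policy.window_start_hour <= when.hour < policy.window_end_hour:
        reasons.append("outside allowed payment window")
    if activity.count + 1 > policy.max_daily_count:
        reasons.append("daily transaction count exceeded")
    if amount > policy.max_single_amount:
        reasons.append("single transaction limit exceeded")
    if activity.total + amount > policy.max_daily_total:
        reasons.append("daily value limit exceeded")
    if policy.allowed_payees and payee not in policy.allowed_payees:
        reasons.append("payee not on approved list")
    allowed = not reasons
    # Out-of-band confirmation is a step-up on an otherwise permitted
    # transfer, not a block: the caller holds the payment until confirmed.
    step_up = allowed and amount >= policy.oob_step_up_amount
    return Decision(allowed, step_up, reasons)


def record(activity, amount):
    """Update the daily counters once a transfer has been accepted."""
    activity.count += 1
    activity.total += Decimal(str(amount))
    return activity


if __name__ == "__main__":
    policy = AccountPolicy()
    today = DailyActivity()
    # Constructed sample transfers: a Thursday inside the window, a large
    # one needing out-of-band confirmation, one over the limit, and a Saturday.
    for amt, ts in [(5000, "2011-10-27T10:00"), (15000, "2011-10-27T10:05"),
                    (30000, "2011-10-27T10:10"), (5000, "2011-10-29T10:00")]:
        d = evaluate_transfer(policy, today, amt, ts)
        print(amt, ts, "allowed" if d.allowed else "blocked",
              "(out-of-band confirmation)" if d.step_up_required else "", d.reasons)
        if d.allowed:
            record(today, amt)
```

The check collects every failed layer rather than stopping at the first, which is what an examiner will want to see in the audit trail, and it treats out-of-band validation as a hold on an otherwise permitted payment rather than a rejection.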

2. Risk Assessment Changes:

  • Changes to the external and internal threat environment
  • Changes in customer base that chooses to adopt electronic banking services
  • Changes in the customer functionality offered through electronic banking
  • Actual breaches, identity theft, and fraud must be addressed within the risk assessment

3. High Risk Transactions:

  • The agencies' position is that not all online transactions carry the same level of risk. This classification has not changed from the expectations outlined in 2005.

4. Incident Response and Intrusion Prevention Changes:

  • Financial institutions may be required to detect anomalies related to a customer's initial login and authentication.
  • Financial institutions may be required to detect anomalies related to the initiation of electronic transfers to other parties.

5. Computer Administrator Oversight:

  • System administrators may be required to authenticate to the online banking environment using techniques that surpass what the commercial customers use.
  • Changes to computer software or hardware may need to be reported to management immediately.

6. Computer Identification Techniques:

  • Banks may be required to enhance computer controls to implement one-time cookies
  • Cookies may need to include the following information:
    • PC configuration
    • IP address
    • Geographical location of the computer
  • Out-of-wallet challenge questions may be required. These are more complex questions and may include a “red herring” question that is designed to trick fraudsters.
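Items 4 and 6 above describe two pieces of the same login control: a device cookie built from PC configuration, IP address and location, used once and then reissued, and an anomaly check of the login against the customer's history. The following is an added example in Python, not code from this page or from the FFIEC guidance; the server key, the LoginHistory contents, the scoring weights and the decision thresholds are constructed for illustration.

```python
"""Device identification with one-time cookies bound to a hashed PC
configuration / IP address / location fingerprint, plus a login anomaly
score computed against the customer's history. Added example; the key,
the history and the scoring thresholds are constructed."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumption: in production this key lives in an HSM or key-management
# service and is rotated; the literal here is a constructed demo value.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def fingerprint(pc_config, ip, geo):
    """SHA-256 over the three attributes the guidance lists; only the hash
    is stored server-side, never the raw configuration."""
    material = json.dumps({"pc": pc_config, "ip": ip, "geo": geo}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def ip_prefix(ip):
    """First three octets of an IPv4 address: a coarse 'same network' test."""
    return ".".join(ip.split(".")[:3])


class DeviceRegistry:
    """Server-side record of issued device cookies. A cookie is a random
    nonce plus an HMAC over customer, fingerprint and nonce. The nonce is
    retired the first time it is presented, so a copied cookie is useless
    once the legitimate device has logged in again."""

    def __init__(self):
        self._active = {}  # nonce -> (customer_id, fingerprint)

    def _tag(self, customer_id, fp, nonce):
        msg = f"{customer_id}|{fp}|{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, customer_id, fp):
        nonce = secrets.token_hex(16)
        self._active[nonce] = (customer_id, fp)
        return f"{nonce}.{self._tag(customer_id, fp, nonce)}"

    def redeem(self, cookie, customer_id, fp):
        """True if the cookie is valid for this customer and device. The
        nonce is consumed whether or not validation succeeds."""
        if not cookie or "." not in cookie:
            return False
        nonce, tag = cookie.split(".", 1)
        entry = self._active.pop(nonce, None)
        if entry is None:
            return False
        return (hmac.compare_digest(self._tag(customer_id, fp, nonce), tag)
                and entry == (customer_id, fp))


@dataclass
class LoginHistory:
    """What the institution has previously seen for this customer."""
    countries: set
    ip_prefixes: set
    usual_hours: set


def login_anomaly_score(history, ip, geo, hour, known_device):
    """Weighted score of how far this login departs from the history.
    Weights are constructed for the example, not taken from the guidance."""
    score, reasons = 0, []
    if not known_device:
        score += 2
        reasons.append("unrecognised device")
    if geo not in history.countries:
        score += 3
        reasons.append("new geography")
    if ip_prefix(ip) not in history.ip_prefixes:
        score += 1
        reasons.append("new network")
    if hour not in history.usual_hours:
        score += 1
        reasons.append("unusual time of day")
    return score, reasons


def login_decision(score):
    """Map the score to an action: allow, step up out of band, or hold for review."""
    if score < 2:
        return "allow"
    if score < 5:
        return "step-up"
    return "review"


def process_login(registry, history, customer_id, cookie, pc_config, ip, geo, hour):
    """One login: redeem the presented cookie, score the attempt, and (unless
    held for review) issue a fresh one-time cookie for the next session."""
    fp = fingerprint(pc_config, ip, geo)
    known = registry.redeem(cookie, customer_id, fp)
    score, reasons = login_anomaly_score(history, ip, geo, hour, known)
    decision = login_decision(score)
    new_cookie = registry.issue(customer_id, fp) if decision != "review" else None
    return decision, reasons, new_cookie
```

Because the fingerprint includes the IP address exactly as the guidance lists it, a customer whose address changes will present as an unrecognised device and be stepped up rather than blocked; institutions that find this too noisy can hash the network prefix instead, at the cost of a coarser device match.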

7. Customer Education Programs:

  • A hot line may be required if a customer needs to report fraudulent activity
  • A listing of additional risk mitigation mechanisms that the customer may use to mitigate their own risks may need to be published online
  • Commercial online banking customers may be required to perform their own risk assessment
  • Controls governing how the institution may contact a customer to request online banking credentials
  • Enhancement of Regulation E to outline an explanation of protections provided, and not provided, to account holders relative to electronic fund transfers

Over the next year we expect to see these 26 items scrutinized. During your next IT exam, insist that these controls are included in the scope of your assessment.