The Federal Financial Institutions Examination Council (“FFIEC”) has issued supplemental guidance (the “Supplemental Guidance”) regarding internet banking customer authentication, layered security, and other controls to address what the FFIEC describes as an increasingly hostile online environment. The Supplemental Guidance updates and reinforces the Authentication in an Internet Banking Environment guidance issued by the FFIEC in October 2005. Examiners from the FFIEC’s member agencies will begin to formally assess financial institutions under the Supplemental Guidance in January 2012.
The FFIEC noted that the continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Such risks identified by the FFIEC include fraudulent methods to gain unauthorized access to customers’ online accounts and the development of complicated and automated attack tools. The FFIEC stated that effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions’ electronic agreements and transactions. The Supplemental Guidance does not endorse any specific security technology.
The Supplemental Guidance stresses that financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers’ online accounts. The Supplemental Guidance provides that financial institutions should implement more robust controls as the risk level of a transaction increases. Rather than relying on a single control to authorize high-risk transactions, financial institutions should, according to the Supplemental Guidance, implement a layered approach to security for high-risk internet-based systems. Layered security is defined by the Supplemental Guidance as the use of different controls at different points in a transaction process, so that a weakness in one control is generally compensated for by the strength of a different control. The Supplemental Guidance provides that such layered security programs should include, at a minimum, processes designed to detect anomalies and effectively respond to suspicious or anomalous activity and, for business accounts, enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as setting access privileges and application configurations.
The Supplemental Guidance also discusses the effectiveness of certain authentication techniques. With respect to device identification, the Supplemental Guidance provides that financial institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique. The FFIEC notes that although no device authentication method can mitigate all threats, the member agencies of the FFIEC consider complex device identification to be more secure and preferable to simple device identification. The Supplemental Guidance also provides that financial institutions should use sophisticated challenge questions, which rely on information that is not publicly available, as an effective component of a layered security program. Additionally, the Supplemental Guidance sets forth minimum elements that should be part of a financial institution’s customer awareness and educational efforts.