This summer the Federal Financial Institutions Examination Council (FFIEC) agencies issued a supplement to their 2005 guidance (“Authentication in an Internet Banking Environment”). The FFIEC consists of NCUA and the federal banking agencies.
NCUA expects federally insured credit unions to adopt the appropriate strategies and controls (or safeguards) outlined in this supplemental guidance to strengthen their authentication systems by January 2012.
Authentication is the process of verifying a member’s identity using methodologies and technologies before the member gains access to an online banking website. It’s a way to ensure members are who they say they are before accessing their personal financial information.
Why the new guidance? Times have changed. The authentication methods recommended six years ago have become less effective against the more sophisticated approaches fraudsters use.
So it’s time for credit unions to take a look at their member authentication systems to see what changes need to be made in light of these evolving threats.
The 2005 guidance moved institutions away from single-factor authentication (e.g., user name and password only) toward multifactor authentication, layered security, and other controls. Multifactor authentication combines factors from different categories: something the member knows (a password), something the member has (a token or a registered device), or something the member is (a biometric). Two items from the same category, such as a password plus a PIN or a password plus a challenge question, do not constitute multifactor authentication, although they can serve as one layer within a layered security program. The 2011 guidance takes this further, highlighting key precautions institutions should take if they offer electronic services.
Beginning in 2012, NCUA examiners will evaluate these controls at credit unions offering electronic services:
1. Risk assessments. Credit unions should review and update their existing risk assessments as new information becomes available, before implementing new electronic financial services, or at least every 12 months. Updated risk assessments should consider, but not be limited to, the following factors:
2. Member authentication for “high-risk” transactions. “High-risk transactions” are electronic transactions involving access to member information or the movement of funds to other parties (e.g., automated clearinghouse [ACH], wire transfer). Not every online transaction poses the same level of risk, so credit unions should implement more robust controls as the risk level of the transaction increases. For example, business accounts may pose a higher level of risk than consumer accounts because of the higher dollar amounts and frequency of transactions. That is why the FFIEC agencies recommend layered security and multifactor authentication for business accounts.
3. Layered security programs. Layered security means the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. The guidance directs credit unions to implement a layered approach to security for high-risk Internet-based systems. Effective controls that may be included in a layered security program include, but aren’t limited to:
Layered security programs also must detect and respond to suspicious activity at two points: the initial log-in and authentication of members requesting access to the credit union’s online banking system, and the initiation of electronic transactions involving the transfer of funds to other parties (e.g., via ACH or wire transfer). The agencies noted that transaction monitoring often could have prevented numerous fraudulent transactions from occurring.
For online access to business accounts, layered security should include enhanced controls for system administrators who are granted privileges to set up or change system configurations. According to the agencies, enhanced control over administrative access and functions can effectively reduce money transfer fraud.
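To make the layered approach in items 2 and 3 concrete, here is an added example (written for this article; it is not NCUA or FFIEC code and the guidance prescribes no particular implementation). It scores each log-in, funds transfer, and administrator configuration change against several independent controls (device recognition, geolocation, new payee, transaction value, transfer velocity, administrative privilege), then decides whether to allow the event, require out-of-band step-up authentication, or hold it for manual review. The member profiles, thresholds, event fields, and sample events are all constructed for the demonstration.

```python
"""Layered risk scoring for online banking events (hypothetical example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    member: str
    kind: str                      # "login", "transfer" or "admin_change"
    device_known: bool             # device previously registered by the member
    country: str                   # geolocation of the session
    amount: float = 0.0            # transfer amount, if any
    new_payee: bool = False        # first transfer to this payee
    account_type: str = "consumer"  # "consumer" or "business"
    mfa_passed: bool = False       # out-of-band step-up already succeeded


# Constructed profile data and thresholds. Business accounts move larger
# sums routinely, so their "high value" bar is higher, but they get a
# tighter velocity check because of the higher frequency of transfers.
HOME_COUNTRY = {"alice": "US", "acme-corp": "US"}
HIGH_VALUE = {"consumer": 2_000.0, "business": 10_000.0}
VELOCITY_LIMIT = {"consumer": 3, "business": 2}


def score_event(ev, transfers_so_far):
    """Each control adds its own signal, so a stolen password that clears the
    log-in layer does not by itself clear a transfer the transaction layer flags."""
    score, reasons = 0, []
    if not ev.device_known:
        score += 2
        reasons.append("unrecognized device")
    if ev.country != HOME_COUNTRY.get(ev.member):
        score += 2
        reasons.append("geolocation mismatch: " + ev.country)
    if ev.kind == "transfer":
        if ev.new_payee:
            score += 2
            reasons.append("first transfer to this payee")
        if ev.amount >= HIGH_VALUE[ev.account_type]:
            score += 2
            reasons.append("high value")
        if transfers_so_far >= VELOCITY_LIMIT[ev.account_type]:
            score += 1
            reasons.append("transfer velocity")
    elif ev.kind == "admin_change":
        # Enhanced control for administrators: configuration changes always
        # require step-up, even from a known device in the home country.
        score += 3
        reasons.append("administrator changed system configuration")
    return score, reasons


def decide(ev, transfers_so_far):
    """Map the score to an action. A high score is never released on MFA
    alone, so a compromised second factor cannot push through a fraudulent wire."""
    score, reasons = score_event(ev, transfers_so_far)
    if score >= 5:
        action = "hold_for_review"
    elif score >= 3:
        action = "allow" if ev.mfa_passed else "step_up"
    else:
        action = "allow"
    return action, score, reasons


def run(events):
    """Process events in order, tracking per-member transfer velocity."""
    transfers = defaultdict(int)
    results = []
    for ev in events:
        action, score, reasons = decide(ev, transfers[ev.member])
        if ev.kind == "transfer" and action == "allow":
            transfers[ev.member] += 1
        results.append((ev.member, ev.kind, action, score, reasons))
    return results


# Constructed sample activity: a consumer session that turns into an
# account-takeover pattern, and a business session with admin changes.
SAMPLE_EVENTS = [
    Event("alice", "login", True, "US"),
    Event("alice", "transfer", True, "US", amount=150.0),
    Event("alice", "transfer", False, "RO", amount=2_500.0, new_payee=True),
    Event("acme-corp", "login", True, "US", account_type="business"),
    Event("acme-corp", "admin_change", True, "US", account_type="business"),
    Event("acme-corp", "admin_change", True, "US", account_type="business",
          mfa_passed=True),
    Event("acme-corp", "transfer", True, "US", amount=4_000.0, account_type="business"),
    Event("acme-corp", "transfer", True, "US", amount=4_000.0, account_type="business"),
    Event("acme-corp", "transfer", True, "US", amount=4_000.0, account_type="business",
          new_payee=True),
]

if __name__ == "__main__":
    for member, kind, action, score, reasons in run(SAMPLE_EVENTS):
        print(f"{member:10} {kind:13} {action:16} score={score} {reasons}")
```

The third event shows why the layers matter: a valid password from an unrecognized device abroad, sending a high-value transfer to a new payee, accumulates a score of 8 and is held for review rather than released. The business session shows the administrator control: the configuration change is forced to step-up even though nothing else about the session is unusual, while the third transfer trips the velocity check only in combination with a new payee.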
Next: Authentication techniques