Ensure FFIEC Compliance with Risk-Based Authentication

The FFIEC wants credit unions to implement a system of layered security.

October 6, 2011

The Federal Financial Institutions Examination Council (FFIEC) recently released a supplement to its “Authentication in an Internet Banking Environment” guidance, originally published in 2005.

Within this update are “specific supervisory expectations” that sit under an overall “general supervisory expectation” that institutions implement a “system of layered security.”

The specific expectations include, but aren’t limited to, conducting risk assessments at least every 12 months, customer authentication for high-risk transactions, and layered security programs.

Conceptually, this supplemental guidance reinforces the need for credit unions seeking to remain compliant with these expectations to take a risk-based approach to consumer authentication, at both the application and account management phases of the customer life cycle.

Understanding risk-based authentication

Risk-based authentication is a holistic assessment of the consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time.

Generally, risk-based authentication is approached in one of two manners. The risk assessment can be based on:

1. The type of products or services potentially being accessed and/or used (e.g., line of credit) by a customer; or
2. The customer's authentication profile (e.g., ability to verify identifying information).

Both approaches have merit, yet a true best practice is to merge both into a process that looks at each customer and transaction as unique and, therefore, worthy of uniquely defined treatment.

Risk-based authentication can deliver efficiency and proportionality in process and transactional cost, performance lift over traditional binary rule sets and policies, preservation of the customer experience, evolutionary adoption of emerging technologies and data assets, and flexibility and interoperability with core platforms and third-party service providers.

How to use risk-based authentication

A robust risk-based approach to authentication should encompass four main elements:

  1. Broad-reaching and accurately reported data sources
  2. Targeted analytics based on those data assets
  3. Detailed summary-level customer authentication results
  4. Flexibly defined decisioning strategies that incorporate scores, risk conditions, and compliance requirements

With a well-designed program in place, much of the decisioning can be done without human intervention. Score-driven policies allow institutions to apply automated authentication processes to most of their applicants or account management cases. This translates into fewer staff hours per case, which usually means lower cost.

Conversely, employees can more appropriately focus on the applications or transactions that warrant manual attention and treatment.

It’s also critical to understand past and current performance of risk-based authentication policies to allow for the adjustment over time of such policies. For example, these adjustments can be made based on evolving fraud risks, resource constraints, approval rate pressures or demands, and compliance requirements.

Predictive value and scoring

The overarching “business driver” in adopting a risk-based authentication strategy founded in analytics and proven scores is the predictive “lift” associated with using scoring in place of a more binary rule set.

While basic identity element verification checks—such as name, address, Social Security number, date of birth, and phone number—are important identity proofing treatments, when viewed in isolation they aren’t nearly as effective in predicting actual fraud risk.

In other words, the presence of positive verification across multiple identity elements alone doesn’t provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent.

Conversely, negative identity element verification results may be associated with both “true,” or “good,” customers as well as fraudulent ones. In other words, these false-positive and false-negative conditions lead to a lack of predictive value and confidence, as well as inefficient and unnecessary referral volumes.

In summary, a risk-based fraud detection and authentication system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity-related fraud.
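As an added illustration, not part of the original article and not an Experian product or scoring model, the following Python contrasts the binary identity-verification rule set described above with a score-driven decisioning strategy that combines identity element results, risk conditions, and a compliance requirement into tiered outcomes (approve, step-up authentication, manual referral). It also shows the "past and current performance" check from the "how to use" section by scoring a labelled sample history under both policies. The point weights, thresholds, risk conditions, high-risk transaction categories, and the sample requests are all assumptions constructed for the example.

```python
"""Risk-based authentication decisioning: a binary identity-verification rule
beside a score-driven policy with tiered outcomes and a compliance floor.
Added example; weights, thresholds, and sample data are assumptions."""
from dataclasses import dataclass

# Assumed transaction categories treated as high-risk (FFIEC expects stronger
# authentication for high-risk transactions; the list itself is hypothetical).
HIGH_RISK_TRANSACTIONS = {"external_transfer", "add_payee", "change_contact"}


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    # Identity element verification results against the institution's data sources
    name_ok: bool
    address_ok: bool
    ssn_ok: bool
    dob_ok: bool
    phone_ok: bool
    # Additional risk conditions (hypothetical data assets)
    device_known: bool          # device previously seen on this account
    geo_matches_address: bool   # IP geolocation consistent with address on file
    other_apps_30d: int         # other applications using this SSN in 30 days
    transaction_type: str
    is_fraud: bool              # ground-truth label, used only for evaluation


def binary_rule_decision(r: AccessRequest) -> str:
    """Traditional rule set: approve only when every identity element verifies."""
    if all((r.name_ok, r.address_ok, r.ssn_ok, r.dob_ok, r.phone_ok)):
        return "approve"
    return "refer"


def risk_score(r: AccessRequest) -> int:
    """0 (lowest risk) to 100. Failed elements and risk conditions add points (assumed weights)."""
    score = 0
    score += 0 if r.name_ok else 10
    score += 0 if r.address_ok else 10
    score += 0 if r.ssn_ok else 25
    score += 0 if r.dob_ok else 15
    score += 0 if r.phone_ok else 5
    score += 0 if r.device_known else 15
    score += 0 if r.geo_matches_address else 10
    score += min(15 * r.other_apps_30d, 45)   # SSN velocity, capped
    return min(score, 100)


def score_decision(r: AccessRequest, approve_below: int = 30, refer_at: int = 70) -> str:
    """Tiered outcome: approve / step_up (additional authentication) / refer (manual review).
    Compliance floor: a high-risk transaction never auto-approves on score alone."""
    s = risk_score(r)
    if s >= refer_at:
        return "refer"
    if s >= approve_below or r.transaction_type in HIGH_RISK_TRANSACTIONS:
        return "step_up"
    return "approve"


def evaluate(policy, requests) -> dict:
    """Past-performance view of a policy on labelled history: fraud not auto-approved,
    auto-approval volume, and referral volume including referrals of genuine customers."""
    out = {"fraud_total": 0, "fraud_stopped": 0, "auto_approved": 0,
           "referrals": 0, "false_referrals": 0}
    for r in requests:
        d = policy(r)
        if r.is_fraud:
            out["fraud_total"] += 1
            if d != "approve":
                out["fraud_stopped"] += 1
        if d == "approve":
            out["auto_approved"] += 1
        elif d == "refer":
            out["referrals"] += 1
            if not r.is_fraud:
                out["false_referrals"] += 1
    return out


# Constructed sample history (not real customer data). Field order:
# id, name, addr, ssn, dob, phone, device_known, geo_ok, other_apps_30d, txn, is_fraud
SAMPLE_REQUESTS = [
    AccessRequest("r1", True, True, True, True, True, True, True, 0, "balance_inquiry", False),
    # stolen identity: every element verifies, but new device, geo mismatch, SSN velocity
    AccessRequest("r2", True, True, True, True, True, False, False, 4, "external_transfer", True),
    # genuine customer who changed phone numbers
    AccessRequest("r3", True, True, True, True, False, True, True, 0, "balance_inquiry", False),
    # genuine customer with a clean profile requesting a high-risk transaction
    AccessRequest("r4", True, True, True, True, True, True, True, 0, "external_transfer", False),
    # fabricated identity: core elements fail alongside several risk conditions
    AccessRequest("r5", True, True, False, False, False, False, False, 1, "external_transfer", True),
    # genuine customer who moved and logs in from a new phone while travelling
    AccessRequest("r6", True, False, True, True, True, False, False, 0, "login", False),
]

if __name__ == "__main__":
    for name, policy in (("binary rules", binary_rule_decision), ("score-driven", score_decision)):
        print(name, evaluate(policy, SAMPLE_REQUESTS))
```

On this sample the binary rule auto-approves the stolen-identity request (every element verifies) while referring two genuine customers; the score-driven policy refers the fraud, resolves the genuine-but-changed profiles with a step-up challenge instead of a manual referral, and still forces step-up on the clean high-risk transfer because of the compliance floor. The same `evaluate` output is what an institution would watch over time to re-tune the thresholds as fraud patterns, referral capacity, or approval-rate pressures change.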

To implement efficient and appropriate risk-based authentication procedures, institutions must combine comprehensive and broadly categorized data assets (both within their own walls and sourced from third-party service providers) with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results.

The inherent value lies in the ability to strike such a balance not only in a current operational environment, but also as that environment shifts in response to underlying forces.

KEIR BREITENFELD is a senior director of product management and marketing for Experian’s Decision Analytics business unit.