FFIEC Guidance on Online Security Requires Banks to Take Action
Recent regulatory guidance calls for banks to be more proactive in promoting online banking fraud prevention through security technology and expanded communications with their commercial clients.
Security concerns continue to keep many corporate clients from banking online, and account-takeover fraud against commercial customers has kept growing. Against that backdrop, in June 2011 the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its 2005 guidance, Authentication in an Internet Banking Environment.
The supplement reinforces the risk management framework described in the original guidance and updates the agencies' expectations for customer authentication, layered security and other controls in what it calls an "increasingly hostile online environment." It also directs banks to help their business clients strengthen their own fraud prevention.
The supplement sets out the member agencies' expectations for how institutions should secure electronic banking. Specifically, it calls on financial institutions to:
- Enhance security measures in order to better address growing risks
- Raise awareness among corporate clients regarding security threats they face and the steps they can take to make themselves less vulnerable to fraud
- Make corporate clients more aware of the controls their bank has in place to thwart increasingly sophisticated cyber attacks
The guidelines aim to assist banks in thwarting potential security breaches and minimizing the reputational risk they face arising from cyber crime. Following the guidelines will enable a bank to reassure its clients that the bank "has their back" when they participate in online banking.
Why is this so important?
One of the reasons that experts say online banking hasn't found universal acceptance is security fears. Those fears have been fed by highly publicized security failures at some major banks and by phishing campaigns aimed at their customers.
In general, corporate America isn't aware of all of the substantive fraud prevention measures that banks have implemented to prevent further attacks. As a result, banks have some work to do in order to persuade their clients that banking with them online is safe and smart.
The FFIEC guidance aims to help banks reassure clients by instituting a layered security program and communicating with clients about online banking fraud prevention.
Layered security guidelines
The guidance suggests some effective controls that can support a bank's layered security program. Among them are:
- Fraud detection and monitoring systems that take into account customer history and behavior and enable a timely and effective institution response
- Dual customer authorization, with the second approval coming through a different access device than the one used to initiate the transaction
- Positive pay, debit blocks and other techniques that limit the transactional use of the account
- Enhanced controls over account activities, such as transaction value thresholds, authorized payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times)
- IP reputation-based tools that block connections to banking servers from IP addresses known or suspected to be associated with fraudulent activity
- Policies and practices for dealing with compromised client devices and for dealing with customers who may be facilitating fraud
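The controls in this list translate directly into per-account rules that a bank's payment platform evaluates before releasing a transaction. The Python below is an added illustration, not code from the FFIEC supplement or from FPS: it applies a transaction value threshold, a daily limit, a payee allowlist, a velocity limit, a payment window, an IP reputation check, a dual-authorization-on-different-devices rule and a customer-history baseline to four constructed payments, and shows why the layers are stronger together than any one of them alone. The account limits, the blocklisted IP ranges (taken from the RFC 5737 documentation ranges) and every transaction are constructed assumptions.

```python
"""Layered per-account transaction controls of the kind listed above: value
thresholds, payee allowlist, velocity limit, payment window, IP reputation
blocking, dual authorization from different devices and a behavioural baseline.
Added example; account, limits, IP ranges and payments are all constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

@dataclass
class AccountControls:
    per_txn_limit: float        # transaction value threshold
    daily_limit: float          # aggregate value allowed per calendar day
    max_txns_per_day: int       # number of transactions allowed per day
    allowed_payees: set[str]    # authorized payment recipients
    payment_days: set[int]      # weekdays allowed, 0 = Monday .. 6 = Sunday
    window: tuple[time, time]   # allowable payment window on those days
    dual_auth_above: float      # second approver required above this value
    debit_block: bool = False   # account may not originate debits at all

@dataclass
class Transaction:
    txn_id: str
    amount: float
    payee: str
    when: datetime
    initiator: str
    initiator_device: str
    src_ip: str
    approver: str | None = None
    approver_device: str | None = None

# Constructed reputation list (RFC 5737 test ranges); a bank would feed this from a reputation service.
BAD_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

def ip_is_suspect(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in BAD_NETWORKS)

def evaluate(txn: Transaction, ctl: AccountControls, history: list[Transaction]) -> tuple[str, list[str]]:
    """Apply every layer; return (decision, reasons). history = the account's completed payments.
    Reputation and debit-block hits block outright; every other hit holds the payment for review."""
    hard, soft = [], []
    if ctl.debit_block:
        hard.append("debit_block")
    if ip_is_suspect(txn.src_ip):
        hard.append("ip_reputation")
    if txn.amount > ctl.per_txn_limit:
        soft.append("per_txn_limit")
    same_day = [h for h in history if h.when.date() == txn.when.date()]
    if sum(h.amount for h in same_day) + txn.amount > ctl.daily_limit:
        soft.append("daily_limit")
    if len(same_day) + 1 > ctl.max_txns_per_day:
        soft.append("velocity")
    if txn.payee not in ctl.allowed_payees:
        soft.append("unknown_payee")
    start, end = ctl.window
    if txn.when.weekday() not in ctl.payment_days or not start <= txn.when.time() <= end:
        soft.append("outside_window")
    if txn.amount > ctl.dual_auth_above:
        if txn.approver is None or txn.approver == txn.initiator:
            soft.append("dual_auth_missing")
        elif txn.approver_device == txn.initiator_device:
            soft.append("dual_auth_same_device")  # malware on one device could supply both approvals
    amounts = [h.amount for h in history]
    if len(amounts) >= 5:  # customer-history baseline: amounts more than 3 sigma from the norm
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma and abs(txn.amount - mu) / sigma > 3:
            soft.append("behaviour_anomaly")
    if hard:
        return "block", hard + soft
    return ("review", soft) if soft else ("allow", [])

def demo() -> dict[str, tuple[str, list[str]]]:
    """Run four constructed payments for one commercial account, in order."""
    ctl = AccountControls(25_000, 50_000, 5, {"ACME-Payroll", "Widget Supply Co"},
                          {0, 1, 2, 3, 4}, (time(7, 0), time(19, 0)), 10_000)
    # constructed history: routine supplier payments plus two payroll runs, all on weekdays
    past = [(4200, 9), (3900, 12), (14800, 13), (4500, 14), (4100, 15), (15200, 16), (3800, 19)]
    history = [Transaction(f"H{i}", amt, "Widget Supply Co", datetime(2011, 9, d, 10),
                           "alice", "laptop-a", "192.0.2.10") for i, (amt, d) in enumerate(past)]
    day = datetime(2011, 9, 20)  # a Tuesday
    ok = ("alice", "laptop-a", "192.0.2.10")
    txns = [
        Transaction("T1", 4_000, "Widget Supply Co", day.replace(hour=10, minute=30), *ok),
        # account-takeover pattern: new payee, 3 a.m., listed IP, over limits, no second approver
        Transaction("T2", 48_000, "Offshore Holdings", day.replace(hour=3, minute=12), "alice", "laptop-a", "203.0.113.45"),
        Transaction("T3", 15_000, "ACME-Payroll", day.replace(hour=14, minute=5), *ok, "bob", "laptop-a"),
        Transaction("T4", 15_000, "ACME-Payroll", day.replace(hour=14, minute=9), *ok, "bob", "phone-b"),
    ]
    results = {}
    for t in txns:
        results[t.txn_id] = evaluate(t, ctl, history)
        if results[t.txn_id][0] == "allow":
            history.append(t)  # only completed payments feed the later checks
    return results
```

Calling demo() returns one decision per payment. The routine supplier payment is allowed. The overnight transfer to an unknown payee from a listed address is blocked with seven reasons recorded, so even if the reputation list had missed that address the value threshold, payment window, payee allowlist, dual authorization and history baseline would still have held it for review. The payroll run approved by a second user from the same laptop goes to review, because a single compromised device could have produced both approvals; the identical run approved from a separate phone is released.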
Customer education and awareness guidelines
As part of its customer awareness and education campaign, the FFIEC urges financial institutions to:
- Explain which protections apply, and which do not, to electronic funds transfers under Regulation E, and how Regulation E applies to the types of accounts the client can reach online (it was written for consumer accounts, so commercial clients should not assume the same protection)
- Explain under what circumstances, and through which channels, the bank might contact a client on an unsolicited basis to request electronic banking credentials, so that any request arriving another way can be treated as a phishing attempt
- Encourage commercial online banking customers to periodically assess both their risk of fraud and the effectiveness of their fraud prevention controls
- Provide a list of risk control mechanisms that clients may consider to reduce their own fraud risk, or provide a listing of available resources where such information can be found
- Supply a list of persons in the bank to contact in the event a client suspects fraudulent account activity or experiences what is believed to be a phishing attempt by online fraudsters
- Review and update the institution's own risk assessment at least every twelve months, whenever new information becomes available, and before implementing new electronic financial services (an obligation on the bank itself rather than a customer education item)
An important requirement of the new FFIEC guidance is that financial institutions notify their clients whenever they enhance or otherwise revise their online risk prevention efforts.
Need communications assistance to comply?
The FFIEC expects all financial institutions to put in place layered security that better protects themselves and their corporate clients against online banking fraud, and its examiners assess institutions against the supplement. The guidance further expects institutions to educate their clients about the risks of doing business online, to suggest strategies, and to develop products and services that mitigate that risk.
As a content provider that specializes in serving wholesale bankers' client communication needs, FPS is well positioned to help you develop the kinds of communications that will enable you to comply with the recent FFIEC mandate. For more information on how FPS can help, contact Vince DiPaolo ([email protected] or 847-501-4120 x3).
. . .
FPS regularly works with financial services companies to maximize the impact of their client communications, including e-mail and online communications. To find out how we can help you develop effective strategies for communicating with corporate financial executives, contact FPS President Vince DiPaolo at 847-501-4120 x3 or [email protected].
If you are not already a MarketScope subscriber, please request your own free monthly edition.