This page summarizes the Guidance Supplement issued in June 2011, and describes how Guardian Analytics FraudMAP® Online - a behavioral analytics solution that identifies suspicious online activity to prevent fraud - can enable financial institutions to meet key new regulatory expectations.
Also within this section, we've provided Resources that will help financial institutions understand their risks and learn about solutions available to help them achieve FFIEC compliance, and Industry Dialog that offers a summary of and links to helpful articles and commentary from across the industry on the updated guidance.
On June 28, 2011 the FFIEC released the supplement to its 2005 Authentication in an Internet Banking Environment guidance to establish updated supervisory expectations regarding authentication, layered security and more.
Background. The Supplement noted several factors that led to this update. Fraud threats have increased, including more sophisticated, effective and malicious methods of compromising authentication mechanisms. Organized criminal groups have become more specialized in financial fraud and have succeeded in compromising an increasing array of controls, using more sophisticated techniques such as man-in-the-browser attacks. Complex attack tools (e.g. banking Trojans) are also more widely available and used.
Current Controls are Ineffective. The result, in the Agencies' words, is that virtually every form of authentication can be compromised by today's threats and is therefore no longer sufficient on its own for protecting online accounts and transactions. The Supplement goes further, noting that simple device identification (cookies, IP address, geo-location) can be "proxied" or duplicated, making it ineffective as a stand-alone fraud defense, and that simple challenge questions can no longer be considered an effective risk mitigation technique (see pg 2 of the Supplement).
Updated Expectations. Unlike the 2005 Guidance, this Supplement is more specific and clearer in setting expectations for what examiners will look for starting January 2012. The Supplement has four broad topics that financial institutions must now consider:
Our company was founded on the idea that the best way to prevent online and mobile banking fraud is to do precisely what the FFIEC is prescribing - look for anomalous activity that is indicative of account takeover and fraud based on normal patterns of individual behavior. Somewhere between login and logout a criminal will do something unexpected or abnormal, at which point the institution can intervene and stop the attack before the money is gone.
The Guidance Supplement reinforces this when it adds, "transaction monitoring and anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior."
But what does it mean to "detect anomalous activity"?
Anomaly detection monitors online banking behavior looking for suspicious activity that doesn't match previously established patterns. To learn more see our white paper, A Practical Guide to Anomaly Detection.
To detect anomalous activity, FraudMAP Online uses behavioral analytics to monitor the online behavior of the individual account holder. FraudMAP Online evaluates every activity in every online session for behavioral anomalies relative to what is expected for that account holder, based on their own online banking history. Rather than looking only for specific malware, fraud indicators or fraud patterns, all of which change rapidly, behavioral analytics determines whether the exhibited behavior is expected and legitimate or suspicious. Because this approach does not depend on recognizing a known attack, FraudMAP Online can detect a wide array of new and emerging fraud attacks. (See graphic for how anomaly detection works to detect fraud.)
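To make the approach concrete, here is an added illustration of per-account-holder baselining and session scoring. It is example code written for this page, not FraudMAP code and not a description of Guardian Analytics' actual model; the features, weights, threshold and the session history are all assumptions constructed for the example. It shows the point the Supplement makes about device identification: a session from a known device in the usual country (as a man-in-the-browser attack would produce) is still caught because the money movement itself is anomalous for that account holder.

```python
"""Per-account-holder behavioral baseline and session scoring.

Added illustration of anomaly detection; not FraudMAP code. Features,
weights, threshold and the session history below are assumptions.
"""
from statistics import mean, pstdev

# Constructed history: eight past sessions for one account holder, showing a
# stable pattern (weekday mornings, two devices, one country, two payees).
HISTORY = [
    {"hour": 9,  "device": "desk-7f2a", "country": "US", "transfers": [("rent-co", 1800.0)], "secs_to_first_transfer": 210},
    {"hour": 10, "device": "desk-7f2a", "country": "US", "transfers": [("payroll-svc", 4200.0)], "secs_to_first_transfer": 185},
    {"hour": 8,  "device": "phone-3c1", "country": "US", "transfers": [], "secs_to_first_transfer": None},
    {"hour": 9,  "device": "desk-7f2a", "country": "US", "transfers": [("rent-co", 1800.0)], "secs_to_first_transfer": 240},
    {"hour": 11, "device": "desk-7f2a", "country": "US", "transfers": [("payroll-svc", 4350.0)], "secs_to_first_transfer": 170},
    {"hour": 9,  "device": "phone-3c1", "country": "US", "transfers": [], "secs_to_first_transfer": None},
    {"hour": 10, "device": "desk-7f2a", "country": "US", "transfers": [("payroll-svc", 4100.0), ("rent-co", 1800.0)], "secs_to_first_transfer": 200},
    {"hour": 9,  "device": "desk-7f2a", "country": "US", "transfers": [("rent-co", 1800.0)], "secs_to_first_transfer": 225},
]


def build_baseline(sessions):
    """Summarize what is 'normal' for this account holder from past sessions."""
    amounts = [amt for s in sessions for _, amt in s["transfers"]]
    tempos = [s["secs_to_first_transfer"] for s in sessions if s["secs_to_first_transfer"] is not None]
    return {
        "hours": {s["hour"] for s in sessions},
        "devices": {s["device"] for s in sessions},
        "countries": {s["country"] for s in sessions},
        "payees": {p for s in sessions for p, _ in s["transfers"]},
        "amount_mean": mean(amounts) if amounts else 0.0,
        "amount_sd": pstdev(amounts) if len(amounts) > 1 else 0.0,
        "amount_max": max(amounts, default=0.0),
        "max_transfers_per_session": max(len(s["transfers"]) for s in sessions),
        "min_secs_to_first_transfer": min(tempos) if tempos else None,
    }


# Assumed weights: context signals (hour, device, geo) can be spoofed or proxied
# one at a time, so none is conclusive alone; money-movement signals weigh more.
WEIGHTS = {"unusual_hour": 1, "new_device": 2, "new_country": 3, "new_payee": 2,
           "amount_outlier": 3, "unusual_velocity": 1, "session_too_fast": 2}
REVIEW_THRESHOLD = 5  # assumed: at or above this, hold the transfer for review


def score_session(baseline, session):
    """Return (risk_score, reasons) for one session against the baseline."""
    reasons = []
    # Login hour more than 3 hours (circular) from any hour previously seen.
    if min(min(abs(session["hour"] - h), 24 - abs(session["hour"] - h)) for h in baseline["hours"]) >= 3:
        reasons.append("unusual_hour")
    if session["device"] not in baseline["devices"]:
        reasons.append("new_device")
    if session["country"] not in baseline["countries"]:
        reasons.append("new_country")
    if any(p not in baseline["payees"] for p, _ in session["transfers"]):
        reasons.append("new_payee")
    # Amount ceiling: the larger of the historical max and mean + 3 sd.
    ceiling = max(baseline["amount_max"], baseline["amount_mean"] + 3 * baseline["amount_sd"])
    if any(amt > ceiling for _, amt in session["transfers"]):
        reasons.append("amount_outlier")
    if len(session["transfers"]) > baseline["max_transfers_per_session"]:
        reasons.append("unusual_velocity")
    # Transfer initiated far faster than this user ever has (scripted behavior).
    t, ref = session["secs_to_first_transfer"], baseline["min_secs_to_first_transfer"]
    if t is not None and ref is not None and t < 0.25 * ref:
        reasons.append("session_too_fast")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(baseline, session):
    """Map a score to an action: 'allow' or 'hold_for_review'."""
    score, reasons = score_session(baseline, session)
    return ("hold_for_review" if score >= REVIEW_THRESHOLD else "allow"), score, reasons


BASELINE = build_baseline(HISTORY)

# Constructed sessions to score against the baseline.
LEGIT = {"hour": 10, "device": "phone-3c1", "country": "US", "transfers": [("rent-co", 1800.0)], "secs_to_first_transfer": 260}
TAKEOVER = {"hour": 3, "device": "desk-b19e", "country": "UA",
            "transfers": [("mule-acct-01", 9800.0), ("mule-acct-02", 9600.0), ("mule-acct-03", 9700.0)],
            "secs_to_first_transfer": 20}
# Known device and country, as a man-in-the-browser attack would present.
MITB_LIKE = {"hour": 10, "device": "desk-7f2a", "country": "US", "transfers": [("mule-acct-01", 9800.0)], "secs_to_first_transfer": 30}

if __name__ == "__main__":
    for name, s in [("legit", LEGIT), ("takeover", TAKEOVER), ("mitb_like", MITB_LIKE)]:
        print(name, decide(BASELINE, s))
```

The MITB_LIKE session scores on payee, amount and tempo alone, with no device or geography signal, which is why the Supplement treats device identification as one layer rather than a sufficient control. In a real deployment the baseline would be rebuilt continuously, weights would be tuned per institution, and the hold would feed an out-of-band confirmation step rather than a hard block.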
FraudMAP Online is a proven, cost-effective, easy-to-use solution for preventing online and mobile banking fraud. It's in use by more institutions than any other behavior-based solution. And because it's SaaS, it's easy and inexpensive to deploy.
Here's the Supplement issued in June 2011 to the FFIEC's Authentication in an Internet Banking Environment guidance. Be sure to see page 5 that describes the agencies' minimum expectations, including anomaly detection as part of a layered security strategy.
This study highlights financial institutions' efforts to conform with the Guidance, and that they do not have a firm understanding of the FFIEC's minimum expectations for layered security.