FFIEC Releases Supplemental Guidance for Internet Banking Security

It’s been 24 hours since the FFIEC released their Supplement to the Authentication in an Internet Banking Environment guidance issued in October 2005 and it has been interesting to watch the industry’s reaction to this much-anticipated update.  Some think it is a positive step, some think it is not specific enough in defining responsibilities for banks, and some think it is outright lacking in certain areas.
And while all of these points have some element of truth to them, it is important not to overlook that, at its heart and most importantly, the guidance acknowledges that today's threats are too sophisticated for yesterday's controls. Authentication alone is no longer effective for protecting online accounts and transactions, and financial institutions now have new expectations for risk assessments and layered security strategies.
The supplement reinforces the need for a layered security approach, and explicitly states that the agencies expect (not suggest or encourage, but expect) that an institution’s layered security program will contain two elements at a minimum: 1) the ability to detect and respond to suspicious activity, and 2) improved control of administrative functions. It defines the first element as processes designed to detect and effectively respond to suspicious or anomalous activity related to initial log-in and electronic transaction requests. That is, check for suspicious activity from log-in to log-out.
There is a reason detecting anomalies and suspicious activity is first – it works across all customers and across the widest array of threats.  The Guidance even states, “transaction monitoring and anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”
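To make concrete what "anomalous when compared with the customer's established patterns of behavior" means in practice, here is a small added example (not code from the original post, and not FraudMAP or any vendor's implementation). It builds a per-account baseline from constructed historical ACH transfers (hypothetical account and payee names) and flags a new transfer request when its payee, channel, or amount falls outside that account holder's own pattern. The z-score threshold and minimum-history count are assumed tuning values, not figures from the Guidance.

```python
"""Toy per-account transaction anomaly check, in the spirit of the FFIEC
supplement's first layered-security element: compare each new ACH/wire
request against the account holder's own established behaviour, rather
than against a single bank-wide rule."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float
    payee: str
    channel: str  # "ach" or "wire"


# Constructed sample history for one hypothetical business account.
# Two recurring payees with stable amounts; nothing here is real data.
HISTORY = [
    Transfer("acct-1001", 1200.00, "payroll-vendor", "ach"),
    Transfer("acct-1001", 1180.00, "payroll-vendor", "ach"),
    Transfer("acct-1001", 1250.00, "payroll-vendor", "ach"),
    Transfer("acct-1001", 300.00, "office-supplies", "ach"),
    Transfer("acct-1001", 310.00, "office-supplies", "ach"),
    Transfer("acct-1001", 295.00, "office-supplies", "ach"),
]


def build_baseline(history, account):
    """Summarise an account's established pattern: amount statistics plus the
    set of payees and channels it has actually used."""
    own = [t for t in history if t.account == account]
    amounts = [t.amount for t in own]
    return {
        "n": len(own),
        "mean": mean(amounts) if amounts else 0.0,
        "stdev": pstdev(amounts) if len(amounts) > 1 else 0.0,
        "max": max(amounts, default=0.0),
        "payees": {t.payee for t in own},
        "channels": {t.channel for t in own},
    }


def score_transfer(transfer, baseline, z_threshold=3.0, min_history=3):
    """Return the list of reasons a transfer deviates from the baseline.
    An empty list means the request looks like this customer's normal activity.
    z_threshold and min_history are assumed tuning values."""
    reasons = []
    if baseline["n"] < min_history:
        # Too little history to judge: route to manual review rather than guess.
        reasons.append("insufficient history")
        return reasons
    if transfer.payee not in baseline["payees"]:
        reasons.append("new payee")
    if transfer.channel not in baseline["channels"]:
        reasons.append("new channel")
    if baseline["stdev"] > 0:
        z = (transfer.amount - baseline["mean"]) / baseline["stdev"]
        if z > z_threshold:
            reasons.append(f"amount z-score {z:.1f} > {z_threshold}")
    elif transfer.amount > baseline["max"]:
        reasons.append("amount exceeds all prior transfers")
    return reasons


def review_requests(history, requests):
    """Score each pending request against its own account's baseline.
    Returns a list of (transfer, reasons) pairs, flagged ones having reasons."""
    baselines = {}
    results = []
    for req in requests:
        if req.account not in baselines:
            baselines[req.account] = build_baseline(history, req.account)
        results.append((req, score_transfer(req, baselines[req.account])))
    return results


if __name__ == "__main__":
    pending = [
        Transfer("acct-1001", 1210.00, "payroll-vendor", "ach"),   # routine
        Transfer("acct-1001", 9500.00, "unknown-beneficiary", "wire"),  # anomalous
        Transfer("acct-2002", 50.00, "coffee", "ach"),            # no history yet
    ]
    for req, reasons in review_requests(HISTORY, pending):
        status = "FLAG" if reasons else "ok"
        print(f"{status:4} {req.account} {req.channel} {req.amount:>9.2f} -> {req.payee}: {reasons}")
```

The point of the per-account baseline is the one the Guidance makes: a $9,500 wire to a never-seen beneficiary is not suspicious in the abstract, but it is plainly anomalous for a customer whose only transfers are two recurring ACH payments of a few hundred to a little over a thousand dollars. Real deployments would add session signals (new device, unusual log-in time or location) and keep the baseline current as behaviour legitimately changes.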
Our company was founded on the idea that the best way to prevent online and mobile banking fraud is to do precisely this: look for anomalous activity at the individual account holder level that is indicative of account takeover, account reconnaissance, and fraudulent transactions. More than 50 financial institutions whom we have the privilege of calling customers know this, too, and have day in and day out seen the benefits of proactively stopping criminals in their tracks, before money leaves their institutions. And now it's expected of all institutions. We think this is a positive step forward and that banks, credit unions, and their account holders will benefit.
There has been a perception perpetuated in the industry that fraud monitoring is difficult to implement and complex to operationalize. This is just wrong. Our online and mobile banking fraud prevention solution, FraudMAP, is rapidly deployed, and customers can be up and running in just a few days with little to no support required from IT. To learn more about how FraudMAP can help you meet the first, and most important, expectation expressed in the Guidance Supplement, visit our website.