In October 2005 the Federal Financial Institutions Examination Council (FFIEC) issued updated information security guidance for financial institutions offering internet-based financial products and services. The 2005 Guidance discussed the need for financial institutions to (1) utilize effective and well considered risk assessments in order to carefully evaluate the risk to an institution’s data in light of the nature and scope of the data services offered online; and (2) employ customer awareness and education as an effective means of reducing or eliminating risks associated with online banking.
However, the primary focus of the 2005 Guidance was the establishment of guidance to aid financial institutions in evaluation and selection of appropriate methods of customer authentication. The 2005 Guidance, which was entitled “Authentication in an Internet Banking Environment,” described “enhanced authentication methods” which regulated financial institutions were expected to fully implement by December 31, 2006.
The 2005 Guidance stressed the difference between single-factor and multi-factor authentication, two common methods which can be used by financial institutions to verify the identity of customers utilizing their online services. While neither eschewing single factor authentication nor mandating multi-factor authentication, FFIEC noted that single-factor authentication “may not provide sufficient protection for internet based financial services”. More specifically, FFIEC stated that it considered “single-factor authentication, when used as the only control mechanism, to be inadequate for high risk transactions involving access to customer information or the movement of funds to other parties.”
Much has changed since 2005. Today the banking industry has seen a significant increase in the use of online banking services as well as a significant increase in the sophistication and frequency of cyberattacks aimed at financial institutions and their online customers. Many of these attacks have been “successful,” resulting in the unauthorized transfer of significant amounts of customer and bank funds. There has been a significant increase in the number of lawsuits brought against affected banks alleging negligence or other misfeasance on the part of the bank. Notably, a district court judge recently found a bank negligent after a trial.
In order to respond to these changed circumstances and to apply what it has learned from many of these attacks, in June 2011 FFIEC issued a “Supplement” to its 2005 Guidance which reiterates and stresses the importance of diligent application of many of the security principles enunciated in the 2005 Guidance and this time makes some more specific recommendations for the implementation of these principles.
For example, FFIEC strongly suggests that periodic risk assessments be conducted at least every twelve months. It recommends that covered institutions offer multi-factor authentication to their business and commercial customers. FFIEC also strongly suggests that customer awareness programs incorporate certain identified minimal elements, such as:
- An explanation of the protections provided, or not provided, to account holders relative to electronic funds transfers under Regulation E
- An explanation of when and how an institution may contact a customer, on an unsolicited basis, and request the customer’s provision of electronic banking credentials
- A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically
However, the focus of the June 2011 Supplement is on what FFIEC terms a “layered” security approach. This approach eschews reliance on any single security factor, such as the use of single- or multi-factor authentication, for an approach strongly emphasizing multiple security methods and controls. In other words, authentication (whether single- or multi-factor) plus other measures. Examples of other “layered” security measures include:
- fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- the use of dual customer authorization through different access devices;
- the use of out-of-band verification for transactions;
- the use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of an account.
Most importantly, FFIEC essentially now requires that all financial institution security programs at a minimum must have the following two specific security controls. First, a means or method to detect and respond to anomalous activity related to the initial login and authentication function, and to functions involving the transfer of funds to third parties. Second, a layered security program must include enhanced controls and procedures for those system administrators (presumably both financial institution employees as well as customers and their representatives) who have system privileges which allow them to set up or change account access configurations.
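As an added illustration of the first control above (not FFIEC's text or any institution's code), the following Python sketch scores a login or third-party transfer event against the customer's own history, which is the kind of history-and-behavior comparison the “layered” measures call for; the device ids, login hours, payees and amounts are constructed sample data, and the thresholds are assumptions:

```python
"""Score login and transfer events against a customer's own history.

Constructed example: the history, thresholds and decisions are assumptions,
not FFIEC's method or any bank's production logic.
"""
from statistics import mean, pstdev

# Constructed history: daytime activity from two known devices, modest
# transfers to two established payees.
HISTORY = [
    {"type": "login", "device": "dev-A", "hour": 9},
    {"type": "transfer", "device": "dev-A", "hour": 10, "payee": "vendor-1", "amount": 1200.0},
    {"type": "transfer", "device": "dev-A", "hour": 11, "payee": "vendor-1", "amount": 1350.0},
    {"type": "transfer", "device": "dev-A", "hour": 14, "payee": "vendor-2", "amount": 900.0},
    {"type": "login", "device": "dev-B", "hour": 15},
]


def build_profile(history):
    """Summarize what is 'normal' for this customer from past events."""
    return {
        "devices": {e["device"] for e in history},
        "hours": {e["hour"] for e in history},
        "payees": {e["payee"] for e in history if e["type"] == "transfer"},
        "amounts": [e["amount"] for e in history if e["type"] == "transfer"],
    }


def score_event(profile, event):
    """Return (score, reasons): one reason per deviation from the profile."""
    reasons = []
    if event["device"] not in profile["devices"]:
        reasons.append("new_device")          # device never seen for this customer
    if event["hour"] not in profile["hours"]:
        reasons.append("unusual_hour")        # outside the customer's usual activity window
    if event["type"] == "transfer":
        if event["payee"] not in profile["payees"]:
            reasons.append("new_payee")       # first transfer to this third party
        amounts = profile["amounts"]
        if amounts:
            mu, sd = mean(amounts), pstdev(amounts)
            if event["amount"] > mu + 3 * max(sd, 1.0):   # assumed 3-sigma rule
                reasons.append("amount_outlier")
    return len(reasons), reasons


def decide(score):
    """Map a score to a response: release, hold for review, or step-up verification."""
    if score >= 2:
        return "step_up"   # e.g. out-of-band confirmation before the transfer is released
    if score == 1:
        return "review"
    return "allow"
```

A real deployment would also feed the reasons to the response team, since the Supplement asks for timely institution response, not just a score.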
In the June 2011 Supplement, FFIEC also discusses two specific authentication methods which had been implemented by financial institutions in response to the 2005 Guidance: device authentication and the use of challenge questions.
Historically, many financial institutions have used simple device authentication, generally involving placement of a simple “cookie” on the computer or other device used to access an account. FFIEC found that these simple device identification methods are easily defeated or circumvented by today's more sophisticated cyber-criminals. FFIEC now considers “complex device identification (such as the use of ‘one time’ cookies) to be more secure and preferable to simple identification.” As a result FFIEC asserts that “institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.”
Similarly, FFIEC discussed the use of simple challenge questions (such as, for example, a mother’s maiden name or high school graduation date) and determined that the answers are too easily discovered in today’s information environment, and as such should no longer be considered an effective method of authentication verification. However, FFIEC finds that the use of more sophisticated, likely non-publicly available challenge questions (how many dogs have you owned since high school?) can be much more effective, particularly when a number of questions, taken from a large pool of available questions, is employed for each authentication attempt.
The June 2011 Supplement is an important document that every financial institution regulated by the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision should read, study and understand. Drawing on solid security principles embodied in other federal statutes and regulations, as well as experience gained in the five plus years since promulgation of the 2005 Guidance document, FFIEC provides financial institutions with specific guidance, and in some cases expresses directives for measures that financial institutions should employ in order to significantly reduce the risks associated with ever increasing online banking transactions. A very significant side benefit is the fact that when a security incident occurs, faithful adherence to FFIEC’s Guidance will constitute a very important defense against legal actions seeking to hold financial institutions liable.