Categorized | Featured


FFIEC Authentication Guidance

The Federal Financial Institutions Examination Council (FFIEC) recently released new guidance to address online fraud intended to promote continued security in electronic banking and address increased risk from sophisticated threats facing financial institutions and their customers.

The guidance was inadvertently released by one of the regulatory bodies at the beginning of the year, before its formal adoption by the FFIEC. The final release on June 28, 2011, however, was fundamentally the same and covered more specific areas of supervisory expectations than the previous guidance:

  • The guidance stresses that financial institutions should continue to be responsible for risk assessment prior to implementing new electronic financial services.
  • Customer authentication should be implemented based upon risk level identified by the financial institution.
  • Financial institutions should consider a layered security approach with two required elements:
    • Ability to detect and respond to suspicious activity
    • Enhanced control for system administrators
  • Customer awareness and education should address both retail and commercial account holders and be tailored to different risk profiles.

Many smaller financial institutions rely significantly on their core processors and other vendors to assist with the technical aspects of authentication and risk mitigation. One specific area organizations should look at is small- to medium-sized commercial clients, which have higher balances and significantly higher transaction volumes than retail customers, making fraud and theft easier to hide. Client acceptance processes for merchant capture and Automated Clearing House/wire commercial customers should be reviewed and enhanced to reflect the higher inherent risks.

A number of similar frauds have recently been reported in the press:

  • A merchant had the ability to initiate wire transfers using an account set up with the bank with a user name and password.
  • Because of its small size, the merchant didn’t use the bank’s dual control authorization mechanisms.
  • The merchant was hacked, and a key logger was used to obtain the user name and password.
  • The hacker logged in and initiated the wire transfer, completing the fraud.

The new guidance could have helped mitigate, and perhaps prevent, these types of fraud.

Financial institutions should conduct the risk assessments outlined in the new guidance and review their customer awareness and education programs as a first step toward compliance. We believe most financial institutions will find high-risk areas can first be addressed through customer awareness and education. In the aforementioned frauds, the merchants’ own IT security procedures contributed significantly to the risk and, ultimately, the fraud. By balancing customer awareness with the need to provide sophisticated services and products, financial institutions can achieve enhanced security.

For more information on this new guidance, contact your BKD advisor.

This post was written by:

Ron has more than 25 years of experience helping companies with information technology, government cost, budgeting and financial accounting issues. His primary focus is delivering internal audit information technology and security services to financial institutions.

Leave a Reply

What are hot topics facing financial services?

Stay Connected

Follow us on Twitter
Follow Us on Twitter

Want updates about regulatory, tax, compliance and other issues?

Follow us on Google+
Follow Us on Google+

For the latest Financial Services industry insights and webinars, follow us.

Subscribe to Google Currents
Subscribe to Google Currents

Browse, read and share BKD’s latest financial reform insights quickly and conveniently from your smartphone or tablet.

Watch us on YouTube
Watch Us On YouTube

Watch us on YouTube, where you can see what makes BKD stand out from the rest.

BKD RSS feeds
Subscribe Via RSS

Subscribe via RSS to stay up-to-date on the latest BKD news and information.


Error: Twitter did not respond. Please wait a few minutes and refresh this page.

Recent Comment