The Federal Financial Institutions Examination Council (FFIEC) recently released new guidance to address online fraud intended to promote continued security in electronic banking and address increased risk from sophisticated threats facing financial institutions and their customers.
The guidance was inadvertently released by one of the regulatory bodies at the beginning of the year, before its formal adoption by the FFIEC. The final release on June 28, 2011, however, was fundamentally the same and covered more specific areas of supervisory expectations than the previous guidance:
- The guidance stresses that financial institutions should continue to be responsible for risk assessment prior to implementing new electronic financial services.
- Customer authentication should be implemented based upon risk level identified by the financial institution.
- Financial institutions should consider a layered security approach with two required elements:
  - Ability to detect and respond to suspicious activity
  - Enhanced control for system administrators
- Customer awareness and education should address both retail and commercial account holders and be tailored to different risk profiles.
Many smaller financial institutions rely significantly on their core processors and other vendors to assist with the technical aspects of authentication and risk mitigation. One specific area organizations should look at is small- to medium-sized commercial clients, which have higher balances and significantly higher transaction volumes than retail customers, making fraud and theft easier to hide. Client acceptance processes for merchant capture and Automated Clearing House/wire commercial customers should be reviewed and enhanced to reflect the higher inherent risks.
A number of similar frauds have recently been reported in the press:
- A merchant had the ability to initiate wire transfers using an account set up with the bank with a user name and password.
- Because of its small size, the merchant didn’t use the bank’s dual control authorization mechanisms.
- The merchant was hacked, and a key logger was used to obtain the user name and password.
- The hacker logged in and initiated the wire transfer, completing the fraud.
The new guidance could have helped mitigate, and perhaps prevent, these types of fraud.
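The two controls the case above lacked, dual control over wire initiation and a check for suspicious activity before release, can be shown concretely. The following Python is an added illustration, not part of this article or any BKD or FFIEC material. The dual-control threshold, the outlier multiplier, the ACME-001 account profile and the user names are constructed for the example; a real system would take these from the institution's risk assessment and the customer's agreement.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed policy values for the example (a real institution sets these
# from its own risk assessment, not from this code).
DUAL_CONTROL_THRESHOLD = 10_000.0  # wires at or above this need a second approver
OUTLIER_MULTIPLIER = 3.0           # amount above 3x the account's typical wire is flagged


@dataclass
class AccountProfile:
    """What the bank already knows about a commercial customer's wire activity."""
    authorized_users: Set[str]
    known_beneficiaries: Set[str]
    typical_wire_amount: float


@dataclass
class WireRequest:
    request_id: str
    account: str
    amount: float
    beneficiary: str
    initiated_by: str
    approved_by: Set[str] = field(default_factory=set)


class WireControls:
    """Dual control plus a simple suspicious-activity screen for outbound wires."""

    def __init__(self, profiles: Dict[str, AccountProfile]) -> None:
        self.profiles = profiles

    def risk_flags(self, req: WireRequest) -> List[str]:
        """Layered-security element: detect activity that deviates from the account's history."""
        profile = self.profiles[req.account]
        flags: List[str] = []
        if req.beneficiary not in profile.known_beneficiaries:
            flags.append("new_beneficiary")
        if req.amount > OUTLIER_MULTIPLIER * profile.typical_wire_amount:
            flags.append("amount_outlier")
        return flags

    def status(self, req: WireRequest) -> str:
        """Decide whether a wire is released, waiting on dual control, or held for bank review."""
        profile = self.profiles[req.account]
        if req.initiated_by not in profile.authorized_users:
            return "rejected_unauthorized_user"
        # Dual control: the initiator's own credentials are never enough on their own,
        # so a keylogged password alone cannot complete a large wire.
        second_approvers = req.approved_by - {req.initiated_by}
        if req.amount >= DUAL_CONTROL_THRESHOLD and not second_approvers:
            return "pending_second_approver"
        # Flagged wires are held for out-of-band verification even if dual control passed.
        if self.risk_flags(req):
            return "held_for_review"
        return "released"

    def approve(self, req: WireRequest, approver: str) -> str:
        """Record a second approval; self-approval and unknown users are refused."""
        profile = self.profiles[req.account]
        if approver == req.initiated_by:
            return "rejected_self_approval"
        if approver not in profile.authorized_users:
            return "rejected_unauthorized_user"
        req.approved_by.add(approver)
        return self.status(req)


def build_demo_controls() -> WireControls:
    # Constructed sample profile: two authorized users, one known supplier,
    # wires of roughly $4,000 are normal for this account.
    return WireControls({
        "ACME-001": AccountProfile(
            authorized_users={"alice", "bob"},
            known_beneficiaries={"Supplier Co"},
            typical_wire_amount=4_000.0,
        )
    })


def stolen_credential_wire() -> WireRequest:
    # Constructed: the wire an attacker holding alice's keylogged password would submit.
    return WireRequest("W-1", "ACME-001", 48_000.0, "Unknown LLC", initiated_by="alice")


def routine_wire() -> WireRequest:
    # Constructed: a normal payment to the known supplier, below the dual-control threshold.
    return WireRequest("W-2", "ACME-001", 3_500.0, "Supplier Co", initiated_by="alice")


if __name__ == "__main__":
    controls = build_demo_controls()
    bad = stolen_credential_wire()
    print(bad.request_id, controls.status(bad))            # pending_second_approver
    print(bad.request_id, controls.approve(bad, "alice"))   # rejected_self_approval
    print(bad.request_id, controls.risk_flags(bad))         # ['new_beneficiary', 'amount_outlier']
    print(bad.request_id, controls.approve(bad, "bob"))     # held_for_review
    print("W-2", controls.status(routine_wire()))           # released
```

With dual control enforced, the stolen password alone leaves the wire pending; if the attacker also obtained the second user's credentials, the new beneficiary and the amount outlier still hold it for the bank's out-of-band verification. The routine wire is released without friction, which is the balance the guidance asks for between security and usable commercial services.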
Financial institutions should conduct the risk assessments outlined in the new guidance and review their customer awareness and education programs as a first step toward compliance. We believe most financial institutions will find high-risk areas can first be addressed through customer awareness and education. In the aforementioned frauds, the merchants’ own IT security procedures contributed significantly to the risk and, ultimately, the fraud. By balancing customer awareness with the need to provide sophisticated services and products, financial institutions can achieve enhanced security.
For more information on this new guidance, contact your BKD advisor.