The Fraud Blog with Tracy Kitten

FFIEC: New Guidance, New Security Resource Center Dedicated to Pending Authentication Guidance

The Federal Financial Institutions Examination Council addressed some of those issues back in 2005, when it issued guidance about how banks should authenticate online banking users and transactions. But given the uptick in Automated Clearing House and wire-related fraud our industry has seen over the last two years, the FFIEC has been examining ways to enhance online authentication, and reinforce best practices many banking institutions have overlooked in recent years.

Let's take a look at news that made headlines this week: Court Favors EMI in Fraud Suit.

The judge found that Comerica's basic authentication practices, which relied on log-ins and passwords, did not truly comply with the FFIEC's call for layered security and multifactor authentication. 

Eighteen months after Michigan-based Experi-Metal Inc. sued its former commercial bank accountholder, Comerica Bank, a U.S. District Court in Michigan has favored the commercial customer. Now Comerica Bank must reimburse EMI more than $560,000 for the funds it lost after the bank approved fraudulent wire transfers that totaled more than $1.9 million.

In the ruling, the judge cites guidelines for online security outlined in the FFIEC's 2005 online authentication guidance, finding that Comerica's basic authentication practices, which relied on log-ins and passwords, did not truly comply with the FFIEC's call for layered security and multifactor authentication.

The case should serve as a wake-up for banks, especially those that have been lax in their implementation of multifactor practices.

The FFIEC is well aware of the gaps. Thus, regulators from the FFIEC's five member agencies -- the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision -- have drafted new guidance, which this time notes with more clarity the areas upon which banks must focus more fraud-prevention measures.

We don't have the final version of the new guidance yet, but we have an idea about what to expect, based on a preliminary draft that's been circulating since December.

According to that draft, the new guidance will call for five key areas of improvement:

  • Better risk assessments, to understand and respond to emerging malware, including man-in-the-middle or man-in-the-browser attacks as well as keyloggers;
  • More widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
  • Improved device identification and protection, tying in layered security measures;
  • Stronger fraud detection and regular testing for detection effectiveness at the bank and customer levels; and
  • More customer education initiatives.

No one is really sure when the new guidance will be issued. It could be any day now, which is why we recently launched an FFIEC Authentication Guidance Resource Center dedicated to the FFIEC's expected changes.

The site aims to serve as a one-stop shop, providing in-depth information from industry experts and practitioners about pending online authentication guidance. We've also included other resources, such as a library of authentication updates from banking regulators and industry associations; our own fraud research; and archival content on subtopics, like device identification and risk assessment.

We think the FFIEC Authentication Guidance site will provide valuable information for U.S.-based institutions as well as international banks that operate in the U.S., as the compliance requirements outlined by the regulators will be applicable to all.

"The banking industry has never seen a greater need for new guidance on authentication, layered security and customer awareness," said Tom Field, editorial director of ISMG, earlier this week. "Already, we are seeing financial institutions amend their budgets and strategies to comply with the FFIEC's new recommendations. It's important, then, for all players in the industry - practitioners, vendors, analysts and even customers - to understand the full ramifications of this important new direction in online authentication."



About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network