FFIEC Guidance: How to Use Layered Security to Fight Fraud
Layered security is one of the core tenets of the new FFIEC Authentication Guidance - and it's perhaps the most effective strategy for detecting and preventing banking fraud schemes. But what are some of today's most mature approaches to layered security, and how are banking institutions employing them to detect and prevent fraud at the transaction level and beyond?
Join a distinguished panel of industry experts to learn:
- The types of layered security controls prescribed by the FFIEC, and what examiners will be looking for from institutions starting in January 2012;
- Tips from banking institutions that are already deploying layered controls such as knowledge-based authentication, device identification, behavioral monitoring, anomaly detection and cross-channel pattern analysis;
- Emerging technologies that will enable more efficient and effective ways to know their customers, improve fraud detection and create layered protection across all maintenance activities and customer devices.
See Also: Live Webinar | Why is the CISO Role the Most Difficult Job in the World?
To view the Q&A handbook from this webinar, please see FFIEC Guidance: How to Use Layered Security to Fight Fraud.
In response to heightened incidents of fraud against banking institutions and customers, the Federal Financial Institutions Examination Council has formally released the long-awaited supplement to its "Authentication in an Internet Banking Environment" guidance, which was first issued by the FFIEC in October 2005.
Among the most prominent topics in the new guidance is "layered security," which the FFIEC defines as "the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control." But layered security controls also are appropriate beyond the transaction, in all customer interactions, and institutions are encouraged to use these controls to know their customers' banking habits, protect customer information, prevent ID theft and reduce losses to cross-channel fraud schemes such as account takeover.
Starting in January 2012, banking regulators will examine institutions for conformance with this new guidance. Specifically, examiners will look for how institutions have:
- Improved their abilities to detect and respond to suspicious activity;
- Enhanced controls for system administrators of business accounts.
Among the layered security methods recommended by the FFIEC:
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- Dual customer authorization through different access devices;
- Out-of-band verification for transactions;
- "Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account;
- Enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows [e.g., days and times];
- Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
- Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
In this exclusive session, Matthew Speare of M&T Bank will discuss how his institution has tackled the layered security strategy in all aspects of electronic banking. He then will lead a panel of industry experts in an open discussion about these different methods, as well as best-practices in fraud prediction and detection across all channels, and how to improve the analysis of suspicious behavior across all transactional channels.
You might also be interested in …