FFIEC Authentication Guidance: Enhancing Controls
Risk-Based Controls and Monitoring Fraud-Prone Transactions
"We face a broad threat ... and each consumer has to understand that their part in protecting both their own finances and the financial infrastructure, together, is a very large part," says Harper, vice president of technical services at Pentagon FCU.
Financial institutions should continually review their risk-management processes, one of the recommendations highlighted in the updated online authentication guidance issued by the Federal Financial Institutions Examination Council. But institutions also must bring their customers and members into the fray, getting their participation to aid in fighting fraud.
"FFIEC guidance provides a toolset that gives the consumers the ability to react in this area," Harper says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Fraud on the Internet is quickly becoming a severe problem, and it's an area that requires constant attention, both from institutions and business customers. Pentagon FCU sees the online channel as its main banking channel, and therefore puts great emphasis on ensuring online security.
"The fraud and criminal enterprise on the Internet is one of the seminal societal problems that this generation and future generations must tackle, and it's going to define how financial institutions and society, overall, are going to work in the future," Harper says.
During this interview, Harper discusses:
- Why credit unions should view compliance with new FFIEC guidelines as a way to enhance online security for consumer and business accounts;
- Why regular reviews of risk assessments and risk management programs are so critical; and
- Steps all banking institutions should take to enhance and build controls that are based on the unique and independent risks associated with specific transaction sets.
Harper is the vice president of technical services and acting chief information officer at Pentagon Federal Credit Union, where he manages the Technical Services group and provides infrastructure support and security for all aspects of PenFed's systems. He holds a bachelor's degree and a master's degree in computer science from James Madison University.
TRACY KITTEN: Before we get started, can you give our audience a little background about your institution, such as asset size, geographic footprint and member base?
IAN HARPER: Pentagon Federal Credit Union serves over one million members primarily in the Armed Forces, civilian agencies and defense-related companies, and members supporting the United States Military in general. Our membership is located worldwide and we support them primarily through our online channel and also through our telephone services and branch locations within the United States and overseas. We manage about $15 billion of assets.
KITTEN: About how many members did you say that you have?
HARPER: We have over one million members.
FFIEC Priorities for Credit Unions
KITTEN: When we look at the new FFIEC guidance, complying with the guidance is the priority for institutions that have commercial customers. But what about Pentagon FCU and other credit unions whose primary memberships basically comprise consumers, not commercial clients? What priorities do you see when it comes to ensuring that you're complying with the new FFIEC guidelines?
HARPER: The FFIEC guidance has components that apply specifically to commercial institutions and basically reducing the incidents of fraud. One of the key areas of the guidance is to enhance authentication, which gives us the ability to provide online banking authentication and security in a manner that helps focus on keeping up with the threats within cyberspace. It's no secret that criminals, criminal organizations and state actors are involved, using the Internet to further their various aims. In particular fraud has exploded on the Internet and this fraud costs consumers in a very direct and a very major way. As a low-cost high-value provider, PenFed consistently is looking at how we can fight fraud and make sure that we're providing the protection necessary to drive that value to reduce losses which then drives the member value.
As for the priorities of the FFIEC regulation, it's clear from the regulations that financial institutions must continue to develop the risk management process beyond where we fit today, including both technical and procedure methods that are to secure the systems and to protect the consumer's interest. Secondly, financial institutions must focus their controls based on the risk of fraud within the transaction. It's not good enough now to have the consumer log on and assume that that single log on will protect the consumer from fraud. The banking application must consistently be on the lookout for any suspicious activity and make security decisions during that session to make sure that the consumer's security is protected. Thirdly, the bank's electronic banking controls need to integrate into a layered security program outside of just the electronic banking and the technology components, but also into the overall fraud and protection mechanism that the financial institution maintains. Then finally the program has to incorporate consumer information that allows the consumer to play an integral part in securing their own information. The prioritization for PenFed has always been to identify and integrate the most effective capabilities and to provide the strongest security we possibly can on the banking platform and the FFIEC regulations don't really change that for us. Rather we look at it as a milepost that helps us to keep our bearings on our commitment to the membership and protecting their information and their finances.
KITTEN: How is PenFed currently addressing risk assessment? How are you ensuring that you're fulfilling these proverbial security gaps now and into the future?
HARPER: We actually consistently assess risk with all of our systems, whether it's electronic banking, core financial systems or mortgage origination and delivery systems. As part of the assessment, we have internal staff that's dedicated to assessing and managing the security of all the systems that we have. Security is one of the top priorities of management and the mitigation of vulnerabilities is a regularly discussed topic at the top level of our management.
KITTEN: It sounds like risk assessment basically is going to continue. The emergence of this new guidance hasn't really changed the way the credit union focuses on risk assessments, is that right?
HARPER: Absolutely. It gives me one straw to give weight to the argument that we do need to continue that risk assessment process and that it needs to be involved from top down within the credit union. Again we are already doing that. This is just one more voice in the chorus to keep us on that path.
Fraud Prevention Challenges
KITTEN: What unique security and/or fraud prevention challenges do you see facing credit unions that might not necessarily be issues banks deal with?
HARPER: I'm not sure I see a wide difference between the banks and the credit unions. Primarily when we're dealing with consumer finances, the risks are going to generally be the same. In some cases though, because credit unions oftentimes are smaller on average than the typical commercial banks, many times they do not have the financial capability to implement many of the controls that the large organizations can do. But you're also going to see that variance between the larger and smaller credit unions.
Our membership many times faces pressures that many other consumer groups may not. Many of our memberships are forward deployed to the front line and we believe that they should really have to worry about the security of their finances. We take special care to try to make sure that we are looking out for their financial security on the home front while they look out for their national security. But on the whole I don't know that there is a significant difference between the banks and the credit unions in this regard.
KITTEN: When it comes to layered security - and you've touched on this a little bit - I'd like to get some specific information about what PenFed is doing and maybe you can shed some light on what other institutions should be doing to follow your lead. When it comes to online security and user authentication, how are these falling into a layered security approach?
HARPER: We have a layered approach and this approach has been in place and built on for about 20 years. We consistently are looking at ways to upgrade that. We worked heavily to try to make sure that we've got controls on the front-end of the platforms where the consumer is interfacing with the financial institution. We've got a multi-step process in that area to try to identify potential suspicious activities. We use very sophisticated systems that look for potential fraudulent activity and look for anomalies within the session, both from a technical standpoint but also from a transaction standpoint, to try to identify where we might be seeing fraud. Those systems are actually updated both with what our fraud group identifies as potential fraudulent activities and the activities that confirmed fraud has taken place, so that we can start to identify when we see those patterns of activity we can identify more early in the process that we may have a fraudulent transaction.
From the back-end system process, we're constantly looking for activities that are happening, whether it's originating from our electronic banking or our other systems. Then we also use some services outside of the credit union, looking for potential fraudulent activity. These services go and look at some of the Internet chat rooms that the fraudsters are using and try to identify where we already have compromised information. With some of these keystroke-logging and Trojan horse applications we're actually employing a fraud service that goes out and hunts for any of those credentials that may have been compromised for PenFed members and we, in many cases, are the first ones to notify the consumer.
Awareness and Education
KITTEN: That's such a good point there that you make because oftentimes we found that it's the consumer that actually notifies the financial institution of fraud and that's obviously not anything that helps to enhance the confidence that consumers have in the financial relationship. I'm wondering if you could talk a little bit about member education and maybe acceptance of some of these heightened online security measures. It's a fine line between enhanced security and then impeding member convenience. How do you balance the two?
HARPER: Absolutely and balance is the term that I was going to use. Balancing the need for security, and the ability for a consumer to carry out those transactions that they intend to carry out, is really the struggle that we live with every day. But it's a good struggle. It's one where we're constantly re-evaluating and trying to determine what controls we can put in place but it also gives us the framework for building better controls. There are a couple of different places that are part of this effort. The first piece is the identification of technologies that are applicable to what we're trying to accomplish, hence the application of those technologies in a way that will allow the member to use that component effectively. And there is no shortage of technologies out there that claim to be able to solve the problem. The issue really is: are the consumers ready to implement those capabilities? When you look at the FFIEC guidance, that guidance helps us to establish that baseline because the FFIEC, the NCUA and the other regulatory institutions that are asking banks to implement these controls are setting the basic bare minimum that consumers will have to live with. Meaning that the consumers are going to see these new technologies come into place, these new ways of providing security, and so as they see this more and more it becomes more and more acceptable.
KITTEN: I wanted to ask a little bit about out-of-band authentication. Leaning on the mobile channel for text messaging, or another way to just enhance the authentication of online transactions, is there any interest on PenFed's side to use the mobile channel in this way?
HARPER: Absolutely. We've actually had a program in place and we're continuing to move forward with that. We are updating our online presence here in the last quarter of this year and as part of that you will see an out-of-band mechanism in place. Exactly which messaging functions we'll use is going to be primarily dependent on the membership and the membership requirements. Using out-of-band, for instance text messages, to mobile platforms is a way of accomplishing that. One of the issues that we run into with our membership is that not all of our memberships have mobile phones, so we're looking into some other capabilities, for instance integrated voice-response systems that allow us to provide that verbally to the membership. But absolutely you're going to see with PenFed a fully integrated out-of-band authentication mechanism and that's going to be ramping up here at the end of the year and we're going to continue moving forward and integrating that overall.
Emerging Threats
KITTEN: You've talked a little bit about emerging threats and I'd like to go ahead and expand on that conversation a bit in the context of risk assessments. What types of threats are you focusing on? And when we talk about threats what types of threats are you looking at on the online channel and the mobile channel?
HARPER: Looking at the sophistication of the attacks now, the actual specific attacks today are very little different than those attacks that we typically need to deal with. The threat actors, while they have emerged, how they do the attacks that they perform is a little bit different. The actual actors and the motivations behind these attacks, generally speaking, are relatively the same. But the sophistication of these attacks is growing at an exponential pace. Where before you had a very small cadre of sophisticated attackers, now we have criminal organizations being stood up, directly focusing on Internet and electronic banking, both from the perspective of trying to take advantage of consumer credentials and also trying to take advantage of weaknesses within the financial institution environment. They are now becoming so sophisticated that they have organized groups that are specifically targeted for specific types of financial institutions, specific technologies within financial institutions and specific functions within the fraud enterprise.
KITTEN: Then when it comes to looking at some of these emerging threats, or these ongoing threats as you have noted, how are your fraud and security teams aligned? How are they working together and what steps are you taking to ensure that you are addressing these issues in tandem now and in the future?
HARPER: We actually work as an integrated team, and the financial fraud area and the IT security area really are extensions of the other. The electronic banking security, as well as all of the security within our various systems, is now a major component of how fraudsters are attempting to attack the credit union.
KITTEN: Before we close, what final thoughts about online security and compliance with the new FFIEC guidance generally would you like to leave our audience with?
HARPER: I think one of the primary areas that I'd like to speak to is the fact that regulations and standards similar to the FFIEC guidance are really only one aspect of the issue. We face a broad threat against the board and each consumer has to understand that their part in protecting both their own finances and the financial infrastructure together is a very large part. FFIEC guidance provides a toolset that gives the consumers the ability to react in this area. The fraud and the criminal enterprise on the Internet is one of the seminal societal problems that this generation and future generations must tackle and it's going to define how financial institutions and society overall are going to work in the future.