FFIEC: What's Reasonable Security?
Layered Security Controls Are Key Investments
Many institutions seem to forget that the updated FFIEC Authentication Guidance calls for layered security controls first, and multifactor authentication second.
Cyber and information security expert Joseph Burton, an attorney who focuses on emerging financial fraud trends, says most banks and credit unions, as they implement strategies to conform to the updated guidance, are spending far too much time on authentication and not nearly enough on layered security.
Without multiple strong layers of security, institutions will never mitigate risks long-term.
"What people took away from the guidance was a focus on authentication, and less of a recognition and focus on the concept of layered security, of which authentication is only one part," says Burton in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
Burton says many institutions have invested far less in other security layers, such as fraud detection and out-of-band verification, also explicitly noted in the guidance.
"There has been a focus on this notion of authentication and the focus on the correct technology to use to authenticate, and less of a focus on, perhaps, some of the other layers of protection that can be used," he says.
Citing recent legal disputes between banks and commercial customers over ACH fraud, Burton says it seems fraud detection and monitoring have been afterthoughts at most mid-tier and community banks.
"If there's any lesson to be learned from the cases and from the FFIEC, it's that layered security is the key and that the FFIEC really sees layered security being the key for both commercial and for retail-level transactions," he says.
During this interview, Burton discusses:
- What conformance with the FFIEC guidance should mean for technology investments institutions make in the areas of authentication and fraud detection;
- Why layered security controls, which include customer and member education, should be part of a "reasonable" security strategy;
- The increasing role contracts between financial institutions and commercial and retail customers will play when legal disputes over fraud liability arise.
Burton is the managing partner of Duane Morris' San Francisco office, where he concentrates on complex civil, criminal and appellate litigation. He is nationally recognized in the emerging field of Information Security Law and advises and represents individuals and corporations regarding their rights and responsibilities in maintaining the security of digital information. His practice includes trade secret, trademark and patent litigation with an emphasis in cybercrime and cybersecurity matters.
Burton is a former Assistant U.S. Attorney and Chief of the Silicon Valley Office for the Northern District of California, where he handled several pioneering high technology investigations and prosecutions, including the first prosecution in the nation for criminal copyright infringement of computer code.
ACH Legal Environment
TRACY KITTEN: You speak with banking institutions and businesses about the increasing prevalence of online security flaws that commonly lead to ACH and wire fraud. Can you give a brief overview of the current legal liability environment banking institutions and businesses face when ACH and wire fraud occur?
JOE BURTON: With ACH and wire fraud right now, banks are looking at a situation where there's almost a presumption of liability unless they take certain steps to prevent that. They are, in a lot of ways now, including provisions in their contracts which tend to limit their liability. On the other hand, there has been a spate of cases recently where individuals have tried to sue their banks when there have been unauthorized transactions. So this is a developing area, and it's developing right now in the area of commercial transactions, but there's still plenty of room for development in cases in the area where individual consumers are involved.
Legal Obligations to Protect Customers
KITTEN: What legal obligation do banks and credit unions have to protect their customers and members on the retail and commercial sides?
BURTON: In some ways it's simple. Banks on the commercial side - in that context - have an obligation to provide commercially reasonable authentication procedures, and similarly they have an obligation to act in good faith with respect to the procedures they employ to accept transfer authorization. Those are the two pillars if you will and both are in fact based on a notion of acting reasonably and both come out of some recent cases that occurred last year.
ACH Court Cases: Lessons Learned
KITTEN: What lessons should we have learned from last year's significant court decisions on ACH and wire fraud?
BURTON: Well there were two cases last year that came out. They were in the summer of 2011. One of those cases is a case that's called Experi-Metal v. Comerica Bank. It's a federal court case that came out of the Eastern District of Michigan. It was a district court-level case. The other case that came out last year about the same time - I think it was decided finally in about August of last year - was a case called PATCO Construction v. Peoples United Bank. Both of those cases are really the two leading cases in this area and interestingly enough, they came out on opposite sides of the issue to a certain degree.
Both of those cases were cases which involved a situation in which the bad guys were able to take over the authorization for a commercial user and trick the bank into releasing funds. In both of those cases, it appeared that the bad guys were able to do it by invading the commercial user's computer as opposed to some sort of attack on the bank system. In the PATCO case, the court looked at the question of the commercial reasonableness under the Uniform Commercial Code, the UCC. The court looked at the commercial reasonableness of the procedures used by the bank to authenticate requests for the transfer of funds. In that case, the court found that the procedures used by the bank in that case were commercially reasonable, and there was a large dispute over whether or not they were because the bank was using what was contended by them and questioned by the plaintiff to be single-factor authentication. The bank argued that it was multi-factor. The plaintiff argued that it was single-factor. The court determined that it was multi-factor, determined that it was commercially reasonable and that ended the case. They found in favor of the bank.
The other case, Experi-Metal, was a case in which the issue of the commercial reasonableness of the authentication procedure was decided at an early stage. It was not the deciding factor in the case like it was in PATCO. In Experi-Metal, the court determined that the plaintiff - the commercial user in the contract with the bank - had agreed that the authentication procedures that were used were commercially reasonable. That was in essence an acknowledgement or admission, and the court didn't have to decide that question. However, the court went on to consider under the UCC another provision which provides that the acceptance of the order has to be done in a manner of good faith. It has to be accepted in a way that involves reasonable standards of fair dealing, and the court in that case determined that the bank failed to demonstrate that it had followed reasonable standards of fair dealing. Those two cases are the leading cases right now and they really sort of delineate where the law is, and that's in the commercial area. There are a few cases with respect to how the law might apply in a non-commercial situation.
KITTEN: And what about other cases? Do we expect any other cases to result in court decisions soon?
BURTON: Most of the other cases were decided on other grounds or were settled. And subsequent to PATCO and the Experi-Metal case, there have been a few other cases, but none of them look like they're going to be keyed up for really any sort of definitive rulings by the court. So right now PATCO and Experi-Metal are the cases that we have to go on and rely on.
Authentication and Fraud Detection
KITTEN: When we talk about ACH fraud and commercial breaches, the updated authentication guidance that was issued by the FFIEC addresses both commercial and retail accounts. Are banks and credit unions viewing authentication and fraud detection differently for commercial and retail customers?
BURTON: I think they may be viewing them differently in terms of how they may view the security procedures that they have to or that they thought ought to apply. I think the reality is that the FFIEC does not view them differently, and there appears to be a significant amount of confusion I think on this point. Some of that confusion is also reflected in the court decisions. What I mean by that is this - the FFIEC in the most recent guidance talked about a couple of areas. One of those areas was the authentication of transfer requests. Another area was discussion of layered security and then finally there was in the guidance a discussion of customer education, and also the effectiveness of certain authentication techniques.
I think what happened in a lot of instances is that what people took away from the guidance was a focus on authentication and less of a recognition and focus on the concept of layered security, of which authentication is only one part. The guidelines go specifically into other means of layered security that could be used in order to make a transaction safer. Some of those include things like fraud detection and out-of-band verification, etc., some standard or at least well-known techniques in the area. And what it seems like has happened is that to date there has been a focus on this notion of authentication and the focus on the correct technology to use to authenticate, and less of a focus on perhaps some of the other layers of protection that can be used. I think a good example of it is the whole notion of fraud detection, which if you think about banking on the retail side with respect to credit cards and oftentimes debit cards, a good part of the security in that area is driven by techniques like fraud detection and monitoring as a methodology of assuring that there's no fraud in a transaction. Whereas, if you look at the ACH cases, it would appear that the focus is on authentication, where we're talking about one-factor or multi-factor authentication. If there's any lesson to be learned from the cases and from the FFIEC, it's that layered security is the key and that the FFIEC really sees layered security being the key for both commercial and for retail-level transactions.
FFIEC Guidance
KITTEN: According to our Faces of Fraud survey, 29 percent of the banks and credit unions that responded said they don't fully understand the guidance and it sounds like from what you're saying you agree that they're focusing too much on authentication and then ignoring some of these other layers that they should be investing in.
BURTON: It's hard to know why, but as I also said it seems to come out with respect to the cases and frankly with the discussion in some of the cases about this area that there's a conflation of this notion of authentication, which I would call a front-end - if you will - security mechanism and the back-end security mechanism which involves things like fraud detection and out-of-band verification and other techniques that could be used. It's clear that FFIEC sees both of those, both the front-end and the back-end, as being critical to that, but the industry in some ways does not yet appear to have picked up on this distinction.
In light of the decision particularly in the Experi-Metal case, the back-end processes become more important. That's because under Experi-Metal, it's pretty clear that a financial institution can fairly well insulate itself against legal attacks based on the notion that its authentication procedures were inappropriate, and it can do that via contracts which essentially have the customer admit that the procedures are commercially reasonable. Certainly that would protect an institution where the ball is anywhere near the strike zone. I think if the ball is way outside the strike zone, even in that circumstance, the courts may be reluctant to do it. But if it's close, if it's arguable and there's a provision in which it has the customer admit it, you're going to be protected on the authentication end, but what's clear from Experi-Metal is that you're not going to be protected with respect to an analysis of whether or not you've acted in good faith, which considers all of the facts and circumstances surrounding the transaction. Just like in the Experi-Metal case, the court seems to look at a lot of these back-end security procedures and gave less investigation to the front-end authentication problem.
KITTEN: From a legal perspective, do you see the courts turning to the FFIEC guidance for background and insight when it comes to defining reasonable security and perhaps the authentication and detection solutions they're investing in?
BURTON: I think that the FFIEC will be seen as sort of a baseline standard, which if it's not met, there would be at least a presumption that the institution in that case was not acting reasonably.