On June 29, 2011, the Federal Financial Institutions Examination Council (the "FFIEC"), a federal interagency body empowered to prescribe uniform standards of supervision for banks and credit unions, issued new guidance (the "FFIEC 2011 Supplement") updating the FFIEC's minimum supervisory expectations "regarding customer authentication, layered security, and other controls in an increasingly hostile online environment." This updated guidance may create a new standard against which financial institutions' actions will be measured when defending claims by customers in connection with alleged losses involving online account takeovers and unauthorized electronic funds transfers.
According to the FFIEC, cybercrime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts. In the third quarter of 2009 alone, computer scams targeting commercial deposit accounts cost U.S. companies $120 million. Small businesses and nonprofits have suffered some relatively large losses because commercial deposit accounts do not receive the reimbursement protection that consumer accounts do. As a result, there has been a surge in litigation against financial institutions, in which customers allege their financial institutions should have stopped payments.
The updated FFIEC guidance reflects significant changes in the risk landscape. Specifically, banking regulators are concerned that customer authentication methods and controls implemented in conformance with guidance issued several years ago have become less effective. The FFIEC said that "[f]raudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers' online accounts. Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls. Various complicated types of attack tools have been developed and automated into downloadable kits, increasing availability and their use by less experienced fraudsters."
The FFIEC 2011 Supplement, which updates the earlier guidance, Authentication in an Internet Banking Environment (the "FFIEC 2005 Guidance"), issued on October 12, 2005, instructs financial institutions to use certain minimum types of "layered security" and fraud monitoring to better protect against cybercrime. It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution's customer awareness and education program.
The FFIEC 2011 Supplement requires financial institutions to review and update existing risk assessments (i) as new information becomes available, (ii) prior to implementing new electronic financial services, and (iii) at least every 12 months. In light of the constantly evolving environment for online banking, financial institution risk assessments should consider, but not be limited to, the following factors:
Customer Authentication for "High-Risk Transactions"
In its 2005 Guidance, the FFIEC defined "high-risk transactions" as "electronic transactions involving access to customer information or the movement of funds to other parties." Although the FFIEC does not change this definition in the FFIEC 2011 Supplement, it recognizes that "not every online transaction poses the same level of risk." Specifically, the FFIEC notes the risks posed by online consumer transactions (e.g., accessing account information, bill payment, intrabank funds transfers, occasional interbank funds transfers or wire transfers) are generally lower than the risks posed by online business transactions (e.g., ACH file origination, frequent interbank wire transfers), particularly when taking into account the frequency and dollar amounts of these transactions.
In light of the varied risks, financial institutions should implement layered security consistent with the risk for covered transactions. For commercial transactions, financial institutions are advised to use controls consistent with the increased level of risk for covered business transactions.
According to the FFIEC, effective controls that may be included in a layered security program include, but are not limited to, the following:
The FFIEC expects an institution's layered security program will contain, at a minimum, (i) manual or automated transaction monitoring or anomaly detection and response processes, to detect and respond to suspicious account activity, and (ii) enhanced controls for customers and system administrators who are granted privileges to set up or change system configurations, such as setting access privileges and application configurations and/or limitations.
Further, the FFIEC recognizes the usefulness of challenge questions as an effective component of a layered online security program. In view of the amount of information about people that is readily available on the Internet and that individuals themselves make available on social networking websites, the FFIEC advised that "institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique" [emphasis added]. Rather, the FFIEC notes, challenge questions can be implemented more effectively using "out of wallet" questions that do not rely on information that is often publicly available. Sophisticated challenge question systems usually require the customer to correctly answer more than one question and often include a "red herring" question designed to trick the fraudster, one that the legitimate customer will recognize as nonsensical.
Finally, the FFIEC stresses the effectiveness of customer awareness and education programs for both retail and commercial account holders. At a minimum, such awareness and education efforts should address the following elements:
In the past, plaintiffs' attorneys and the courts have looked to the FFIEC 2005 Guidance as establishing the minimum standard of care for determining whether institutions have adopted commercially reasonable methods of providing security against unauthorized payment orders. Going forward, financial institutions should expect that the FFIEC 2011 Supplement, requiring annual risk assessments and enhanced authentication and monitoring for Internet-based banking transactions, will set a new, higher minimum standard of care for the industry.
At Day Pitney, we believe a strong offense is our clients' best defense to minimize the risks of an adverse outcome in a regulatory review or in litigation. In light of the importance of the newly issued FFIEC 2011 Supplement, we recommend each financial institution carefully review the FFIEC's updated guidance and consider undertaking an early risk assessment and internal controls review to be sure the institution complies with the announced minimum supervisory expectations. Further, by working together with appropriate technology experts, financial institutions should develop a plan for implementing enhanced authentication and monitoring consistent with the updated FFIEC guidance.
The Day Pitney Compliance and Risk Management team would be pleased to speak with you in more detail about the new FFIEC 2011 Supplement or any related subject matter.
 Supplement to Authentication in an Internet Banking Environment (June 29, 2011), at 1, http://www.ffiec.gov/pdf/Auth-ITS-Final 6-22-11 %28FFIEC Formated%29.pdf.
 David M. Nelson, Federal Deposit Insurance Corp., FDIC Cyber Fraud and Financial Crime Report, Presentation at RSA Conference 2010 (March 2010), at 12, https://365.rsaconference.com/docs/DOC-2470.
 See, e.g., Shames-Yeakel v. Citizens Fin. Bank, 677 F. Supp. 2d 994 (N.D. Ill. 2009), plaintiff's cite to the FFIEC 2005 Guidance to support its contention that the defendant bank was negligent in failing to prevent a fraudulent transfer from a commercial deposit account; see also Patco Constr. Co. v. People's United Bank, 2011 U.S. Dist. LEXIS 58112 (D. Maine May 27, 2011), granting summary judgment in favor of defendant based in part on compliance with the FFIEC 2005 Guidance, and Experi-Metal Inc. v. Comerica, Inc., 2010 U.S. Dist. LEXIS 68149 (E.D. Mich. July 8, 2010).
 Supplement to Authentication in an Internet Banking Environment (June 29, 2011), at 2, http://www.ffiec.gov/pdf/Auth-ITS-Final 6-22-11 %28FFIEC Formated%29.pdf.
 FFIEC, Authentication in an Internet Banking Environment (2005), at 1-2, http://www.ffiec.gov/pdf/authentication_guidance.pdf.
Paul Belval will be co-presenting a webinar, "Developing and Financing Wind Energy Projects: Contract Provisions, Protecting Developer and Landowner Interests," for Strafford.
Day Pitney Alert
On January 9, partner Michael Kaufman co-presented a live CLE webinar, "Intercorporate Guaranties and Integrated Transactions: Avoiding Fraudulent Conveyance Exposure in Bankruptcy," sponsored by Strafford.
Paul Belval will be speaking on "Alternative Financing for Renewable Energy Projects: Evaluating Options, Structuring the Deal" for a webinar presented by Strafford.
Steven Cash co-authored an article, "Evolution of a Valuable Tool for Attorneys: Business Intelligence Practitioners," for the New York Law Journal.
Day Pitney Press Release
Day Pitney Press Release
Day Pitney Press Release
Day Pitney represented AlphaCrest Capital Management LLC (AlphaCrest), a quantitative research and technology-driven systematic trading firm based in New York, in connection with (i) the acquisition of a minority ownership interest in AlphaCrest by Brummer & Partners, an alternative investment manager based in Sweden and (ii) an investment by Brummer's BMS Multi-Strategy fund of funds in AlphaCrest Offshore Strategies Fund Ltd., an affiliated offshore feeder fund of the investment manager.
Day Pitney Press Release