July 14, 2011
Updated Regulatory Guidance for Authentication in an Internet Banking Environment: A New Standard of Care?
On June 29, 2011, the Federal Financial Institutions Examination Council (the "FFIEC"), a federal interagency body empowered to prescribe uniform standards of supervision for banks and credit unions, issued new guidance (the "FFIEC 2011 Supplement") updating the FFIEC's minimum supervisory expectations "regarding customer authentication, layered security, and other controls in an increasingly hostile online environment."[1] This updated guidance may create a new standard against which financial institutions' actions will be measured when defending claims by customers in connection with alleged losses involving online account takeovers and unauthorized electronic funds transfers.
According to the FFIEC, cybercrime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts. In the third quarter of 2009 alone, computer scams targeting commercial deposit accounts cost U.S. companies $120 million.[2] Small businesses and nonprofits have suffered some relatively large losses because commercial deposit accounts do not receive the reimbursement protection that consumer accounts do. As a result, there has been a surge in litigation against financial institutions, in which customers allege their financial institutions should have stopped payments.[3]
The updated FFIEC guidance reflects significant changes in the risk landscape. Specifically, banking regulators are concerned that customer authentication methods and controls implemented in conformance with guidance issued several years ago have become less effective. The FFIEC said that "[f]raudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers' online accounts. Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls. Various complicated types of attack tools have been developed and automated into downloadable kits, increasing availability and their use by less experienced fraudsters."[4]
The FFIEC 2011 Supplement, which updates the earlier guidance, Authentication in an Internet Banking Environment (the "FFIEC 2005 Guidance"), issued on October 12, 2005,[5] instructs financial institutions to use certain minimum types of "layered security" and fraud monitoring to better protect against cybercrime. It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution's customer awareness and education program.
Risk Assessment
The FFIEC 2011 Supplement requires financial institutions to review and update existing risk assessments (i) as new information becomes available, (ii) prior to implementing new electronic financial services, and (iii) at least every 12 months. In light of the constantly evolving environment for online banking, financial institution risk assessments should consider, but not be limited to, the following factors:
- Changes in the internal and external threat environment;
- Changes in the customer base adopting electronic banking;
- Changes in the customer functionality offered through electronic banking; and
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.
Layered Security
The FFIEC 2011 Supplement also identifies controls that may be included in an institution's layered security program, including:
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- Use of dual customer authorization through different access devices;
- Use of out-of-band verification for transactions;
- Use of "positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account;
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
- Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
- Enhanced customer education to increase awareness of the fraud risk and effective techniques they can use to mitigate the risk.
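Several of the layered controls listed above (transaction value thresholds, transaction counts per day, allowable payment windows, approved payment recipients, IP reputation blocking, comparison against customer history, and out-of-band verification) can be expressed as a single policy evaluation applied to each requested transfer. The following is an added illustration written for this page, not code from the FFIEC or from any institution; the `AccountPolicy`, `Transfer` and `evaluate` names, the dollar limits, the blocked network range and the sample transfers are all constructed values chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy; the limits are constructed sample values, not FFIEC figures.
@dataclass
class AccountPolicy:
    max_single_amount: float = 10_000.00    # transaction value threshold
    max_daily_count: int = 5                # transactions allowed per day
    window_start: time = time(8, 0)         # allowable payment window (time of day)
    window_end: time = time(18, 0)
    business_days_only: bool = True         # allowable payment window (days)
    allowed_payees: set = field(default_factory=set)  # approved payment recipients
    oob_threshold: float = 2_500.00         # above this, require out-of-band verification

@dataclass
class Transfer:
    account_id: str
    amount: float
    payee: str
    when: datetime
    client_ip: str

# Constructed stand-in for an IP reputation feed (RFC 5737 documentation range).
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]

_RANK = {"allow": 0, "step_up": 1, "block": 2}

def _escalate(current: str, proposed: str) -> str:
    """Keep the more restrictive of two decisions."""
    return proposed if _RANK[proposed] > _RANK[current] else current

def evaluate(transfer: Transfer, policy: AccountPolicy, history: list) -> tuple:
    """Apply the layered controls to one transfer and return (decision, reasons);
    decision is "allow", "step_up" (hold for out-of-band confirmation) or "block"."""
    decision, reasons = "allow", []

    # IP reputation: connections from flagged ranges are refused outright.
    if any(ip_address(transfer.client_ip) in net for net in BLOCKED_NETWORKS):
        reasons.append("client IP is on the blocked reputation list")
        decision = _escalate(decision, "block")

    # Transaction value threshold.
    if transfer.amount > policy.max_single_amount:
        reasons.append("amount exceeds the single-transaction limit")
        decision = _escalate(decision, "block")

    # Allowable payment window: days and times.
    if policy.business_days_only and transfer.when.weekday() >= 5:
        reasons.append("transfer requested outside business days")
        decision = _escalate(decision, "block")
    if not policy.window_start <= transfer.when.time() <= policy.window_end:
        reasons.append("transfer requested outside the allowed time window")
        decision = _escalate(decision, "block")

    # Number of transactions allowed per day (velocity), counting this one.
    same_day = [h for h in history if h.when.date() == transfer.when.date()]
    if len(same_day) + 1 > policy.max_daily_count:
        reasons.append("daily transaction count exceeded")
        decision = _escalate(decision, "block")

    # Payment recipients: an unapproved payee is held for customer confirmation.
    if policy.allowed_payees and transfer.payee not in policy.allowed_payees:
        reasons.append("payee not on the approved recipient list")
        decision = _escalate(decision, "step_up")

    # Customer history and behaviour: amounts far above the account's norm.
    if history:
        average = sum(h.amount for h in history) / len(history)
        if transfer.amount > 3 * average:
            reasons.append("amount is more than three times the account's average")
            decision = _escalate(decision, "step_up")

    # Out-of-band verification for higher-value transfers.
    if transfer.amount > policy.oob_threshold:
        reasons.append("amount above out-of-band verification threshold")
        decision = _escalate(decision, "step_up")

    return decision, reasons

def demo() -> dict:
    """Run three constructed transfers against one commercial account."""
    policy = AccountPolicy(allowed_payees={"Acme Supplies", "Metro Utilities"})
    history = [  # constructed prior activity: three routine supplier payments
        Transfer("C-1001", 1200.00, "Acme Supplies", datetime(2011, 7, 11, 9, 5), "198.51.100.7"),
        Transfer("C-1001", 900.00, "Metro Utilities", datetime(2011, 7, 12, 14, 20), "198.51.100.7"),
        Transfer("C-1001", 1500.00, "Acme Supplies", datetime(2011, 7, 13, 10, 45), "198.51.100.7"),
    ]
    cases = {
        "routine": Transfer("C-1001", 1100.00, "Acme Supplies",
                            datetime(2011, 7, 14, 10, 30), "198.51.100.7"),
        "new_payee": Transfer("C-1001", 4800.00, "Overseas Ltd",
                              datetime(2011, 7, 14, 11, 15), "198.51.100.7"),
        "off_hours_bad_ip": Transfer("C-1001", 9500.00, "Overseas Ltd",
                                     datetime(2011, 7, 16, 2, 40), "203.0.113.45"),
    }
    return {name: evaluate(t, policy, history) for name, t in cases.items()}

if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

The point of the structure is that the controls are independent layers: a routine payment to a known supplier passes every check, a large payment to a new recipient is held for out-of-band confirmation even though no single rule blocks it, and an off-hours request from a flagged address is refused before any customer-facing step. Every reason is recorded so that the institution's response (the "timely and effective institution response" the guidance calls for) can be reviewed afterwards.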
Customer Awareness and Education
The FFIEC 2011 Supplement identifies the following minimum elements that should be part of an institution's customer awareness and education program:
- An explanation of protections provided (and those not provided) to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
- An explanation of circumstances (if any) under which and means through which the institution may contact a customer on an unsolicited basis and request the customer's electronic banking credentials;
- A suggestion that commercial online banking customers periodically perform a related risk assessment and controls evaluation;
- A listing of alternative risk control mechanisms customers may consider implementing to mitigate their own risk, or (alternatively) a listing of available resources where such information can be found; and
- A listing of institutional contacts for customers' discretionary use in the event the customer notices suspicious account activity.
[1] Supplement to Authentication in an Internet Banking Environment (June 29, 2011), at 1, http://www.ffiec.gov/pdf/Auth-ITS-Final 6-22-11 %28FFIEC Formated%29.pdf.
[2] David M. Nelson, Federal Deposit Insurance Corp., FDIC Cyber Fraud and Financial Crime Report, Presentation at RSA Conference 2010 (March 2010), at 12, https://365.rsaconference.com/docs/DOC-2470.
[3] See, e.g., Shames-Yeakel v. Citizens Fin. Bank, 677 F. Supp. 2d 994 (N.D. Ill. 2009), in which the plaintiff cited the FFIEC 2005 Guidance to support its contention that the defendant bank was negligent in failing to prevent a fraudulent transfer from a commercial deposit account; see also Patco Constr. Co. v. People's United Bank, 2011 U.S. Dist. LEXIS 58112 (D. Maine May 27, 2011), granting summary judgment in favor of the defendant based in part on compliance with the FFIEC 2005 Guidance, and Experi-Metal Inc. v. Comerica, Inc., 2010 U.S. Dist. LEXIS 68149 (E.D. Mich. July 8, 2010).
[4] Supplement to Authentication in an Internet Banking Environment (June 29, 2011), at 2, http://www.ffiec.gov/pdf/Auth-ITS-Final 6-22-11 %28FFIEC Formated%29.pdf.
[5] FFIEC, Authentication in an Internet Banking Environment (2005), at 1-2, http://www.ffiec.gov/pdf/authentication_guidance.pdf.