The Federal Financial Institutions Examination Council last summer released the supplement to its “Authentication in an Internet Banking Environment” guidance, which was first issued by the FFIEC in 2005.
The deadline for meeting the new requirements is now, and examinations under the new guidance are getting under way.
These updates of the FFIEC regulations specifically address member authentication, layered security and other controls in the growing online environment.
Listed below are five major questions about compliance with the FFIEC's recent guidance on banking authentication that every credit union should be aware of prior to implementing a solution.
What does “layered security” actually mean?
“Layered security” refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.
What does “multi-factor” authentication actually mean?
A simple example of multi-factor authentication is the use of a debit card at an ATM. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN to complete. The card is one factor, the PIN is a second. The two combine to deliver multi-factor authentication.
Who does this guidance affect? And does it affect each type of credit grantor/lender differently?
The guidance pertains to all financial institutions in the U.S. that fall under the FFIEC's influence. While the guidance specifically mentions authenticating in an online environment, it's clear that the overall approach advocated by the FFIEC applies to authentication in any environment.
What will the regulation do to help mitigate fraud risk in the near-term and long-term?
The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.
How are organizations responding?
Experian estimates that fewer than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals, were deployed as point solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ the risk-based, “layered” approach that the guidance is seeking.
Christopher Ryan is a senior fraud business consultant with Experian's Global Consulting Practice.