NACHA, the electronic payments association that manages the ACH network, released advice in July to help banks implement the Federal Financial Institutions Examination Council's updated guidelines for securing Internet banking. The FFIEC's Supplement to Authentication in an Internet Banking Environment, released in 2011, updates previous FFIEC regulatory guidelines for financial institutions and includes additional requirements for fraud prevention measures and policies.
NACHA managing director Deborah Shaw says the association thought it would be helpful to provide a resource for banks as they implement the supplement's provisions. NACHA's Sound Business Practices for Implementing Provisions of the Supplement were developed by the organization's Risk Management Advisory Group, with input from financial institutions and regional payments associations. The prescribed best practices are drawn from "real-life experiences of different financial institutions," according to Shaw. "It's an opportunity to see what your peers are doing and what you can learn from them."
NACHA's recommended best practices cover five areas of transaction security: risk assessments; customer authentication for high-risk transactions; layered security programs; the effectiveness of certain authentication methods; and customer education.
The FFIEC recommends that banks update their risk assessment processes at least every 12 months and factor in changes to the threat environment, customer adoption and any incidents of fraud attacks when revising their assessments. NACHA, however, suggests more frequent reviews and updates.
Some of the environmental changes that NACHA says should trigger additional risk assessments include changes in the customer base that uses electronic transactions and the introduction of new electronic funds transfer services. NACHA also suggests that banks review any attempted security breaches to help determine fraud patterns and correct any problems.
The FFIEC says banks should never rely on any single control for authorizing high-risk transactions. The higher the risk of a given transaction, the more controls should be put in place. In general, consumer transactions are less risky than commercial ones, the FFIEC notes.
According to NACHA, banks should monitor consumer and commercial accounts on a daily, weekly, monthly and quarterly basis for unusual activity, while also ensuring that security procedures and tools are kept up to date. Procedures should be in place for how to handle transactions that seem out of the ordinary. Banks should also be tracking failed attempts to log on to an account, NACHA says. For commercial accounts, the association also recommends establishing file and exposure limits, as well as processing schedules, for originating customers.
The FFIEC argues that layered security allows the strength of one control to offset the weakness of another. At a minimum, the FFIEC expects banks to have two key components in a security program: the ability to detect and respond to suspicious activity, and, for commercial accounts, enhanced controls for system administrators. Some of the controls recommended by the FFIEC include dual authorization through multiple devices and policies for dealing with compromised customer devices.
NACHA adds that banks must understand the benefits and drawbacks of different security techniques within a layered program. Banks should be current on new technologies and security regulations. Different techniques might be tailored to different types of accounts, as well. Controls should be based on the behavior patterns found in the account.
The FFIEC recommends using complex device authentication methods that leverage one-time cookies and examine PC configurations, IP addresses, geolocation and other factors. According to the regulatory body, challenge questions also should be employed as a secondary authentication method.
NACHA reiterates the need for complex device authentication methods, but also points out that methods should be updated as authentication technologies evolve and progress. NACHA further recommends using different challenge questions for different sessions.
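To make the layered approach concrete, here is an added example (it is not code from the article, NACHA or the FFIEC) that combines the controls described above: device authentication based on a one-time cookie, a PC configuration fingerprint and geolocation; tracking of failed logon attempts; and the per-day exposure limit NACHA recommends for commercial originators. The account profiles, transactions, field names and thresholds are all constructed for illustration. The point it shows is how the layers interact: a hard exposure limit holds a file on its own, a single anomaly only triggers step-up authentication (such as a fresh challenge question), and two or more independent anomalies hold the transaction for review.

```python
"""Layered transaction risk evaluation -- illustrative example, not NACHA/FFIEC code."""
from dataclasses import dataclass, field


@dataclass
class AccountProfile:
    account_id: str
    account_type: str            # "consumer" or "commercial"
    known_devices: frozenset     # fingerprints seen on prior authenticated sessions
    usual_countries: frozenset   # geolocations seen on prior sessions
    daily_exposure_limit: float  # commercial only: cap on total originated per day (0 = none)
    failed_logons_today: int = 0
    originated_today: float = 0.0


@dataclass
class Transaction:
    tx_id: str
    account_id: str
    amount: float
    device_fingerprint: str      # hash of browser/PC configuration (constructed value)
    country: str                 # geolocated from the client IP address
    cookie_valid: bool           # one-time device cookie matched the last value issued


@dataclass
class Decision:
    tx_id: str
    action: str                  # "approve", "step_up" or "hold"
    signals: list = field(default_factory=list)


FAILED_LOGON_THRESHOLD = 3       # assumed threshold, tune per institution


def evaluate(tx: Transaction, profile: AccountProfile) -> Decision:
    """Run each control independently, then decide on the combined picture."""
    signals = []

    # Layer 1: complex device authentication (cookie + configuration + geolocation)
    if not tx.cookie_valid:
        signals.append("stale_or_missing_device_cookie")
    if tx.device_fingerprint not in profile.known_devices:
        signals.append("unrecognized_device")
    if tx.country not in profile.usual_countries:
        signals.append("unusual_geolocation")

    # Layer 2: account activity monitoring (failed logon attempts)
    if profile.failed_logons_today >= FAILED_LOGON_THRESHOLD:
        signals.append("repeated_failed_logons")

    # Layer 3: exposure limit for commercial originators
    over_limit = (
        profile.account_type == "commercial"
        and profile.daily_exposure_limit > 0
        and profile.originated_today + tx.amount > profile.daily_exposure_limit
    )
    if over_limit:
        signals.append("exposure_limit_exceeded")

    # Decision: the exposure limit is a hard stop; otherwise one anomaly means
    # step-up authentication, two or more independent anomalies mean manual review.
    if over_limit or len(signals) >= 2:
        action = "hold"
    elif signals:
        action = "step_up"
    else:
        action = "approve"
    return Decision(tx.tx_id, action, signals)


# Constructed sample profiles and transactions (not real account data).
PROFILES = {
    "C-1001": AccountProfile("C-1001", "consumer", frozenset({"fp-aaa"}), frozenset({"US"}), 0.0),
    "B-2002": AccountProfile("B-2002", "commercial", frozenset({"fp-bbb", "fp-ccc"}), frozenset({"US"}),
                             daily_exposure_limit=50000.0, originated_today=42000.0),
    "B-3003": AccountProfile("B-3003", "commercial", frozenset({"fp-ddd"}), frozenset({"US", "CA"}),
                             daily_exposure_limit=100000.0, failed_logons_today=5),
}

SAMPLE_TXS = [
    Transaction("t1", "C-1001", 120.00, "fp-aaa", "US", True),    # routine consumer payment
    Transaction("t2", "C-1001", 900.00, "fp-zzz", "US", True),    # new device only
    Transaction("t3", "B-2002", 9500.00, "fp-bbb", "US", True),   # pushes originator past its daily limit
    Transaction("t4", "B-3003", 2000.00, "fp-qqq", "RO", False),  # new device, new country, bad cookie, lockout history
]


def run(txs=SAMPLE_TXS, profiles=PROFILES):
    """Evaluate each transaction against its account profile."""
    return [evaluate(tx, profiles[tx.account_id]) for tx in txs]


if __name__ == "__main__":
    for d in run():
        print(d.tx_id, d.action, ",".join(d.signals) or "-")
```

Running it yields approve / step_up / hold / hold for t1 through t4. The evaluation returns the list of signals alongside the action so that the review queue and the customer-facing step-up prompt can each explain which layer fired, which is also what makes the control data usable when the bank revisits its risk assessment.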
Banks' customer awareness programs should explain protections provided by the institution that deal with electronic funds transfers, according to the FFIEC. They also should explain any circumstances that would cause the bank to contact the customer and request electronic banking credentials. Commercial customers should be advised to conduct their own regular risk assessments, and banks should provide information about alternative control mechanisms that customers might want to consider for mitigating their own risk. Customers should have access to information about who to contact at their bank if they notice any suspicious activity.
NACHA stresses that banks need to understand that customer education is an ongoing process that requires repeated messages. Posting one-time notices is not enough, the association says. Educational materials should also be easy for customers to understand -- don't use industry jargon. Further, banks need to ensure that customers who contact them regarding suspicious account activity receive a prompt reply. Customers need to be aware of their rights under Regulation E -- the Federal Reserve rules governing electronic funds transfers -- and customers not covered by the regulation should understand what that entails.
The FFIEC's Supplement to Authentication in an Internet Banking Environment can be downloaded at tinyurl.com/9hx7smm.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...