Conducting business online with unauthorized or incorrectly identified persons can expose financial institutions to financial loss and brand erosion. As Internet-based financial services continue to grow, a sound, consistent authentication strategy can help financial institutions prevent losses and reputational damage while complying with requirements to safeguard customer information, prevent money laundering and terrorist-financing activities, inhibit identity theft, and maintain an effective internal control environment.
In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance titled "Authentication in an Internet Banking Environment" to curb online fraud within the financial services industry. Under this guidance, all financial institutions regulated by the member agencies of the FFIEC are directed to conduct risk assessments and evaluate customer awareness programs to review the effectiveness of the systems and practices they use to authenticate both retail and commercial customers who engage in online financial activities.
The guidance states that the level of authentication used by the institution should be appropriate to the risks associated with Internet-based financial products and services. It views the use of single-factor authentication alone as inadequate for high-risk transactions that involve access to customer information or the movement of funds to other parties. The FFIEC recommends the use of properly designed and implemented multifactor authentication methods as a more reliable and stronger fraud deterrent.
While compliance with the new guidance is not mandatory, financial institutions should expect FFIEC examiners to assess their progress toward meeting the expectations in the guidance by the end of 2006. Here are some steps to consider:
Conduct a Risk Assessment. Since no two organizations are alike, institutions should select authentication methodologies only after performing an assessment of the risks posed by Internet banking systems. Factors to consider include the type of customer (e.g., retail or commercial), available online transactional capabilities, the sensitivity of the customer information being processed and communicated, the ease of using the communication method and the transaction volume.
Report and Remediate Findings. Many financial institutions have already completed a risk assessment and now face the challenge of deciding how to proceed if the results show that their current authentication techniques are not adequate to minimize losses and reduce identity theft or the loss of personal information.
The guidance describes some common challenges and potential solutions, but does not endorse a particular authentication method. The options available range from layering security controls to implementing enterprise security solutions to enforce and monitor multifactor authentication requirements.
Authentication Methods. Financial institutions may opt for one or more authentication strategies, based on the nature, scope and complexity of the transactions that customers can conduct online. The three basic forms of authentication are: (1) something the user knows (e.g., a PIN or password), (2) something the user has (e.g., a secure ID token, an ATM card) and (3) some physical trait unique to the user (e.g., fingerprint, retinal scan). An emerging authentication method, behavioral analytics, has become more widely implemented within the banking industry as a supplement to these methods. A key advantage of behavior analytics is that it allows the institution to maintain a behavior profile of each customer based on his/her activity, in effect marrying "what you know" with "what you do."
Multifactor authentication involves the use of more than one form of authentication and can be implemented through a number of different approaches. For example, some online brokers have provided their clients with token-based, one-time password generators. However, security tokens are expensive and there are concerns that customers will either lose them or will forget to carry them around at all times so they can complete transactions.
Other institutions that have implemented multifactor authentication are asking customers to choose an image and phrase to be displayed when they access their online account. Image and text checks are designed to let people know they are on an authentic site and to verify the identity of the customer. Whichever multifactor authentication method is chosen to comply with the guidance, it should be user-friendly and acceptable to customers, interoperable with existing banking infrastructure, and scalable to accommodate growth.
Multifactor authentication methods are more difficult to compromise than single-factor methods. However, the choice of multifactor authentication solutions should be driven by the results of the institution's risk assessment process and tailored to meet an institution's specific business risks and regulatory requirements. The success of any particular strategy also depends on the institution's overall corporate policies, procedures, training and awareness.
Julianne Inozemcev is a partner with Ernst & Young's Technology and Security Risk Services in the New York Financial Services Office. Rudy Bakalov is a senior manager in the practice.