Julianne Inozemcev and Rudy Bakalov, Ernst & Young

Banks Get New Guidance on Online Authentication

Conducting business online with unauthorized or incorrectly identified persons can expose financial institutions to financial loss and brand erosion. As Internet-based financial services continue to grow, a sound, consistent authentication strategy can help financial institutions prevent losses and reputational damage while complying with requirements to safeguard customer information, prevent money laundering and terrorist-financing activities, inhibit identity theft, and maintain an effective internal control environment.

In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance titled "Authentication in an Internet Banking Environment" to curb online fraud within the financial services industry. Under this guidance, all financial institutions regulated by the member agencies of the FFIEC are directed to conduct risk assessments and evaluate customer awareness programs to review the effectiveness of the systems and practices they use to authenticate both retail and commercial customers who engage in online financial activities.

The guidance states that the level of authentication used by the institution should be appropriate to the risks associated with Internet-based financial products and services. It views the use of single-factor authentication alone as inadequate for high-risk transactions that involve access to customer information or the movement of funds to other parties. The FFIEC recommends the use of properly designed and implemented multifactor authentication methods as a more reliable and stronger fraud deterrent.

While compliance with the new guidance is not mandatory, financial institutions should expect FFIEC examiners to assess their progress toward meeting the expectations in the guidance by the end of 2006. Here are some steps to consider:

Conduct a Risk Assessment. Since no two organizations are alike, institutions should select authentication methodologies only after performing an assessment of the risks posed by Internet banking systems. Factors to consider include the type of customer (e.g., retail or commercial), available online transactional capabilities, the sensitivity of the customer information being processed and communicated, the ease of using the communication method and the transaction volume.

Report and Remediate Findings. Many financial institutions have already completed a risk assessment and now face the challenge of deciding how to proceed if the results show that their current authentication techniques are not adequate to minimize losses and reduce identity theft or the loss of personal information.

The guidance describes some common challenges and potential solutions, but does not endorse a particular authentication method. The options available range from layering security controls to implementing enterprise security solutions to enforce and monitor multifactor authentication requirements.

Authentication Methods. Financial institutions may opt for one or more authentication strategies, based on the nature, scope and complexity of the transactions that customers can conduct online. The three basic forms of authentication are: (1) something the user knows (e.g., a PIN or password), (2) something the user has (e.g., a secure ID token, an ATM card) and (3) some physical trait unique to the user (e.g., fingerprint, retinal scan). An emerging authentication method, behavioral analytics, has become more widely implemented within the banking industry as a supplement to these methods. A key advantage of behavioral analytics is that it allows the institution to maintain a behavior profile of each customer based on his/her activity, in effect marrying "what you know" with "what you do."

Multifactor authentication involves the use of more than one form of authentication and can be implemented through a number of different approaches. For example, some online brokers have provided their clients with token-based, one-time password generators. However, security tokens are expensive and there are concerns that customers will either lose them or will forget to carry them around at all times so they can complete transactions.

Other institutions that have implemented multifactor authentication are asking customers to choose an image and phrase to be displayed when they access their online account. Image and text checks are designed to let people know they are on an authentic site and to verify the identity of the customer. Whichever multifactor authentication method is chosen to comply with the guidance, it should be user-friendly and acceptable to customers, interoperable with existing banking infrastructure, and scalable to accommodate growth.

Multifactor authentication methods are more difficult to compromise than single-factor methods. However, the choice of multifactor authentication solutions should be driven by the results of the institution's risk assessment process and tailored to meet an institution's specific business risks and regulatory requirements. The success of any particular strategy also depends on the institution's overall corporate policies, procedures, training and awareness.
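The following is an added example, not code from the article or from Ernst & Young, showing the two ideas above in working form: a token-based one-time password (the "something the user has" factor, implemented here as RFC 4226 HOTP) and a risk-tiered policy that requires the second factor only for transactions the risk assessment rates as high risk, such as moving funds to a new payee. The transaction types, the number of factors per tier, the user names and the use of the RFC 4226 test secret are all constructed for illustration; an institution would derive its own tiers from its risk assessment.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the one-time code a token generates from a shared secret
    and a moving counter (the "something the user has" factor)."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 s.5.3)
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


# Hypothetical risk tiers: how many factors each transaction type requires.
# A real institution derives these from its own risk assessment; unknown
# transaction types fall back to the high-risk tier (fail closed).
RISK_TIERS = {
    "view_balance": 1,
    "pay_existing_payee": 1,
    "transfer_to_new_payee": 2,
    "change_contact_details": 2,
}
HIGH_RISK_FACTORS = 2


@dataclass
class TokenRecord:
    secret: bytes
    next_counter: int = 0      # lowest counter value the server will still accept


@dataclass
class Session:
    user: str
    password_ok: bool          # first factor ("something the user knows") already checked


class AuthServer:
    def __init__(self, tokens: dict, look_ahead: int = 5):
        self.tokens = tokens
        self.look_ahead = look_ahead   # tolerate a few token presses the server never saw

    def verify_otp(self, user: str, code: str) -> bool:
        rec = self.tokens[user]
        for c in range(rec.next_counter, rec.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(rec.secret, c), code):
                rec.next_counter = c + 1   # resync; this and older codes can never be replayed
                return True
        return False

    def authorize(self, session: Session, txn: str, otp: Optional[str] = None) -> bool:
        """Allow the transaction only if the session has presented as many
        factors as the risk tier for that transaction demands."""
        if not session.password_ok:
            return False
        needed = RISK_TIERS.get(txn, HIGH_RISK_FACTORS)
        if needed >= 2:
            return otp is not None and self.verify_otp(session.user, otp)
        return True


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226 test secret and a single enrolled user.
    secret = b"12345678901234567890"
    server = AuthServer({"alice": TokenRecord(secret)})
    alice = Session("alice", password_ok=True)
    print("balance, password only:", server.authorize(alice, "view_balance"))
    print("new payee, password only:", server.authorize(alice, "transfer_to_new_payee"))
    print("new payee, with token code:",
          server.authorize(alice, "transfer_to_new_payee", hotp(secret, 0)))
    print("same code replayed:",
          server.authorize(alice, "transfer_to_new_payee", hotp(secret, 0)))
```

Two design points matter for a deployment. The server advances the counter past any accepted code, so a code captured from a customer cannot be replayed, and it compares codes with a constant-time function. The policy defaults unknown transaction types to the high-risk tier, so a new product added to the online channel is protected until the risk assessment explicitly rates it lower.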

Julianne Inozemcev is a partner with Ernst & Young's Technology and Security Risk Services in the New York Financial Services Office. Rudy Bakalov is a senior manager in the practice.
