Post on 19-Oct-2014
Michael J. McEvoy, Principal, Banking Research, mmcevoy@novarica.com, 617-243-9500
FFIEC Updated “Guidance” to Financial Institutions
(and what it means)
What It Is
Minimum steps FIs need to take to protect customer data and prevent online fraud
Previous “guidance” issued in 2005 and 2001
New guidance takes effect in January 2012
What Prompted the Update
Consumer Adoption of Digital Channels Has Been Dramatic
[Diagram: Consumer Adoption of Digital Channels → More Online Functionality → Growing Opportunity for Fraudsters]
Novarica/Novantas research shows shift to digital channels
Banks have improved functionality / transactional capabilities
Emergence of mobile banking – new challenges ahead
More users, more activity per user
–Opportunities for online fraud have risen considerably
Basic Banking Transactions Now Well Established Online
Customers are Turning to Digital Channels for More Complex Transactions
Threats Have Become More Sophisticated, Effective and Malicious
The Internet’s “dark side”
–Easier access to tools to compromise authentication mechanisms
–Phishing, Pharming, Malware
Cybercrime complaints have risen dramatically
–Many involve small businesses and municipalities
–ACH and wire transfers by businesses: more frequent, higher value
Size of opportunity has attracted organized criminal groups
Broadband penetration rates growing globally – increasing threats from outside the US
What Prompted the Update?
Since 2005…
Customer use of the online channels has grown dramatically
Threat level has increased
Also, the FDIC says:
Risk assessments & upgrades were not being done
FFIEC wanted to “raise the bar”
What is in the Update?
Three Key Components to the FFIEC’s Approach: Risk Assessment, Layered Security, Customer Awareness and Education
Regular Risk Assessments
–Triggered more frequently
–More comprehensive than in the past
Layered Security
–Certain controls no longer considered effective
–Additional protections for business customers
–May involve out-of-band verification, dual authorization, account controls, etc.
Customer Awareness and Education
–Educate customers on steps being taken to protect them
–Alerts to customers for suspicious activities on their accounts
More Triggers for Risk Assessments
Risk Assessments to be Triggered:
–When new information becomes available (e.g. new software threats)
–Before offering new products online / adding significant functionality
–No later than 12 months after previous review
Risk Assessments to be More Comprehensive than in Past to Consider, at a Minimum:
–Changes to internal / external threat environment
–Changes in the customer base for online banking
–Changes in online functionality offered to customers
–Actual incidents of security breaches, identity theft and fraud
Guidance is more specific than in the past
Business Accounts to Require Additional Protection
Guidance makes a distinction, for the first time, between retail and business accounts
Business accounts have a higher risk profile
ACH, wire transfers – more frequent, higher value
Therefore, controls in place for business accounts need to be stronger
Additional controls for adding new payees, admins., etc.
Multifactor Authentication should be offered to business customers (for log-in; other types of controls may be adequate after log-in)
Layered Security – a New Baseline
Different controls at different points in the process, so that a weakness in one is compensated for by strength in another. Examples:
―Out-of-band verification
―Restrictions on the account (e.g. positive pay, debit blocks)
―Controls on account activities (e.g. number of transactions per day, allowable payment windows)
At minimum, layered security should include anomaly detection & response:
―At initial customer login, and
―At initiation of funds transfers to other parties
Authentication Controls
Certain types of controls are no longer considered adequate as primary controls
Ineffective:
Simple device identification (e.g. simple cookie)
Simple challenge questions
Effective:
Complex challenge questions (i.e. ‘out-of-wallet’ questions)
Complex device identification
Device reputation
What Now?
FFIEC Guidance
Risk Assessment
Gap Analysis
Written Action Plan
Vendor Relationships
Prioritize Resources
Prepare Customers
What CIOs Must Do to Prepare for 2012
Start with Risk Assessment
Next, do a Gap Analysis
Create Written Action Plan
Evidence of Dialog with Vendors
Educate Customers, Forewarn them of Changes on the Way
Continuous risk assessment is absolutely essential from now on
–Individual project risk assessment
–Department-by-department risk assessment
–Bank-wide overall risk assessment
• FIs are not absolved of responsibility until vendor implementation
• Meanwhile, improvise:
Internally developed anomaly detection
Transaction Calendar (business customers)
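An added example, not code from the deck, from Novarica or from the FFIEC guidance, of what the "improvise" items above and the layered-security slide describe: a small Python rule set that checks a business customer's login and transfer events against account controls (known devices, known payees, a daily transfer count, an allowable payment window and transaction calendar, and a dual-authorisation threshold) and escalates to out-of-band verification, dual authorisation, a hold or a block. The field names, thresholds and the event sequence are constructed for illustration; the escalation order is this example's own choice.

```python
"""Layered security checks for business online banking events.

Added example, not code from the deck or from any vendor: the field names,
thresholds and sample events below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# Escalation order: the strictest layer that fires decides the outcome.
SEVERITY = {"allow": 0, "step_up": 1, "dual_auth": 2, "hold": 3, "block": 4}


@dataclass
class AccountControls:
    """Per-customer controls a bank might configure for a business account."""
    known_devices: set           # device identifiers seen and confirmed before
    known_payees: set            # payees already approved for this customer
    max_transfers_per_day: int   # control on account activity (transactions per day)
    payment_window: tuple        # (earliest, latest) local time payments may be released
    payment_days: set            # weekdays (Mon=0) on the customer's transaction calendar
    dual_auth_threshold: float   # amount at or above which a second approver is required


@dataclass
class Event:
    kind: str                    # "login" or "transfer"
    customer: str
    device_id: str
    when: datetime
    payee: str = ""
    amount: float = 0.0


@dataclass
class Decision:
    action: str
    reasons: list = field(default_factory=list)


def evaluate(event, controls, history):
    """Run every layer against one event; history holds the customer's earlier events."""
    if event.kind not in ("login", "transfer"):
        raise ValueError(f"unknown event kind {event.kind!r}")
    findings = []

    # Layer 1: anomaly detection at login, repeated at transfer initiation.
    # An unrecognised device alone does not block; it triggers out-of-band verification.
    if event.device_id not in controls.known_devices:
        findings.append(("step_up", "unrecognised device: out-of-band verification required"))

    if event.kind == "transfer":
        # Layer 2: additional controls for new payees and large amounts (dual authorisation).
        if event.payee not in controls.known_payees:
            findings.append(("dual_auth", f"new payee {event.payee!r}: second authoriser required"))
        if event.amount >= controls.dual_auth_threshold:
            findings.append(("dual_auth", f"amount {event.amount:.2f} meets dual-authorisation threshold"))

        # Layer 3: transaction calendar and allowable payment window.
        earliest, latest = controls.payment_window
        in_window = earliest <= event.when.time() <= latest
        if not in_window or event.when.weekday() not in controls.payment_days:
            findings.append(("hold", "outside the customer's payment window or transaction calendar"))

        # Layer 4: control on account activity (number of transfers per day).
        # Initiated transfers count whether or not they were later approved; that is the
        # conservative choice for a limit meant to catch rapid draining of an account.
        todays = [e for e in history
                  if e.customer == event.customer and e.kind == "transfer"
                  and e.when.date() == event.when.date()]
        if len(todays) + 1 > controls.max_transfers_per_day:
            findings.append(("block", f"daily transfer limit of {controls.max_transfers_per_day} exceeded"))

    if not findings:
        return Decision("allow")
    action = max((a for a, _ in findings), key=SEVERITY.__getitem__)
    return Decision(action, [reason for _, reason in findings])


def run_sample():
    """Replay a constructed sequence for one business customer and return the actions taken."""
    controls = AccountControls(
        known_devices={"dev-office-1"},
        known_payees={"Acme Supplies"},
        max_transfers_per_day=2,
        payment_window=(time(8, 0), time(17, 0)),
        payment_days={0, 1, 2, 3, 4},
        dual_auth_threshold=10_000.0,
    )
    tue = datetime(2011, 11, 15)  # a Tuesday; these events are constructed, not real transactions
    events = [
        Event("login", "biz-1", "dev-office-1", tue.replace(hour=9, minute=0)),
        Event("transfer", "biz-1", "dev-office-1", tue.replace(hour=9, minute=5), "Acme Supplies", 2_500.0),
        Event("transfer", "biz-1", "dev-office-1", tue.replace(hour=9, minute=10), "Unknown Ltd", 12_000.0),
        Event("login", "biz-1", "dev-cafe-9", tue.replace(hour=23, minute=30)),
        Event("transfer", "biz-1", "dev-cafe-9", tue.replace(hour=23, minute=35), "Acme Supplies", 500.0),
    ]
    history, actions = [], []
    for ev in events:
        decision = evaluate(ev, controls, history)
        actions.append(decision.action)
        history.append(ev)
    return actions


if __name__ == "__main__":
    print(run_sample())  # ['allow', 'allow', 'dual_auth', 'step_up', 'block']
```

Each layer records its own reason, so the reviewer who later handles the hold or the block sees every control that fired, not just the strictest one. The late-night transfer in the sample trips three layers at once (unknown device, outside the payment window, over the daily count), which is the point of the "layered" baseline: no single control has to be perfect for the transaction to be stopped.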
Final Thoughts….
http://www.LinkedIn.com/in/michaelmcevoy