The US Federal Financial Institutions Examination
Council has issued a fresh set of guidelines covering online
banking and measures banks should take to protect their customers.
As Charles Davis reports, the new rules – the latest in a wave of
regulations to hit US bankers – have not been universally well
Online bankers in the US are critical of the Federal
Financial Institutions Examination Council’s (FFIEC) new rules
detailing the measures financial institutions are expected to take
in order to protect internet banking customers from fraud and
misuse of their data.
While most observers praised the
FFIEC for trying to keep up with evolving fraud threats and for
adapting to emerging technologies, many questioned the time lag and
lack of attention paid to distinguishing between mobile and online
FFIEC, which prescribes standards
and principles for the US Federal Reserve Board, the Federal
Deposit Insurance Corporation, the National Credit Union
Administration, the Office of the Comptroller of the Currency and
the Office of Thrift Supervision, warned banks that the multi-factor
authentication methods now in common use are no longer adequate on
their own against the latest generation of attack software.
“Various complicated types of
attack tools have been developed and automated into downloadable
kits, increasing availability and permitting their use by less
experienced fraudsters,” the council wrote.
The guidelines, announced in June,
take effect in January 2012. From then on, banks, thrifts, credit
unions and other types of financial institutions overseen by FFIEC
agencies will be expected to meet or exceed the revised guidelines
and will be examined against them by FFIEC examiners.
According to the FFIEC, cybercrime
complaints have risen substantially each year since 2005,
particularly with respect to commercial accounts. In the third
quarter of 2009 alone, computer scams targeting commercial deposit
accounts cost US companies $120m.
The FFIEC’s report says adequate
behavioural monitoring would have stopped many recent frauds in
The guidelines state that institutions
should rely on more than one authentication method for online
banking customers and should consider providing different levels of
user authentication for different types of online banking
transactions.
Financial institutions should implement layered levels of online
security that are consistent with the risk presented by various
consumer transactions, the FFIEC added.
Layered security can include
advanced fraud detection and monitoring systems and the use of
debit blocks and other techniques to limit the amount that can be
withdrawn from an account at a given time. Enhanced controls over
the number of transactions allowed per day, the timing of any
payments, the recipients of those payments, and other account
activities can also be added.
Such layered controls may include
dual authorisation through different devices. An example might be a
requirement that a consumer applying online for a credit line
increase use a different channel (such as a home telephone) to
complete the application.
At some point in the process, the
applicant would receive an automated call from the card issuer
providing a PIN. The applicant would type the PIN into the online
application as an additional form of user authentication, to ensure
the user is who he claims to be.
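The out-of-band PIN step described above, written out as an added example for this article (it is not code from the FFIEC or from any bank): the server issues a short-lived PIN, a second channel delivers it, and the customer types it back into the online session. The five-minute lifetime, the three-attempt limit, the server key and the phone-channel stand-in function are assumptions chosen for the illustration.

```python
"""Out-of-band step-up verification of the kind the guidance describes:
the server issues a short-lived PIN, a second channel (a stand-in here for
the automated phone call) delivers it, and the customer types it back into
the online session. Added example for this article, not code from the
FFIEC or any bank; the key, time limit and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_TTL_SECONDS = 300        # assumed: a PIN is good for five minutes
MAX_ATTEMPTS = 3             # assumed: three wrong PINs void the challenge
SERVER_KEY = b"demo-key-not-for-production"  # assumed; use a managed secret


@dataclass
class Challenge:
    """Server-side state for one pending step-up; the PIN itself is not kept."""
    pin_digest: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(pin: str) -> bytes:
    # Keyed hash so a leaked table of challenges does not reveal live PINs.
    return hmac.new(SERVER_KEY, pin.encode(), hashlib.sha256).digest()


def issue_pin(now: float) -> tuple[Challenge, str]:
    """Create a challenge; returns the stored state and the PIN to send out-of-band."""
    pin = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
    return Challenge(_digest(pin), now + PIN_TTL_SECONDS), pin


def phone_channel_deliver(pin: str) -> str:
    """Stand-in for the automated call to the customer's registered number.
    The web session never displays the PIN; only the phone channel carries it."""
    return pin


def verify_pin(ch: Challenge, submitted: str, now: float) -> tuple[bool, str]:
    """Check a PIN typed into the online application: single use, time-boxed,
    attempt-limited, compared in constant time."""
    if ch.used:
        return False, "already-used"
    if now > ch.expires_at:
        return False, "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return False, "locked"
    ch.attempts += 1
    if not hmac.compare_digest(_digest(submitted), ch.pin_digest):
        return False, "locked" if ch.attempts >= MAX_ATTEMPTS else "mismatch"
    ch.used = True
    return True, "ok"


def demo() -> list[str]:
    """Walk through the happy path and each failure mode; returns the outcomes."""
    now = 1_700_000_000.0
    ch, pin = issue_pin(now)
    delivered = phone_channel_deliver(pin)
    wrong = "000000" if delivered != "000000" else "111111"
    out = [
        verify_pin(ch, wrong, now + 5)[1],         # mismatch, one attempt used
        verify_pin(ch, delivered, now + 10)[1],    # ok
        verify_pin(ch, delivered, now + 11)[1],    # already-used: replay rejected
    ]
    stale, pin2 = issue_pin(now)
    out.append(verify_pin(stale, pin2, now + PIN_TTL_SECONDS + 1)[1])  # expired
    ch3, pin3 = issue_pin(now)
    bad = "000000" if pin3 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        verify_pin(ch3, bad, now + 1)
    out.append(verify_pin(ch3, pin3, now + 2)[1])  # locked: even the right PIN fails
    return out


if __name__ == "__main__":
    print(demo())
```

The value of the second channel is only as good as its independence from the first: a PIN read back by the same malware-controlled browser that requested it proves nothing, which is why the example never returns the PIN into the web session and why the challenge is single-use and time-boxed.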
Other examples of controls include
limits on account activities, such as transaction value thresholds,
restrictions on payment recipients, number of transactions allowed
per day and allowable payment windows (such as allowing payments
only during normal business hours).
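The layered controls listed in the two passages above (value thresholds, daily count and total limits, payee restrictions, payment windows, plus the behavioural monitoring mentioned earlier) as one rule set run over a day of constructed payments. This is an added example for this article, not code from the FFIEC or from any bank; the policy values, the customer history and the sample transactions are all made up for the illustration.

```python
"""Layered transaction controls of the kind the guidance lists: a single-
payment threshold, daily count and total limits, a payee restriction, an
allowable payment window and a simple behavioural baseline. Added example
for this article, not code from the FFIEC or any bank; the policy values,
history and transactions are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time
from statistics import median


@dataclass
class Policy:
    per_txn_limit: float          # a single payment above this is blocked
    daily_total_limit: float      # cumulative outbound value per calendar day
    daily_count_limit: int        # velocity cap on payments per day
    allowed_payees: set[str]      # recipients the customer has pre-approved
    window: tuple[time, time]     # payments allowed only inside these hours
    baseline_multiplier: float    # flag amounts far above the customer's median


@dataclass
class Txn:
    ts: datetime
    payee: str
    amount: float


@dataclass
class Decision:
    action: str                                    # "allow", "review" or "block"
    reasons: list[str] = field(default_factory=list)


def evaluate(policy: Policy, history: list[Txn], today: list[Txn], txn: Txn) -> Decision:
    """Run every layer and keep every reason; the most severe outcome wins."""
    block, review = [], []
    same_day = [t for t in today if t.ts.date() == txn.ts.date()]
    if txn.amount > policy.per_txn_limit:
        block.append("amount exceeds per-transaction limit")
    if sum(t.amount for t in same_day) + txn.amount > policy.daily_total_limit:
        block.append("daily total limit exceeded")
    if len(same_day) + 1 > policy.daily_count_limit:
        block.append("daily transaction count exceeded")
    start, end = policy.window
    if not (start <= txn.ts.time() < end):
        block.append("outside allowed payment window")
    if txn.payee not in policy.allowed_payees:
        review.append("payee not pre-approved: dual authorisation required")
    usual = [t.amount for t in history]
    if usual and txn.amount > policy.baseline_multiplier * median(usual):
        review.append("amount far above customer's usual payments")
    if block:
        return Decision("block", block + review)
    if review:
        return Decision("review", review)
    return Decision("allow")


def run_sample() -> list[Decision]:
    """Constructed commercial-account profile and one day's payment attempts."""
    policy = Policy(5_000, 8_000, 4, {"ACME Supplies", "Payroll Co"},
                    (time(8, 0), time(18, 0)), 5.0)

    def d(h, m):
        return datetime(2011, 6, 28, h, m)

    # Prior payments (constructed); median is 1,250, so the baseline flag is 6,250.
    history = [Txn(datetime(2011, 5, 1, 9, 0), "ACME Supplies", a)
               for a in (900, 1100, 1250, 1300, 1400, 1000, 1250)]
    attempts = [
        Txn(d(9, 15), "ACME Supplies", 1_200),  # routine
        Txn(d(10, 5), "Unknown LLC", 1_500),    # new payee
        Txn(d(11, 30), "Payroll Co", 3_000),    # routine
        Txn(d(14, 0), "ACME Supplies", 4_000),  # would push the day over 8,000
        Txn(d(2, 30), "ACME Supplies", 400),    # small, but at 02:30
        Txn(d(15, 45), "Payroll Co", 7_000),    # over limit and far above baseline
    ]
    executed, decisions = [], []
    for txn in attempts:
        decision = evaluate(policy, history, executed, txn)
        decisions.append(decision)
        if decision.action == "allow":        # only executed payments count
            executed.append(txn)
    return decisions


if __name__ == "__main__":
    for dec in run_sample():
        print(dec.action, dec.reasons)
```

Two design points matter more than the individual thresholds. Hard limits (amount, total, count, window) block outright because a compromised session cannot argue its way past them, while judgement calls (new payee, unusual amount) go to review so a legitimate but unusual payment is held for dual authorisation rather than silently dropped. And every reason is retained even when one is enough to block, because the monitoring team investigating the case needs the whole picture, not just the first rule that fired.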
Institutions should “perform
periodic risk assessments considering new and evolving threats to
online accounts and adjust their customer authentication, layered
security, and other controls as appropriate in response to
identified risks”, the FFIEC said.
Institutions can use software that
blocks connections to web servers that have previously been
involved in fraudulent transactions, the FFIEC said. Customers
should also be made aware of fraud risks and the potential impact
of fraud on their accounts, the FFIEC added.
Another key component of the
guidelines is concerned with customer awareness and education.
Among other things, this will involve communicating to customers
the protections being provided to them and providing contact
information for customers wanting to report suspicious account
Bankers’ biggest concern is that
the language used to define multi-factor authentication is too
vague. Dating back to the 2005 guidance, the FFIEC says the concept
of authentication is broad and that, while the document describes
multi-factor authentication as using more than one method of
authentication, it does not give much clue as to what types of
authentication are
Critics also said the rules do
little to distinguish the security regimes needed to protect online
and mobile banking as distinct technologies. And while the updated
guidance addresses layered security in terms of detective and
corrective systems, the guidance ignores the concept of preventive
The guidelines were last revised in
2005, but things have changed considerably since.
Phishing, pharming, malware, and
other threats have become familiar elements of the e-banking
Consumer behaviour has also changed markedly since 2005, with
more US bank customers (36%) now favouring online banking than any
other channel (see pie chart above).