FFIEC Security Guidance

Federal Financial Institutions Examination Council (FFIEC)

If you use online banking, mobile banking, or other internet banking services as a consumer or as a business, you will be interested to know that six federal financial industry regulators have recently teamed up to make all of your personal and business accounts more secure.  New supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) will help banks strengthen their vigilance to assure that your accounts are properly secured and to make virtually all types of online transactions safer and more secure.

Consumer Guidance: Account Authentication & Online Banking
Multi-factor authentication and layered security are helping assure safe internet transactions for banks and their customers.

Business Guidance: Risk Assessment & Layered Security
New financial standards help banks and business account holders make online banking safer and more secure from account hijacking and unauthorized funds transfers.

Authentication: Understand the Factors
The authentication process is of vital importance to verify that YOU, and not someone who has stolen your personal identity or hijacked your corporate account, is conducting your online transactions.  Authentication usually involves one or more basic factors:

  • something the user KNOWS (such as a password or PIN)
  • something the user HAS (such as an ATM Card or Token)
  • something that the user IS (a biometric characteristic such as a fingerprint)

Single factor authentication uses one method.  Multi-factor authentication uses more than one method, and is a much stronger fraud deterrent.

Internal Assessments at Your Bank
The new supervisory guidance offers ways your bank can look for anomalies that could indicate fraud.  First Bank of Tennessee has conducted a comprehensive risk-assessment of it’s current methods with regards to the following:

  • changes in the internal and external threat environment
  • changes in the customer base adopting electronic banking
  • changes in the customer functionality offered through electronic banking, and
  • actual incidents of security breaches, identity theft, or fraud experienced by the institution or the industry.

Whenever an increased risk to your transaction security may warrant it, your bank will be able to conduct additional verification procedures or layers of control such as:

  • utilizing call back (voice) verification, email approval, or cell phone based identification
  • employing customer verification procedures
  • analyzing banking transactions to identify suspicious patterns
  • establishing dollar limits that require manual intervention to exceed a preset limit

Your Protections Under “Reg E”
Banks are required to follow specific rules issued by the Federal Reserve Board, known as Regulation E, for electronic transactions.  Reg E covers all kinds of situations revolving around transfers made electronically.  Under the consumer protections provided under Reg E, you can recover internet banking losses according to how soon you detect and report them.

What the Federal Rules of Reg E require:
If you report the losses within two (2) days of receiving your statement, you can be liable for the first $50.  After two (2) days, the amount you can be liable for increases to $500.  After sixty (60) days, you could be liable for the full amount.  Details of your rights are included on each account statement.

Customer Vigilance!
Knowing how fraudsters may try to trick you and understanding the risks is critical to safe online banking.  You can take further steps to protect yourself and make your computer safer by installing and regularly updating:

  • anti-virus software
  • anti-malware programs
  • firewalls on your computer
  • operating system patches and updates

Additional steps include:

  • create strong complex passwords that contain both CAPITAL and small letters, numbers and any allowed special characters
  • if you think you may have visited a website with malware or if you think your computer may be infected with a virus, do not access your online banking or other sensitive logins until you have scanned your computer and know it is is clean and virus free

You can also learn  more by watching our online tutorials on our Online Education Center and by visiting the sites recommended and listed to the right side of your screen.

Understand the Risks
FFIEC studies show significant increase in cyber threats.  Not only do fraudsters continue to deploy  more sophisticated methods to compromise security measures, they now manufacture computer hacking kits to sell illegally to less experienced fraudsters.

Corporate Account Takeover (CAT)
Corporate Account Takeovers have increased every year, representing losses of hundreds of millions of dollars.  When a Corporate Account Takeover (CAT) occurs, legitimate login credentials are stolen by computer hackers, and fraudulent transfers (ACH or Wire Transers) are completed before the business account owner knows what happened.

Layered Security for Increased Safety
Layered security is characterized by the use of different controls at different points in a transaction process, so that a weakness in one control area is compensated by a strength in another control area.

Layered security can substantially strengthen the overall security of online transactions by protecting sensitive customer information, preventing identity theft, and reducing account takeovers with their resulting financial losses.

Added layers of security allow your bank to authenticate customers and detect and respond to suspicious activity related to initial login and then reconfirm this authentication when further transactions involve transfers of funds or higher risk actions.

Examples of Layered Security for Businesses
For business accounts, layered security can include enhanced controls for system administrators who are granted privileges to set up or change system configurations, and control access privileges and application functions or limitations for their own staff and users.   Added layers can include:

  • fraud detection and monitoring systems that include consideration of your transaction history and behavior
  • dual customer authorization through different access devices
  • out-of-band verifications for certain transactions
  • “Positive Pay” debit blocks or other techniques that limit transactions
  • transaction value thresholds that restrict the number or amount of transactions for a set time frame
  • Internet Protocol (IP) reputation-based tools
  • policies and procedures for addressing customer devices that have been potentially compromised, or for detecting customers who may be facilitating fraud
  • account maintenance controls over activities performed online or through customer service channels.

Recommendations for Business Accounts

  • conduct periodic assessments of internal controls
  • use layered security for system administrators
  • initiate enhanced controls over high-dollar transactions
  • provide increased levels of security as transaction risk increase

If You Have Suspicions
If you notice suspicious activity within your account or experience a security related event (such as loss of token, compromised PIN or Password, known or suspected infection of computer or network by viruses or malware, etc) please contact your bank immediately, and you will be quickly and courteously directed to a customer service representative who can assist you with these matters.