In July 2011, the Federal Financial Institutions Examination Council (FFIEC) published a supplement to its 2005 guidance, “Authentication in an Internet Banking Environment.” The supplement notes that Internet fraud has become markedly more sophisticated in the intervening years:
“Since 2005, there have been significant changes in the threat landscape. Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts. Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls. . . . Cyber crime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts. Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.”
To stop this rising tide of fraud, financial institutions need to strengthen their anti-fraud defenses, educate their customers, and become more effective overall at combating fraud. The FFIEC supplement offers general guidelines for doing so.
What new guidelines does the FFIEC propose?
First, “financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers’ online accounts.”
Second, “financial institutions should implement more robust controls as the risk level of the transaction increases.” Because they typically hold fewer funds and move money in smaller amounts, retail banking accounts generally carry less risk than commercial banking accounts, which the supplement singles out for the most robust controls. But both types of account need more effective security than they have today.
To implement new “robust controls,” institutions should take a layered approach to security.
“Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Layered security can substantially strengthen the overall security of Internet-based services and be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.”
Layered security can include such measures as stronger authentication, anomaly detection that compares each transaction against the customer’s normal activity, out-of-band verification of high-risk transactions, IP-address blacklists that block connections from addresses known to be involved in fraud, and challenge questions that are harder to research or guess than the basic ones in common use.
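As an added illustration of how such layers combine (example code written for this page, not part of the FFIEC supplement or any institution’s system), the Python below scores a funds-transfer request with several independent controls and escalates to out-of-band verification or a block as the risk score rises. The customers, devices, IP addresses, history and control weights are all constructed for the example, and the anomaly check shows the two edge cases a real implementation has to handle: a customer with almost no history, and one whose history has no variance at all.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample data for this example; hypothetical, not from the FFIEC
# supplement or any real institution. Addresses are RFC 5737 documentation ranges.
IP_BLACKLIST = {"203.0.113.7", "198.51.100.23"}

@dataclass
class Customer:
    account_id: str
    account_type: str          # "retail" or "commercial"
    known_devices: set
    usual_countries: set
    past_transfers: list       # recent transfer amounts; the anomaly-detection baseline

@dataclass
class TransferRequest:
    customer: Customer
    src_ip: str
    device_id: str
    country: str
    amount: float
    payee_known: bool

def amount_anomaly_score(history, amount):
    """How far `amount` sits above the customer's usual transfers, in standard deviations.
    Edge cases: a short history is treated as moderately unusual rather than trusted,
    and a flat history (zero variance) falls back to a ratio so a 10x jump is not scored 0."""
    if len(history) < 3:
        return 2.0
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if amount <= mu else amount / mu
    return (amount - mu) / sigma

# Each layer is an independent check with its own weight. None of them is
# sufficient alone; together they compensate for each other's blind spots.
def evaluate_layers(req):
    c = req.customer
    findings = []
    if req.src_ip in IP_BLACKLIST:
        findings.append(("ip_blacklist", 100))   # a hard stop on its own
    if req.device_id not in c.known_devices:
        findings.append(("unknown_device", 30))
    if req.country not in c.usual_countries:
        findings.append(("unusual_country", 25))
    if amount_anomaly_score(c.past_transfers, req.amount) >= 3.0:
        findings.append(("amount_anomaly", 50))
    if not req.payee_known:
        findings.append(("new_payee", 20))
    return findings

def decide(req):
    """Sum the layer findings and map the score to allow / step-up / block.
    Commercial accounts use a lower step-up threshold: more robust controls as the
    risk level of the transaction rises, as the supplement asks."""
    findings = evaluate_layers(req)
    score = sum(weight for _, weight in findings)
    step_up_at = 30 if req.customer.account_type == "commercial" else 45
    if score >= 100:
        action = "block"
    elif score >= step_up_at:
        action = "step_up_oob"   # e.g. one-time code to the registered phone, confirming payee and amount
    else:
        action = "allow"
    return action, score, [name for name, _ in findings]

# Constructed sample customers and requests (hypothetical).
RETAIL = Customer("R-1001", "retail", {"dev-A"}, {"US"}, [120, 80, 150, 95, 110, 130])
COMMERCIAL = Customer("C-2002", "commercial", {"dev-X"}, {"US"}, [5000, 7000, 6500, 8000, 5500])

SAMPLE_REQUESTS = {
    "routine":                   TransferRequest(RETAIL, "192.0.2.10", "dev-A", "US", 100, True),
    "new_device_new_payee":      TransferRequest(RETAIL, "192.0.2.10", "dev-B", "US", 100, False),
    "trusted_device_big_amount": TransferRequest(RETAIL, "192.0.2.10", "dev-A", "US", 5000, True),
    "blacklisted_ip":            TransferRequest(RETAIL, "203.0.113.7", "dev-A", "US", 100, True),
    "commercial_new_device":     TransferRequest(COMMERCIAL, "192.0.2.10", "dev-Y", "US", 6000, True),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:28s} -> {decide(req)}")
```

Two of the sample requests show the compensating-control idea directly: the 5,000 transfer from a trusted device passes the device check but is caught by the anomaly layer, and the same unknown-device login that a retail account would allow sends a commercial account to out-of-band verification because its threshold is lower. The blacklisted address is blocked regardless of what the other layers say.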
The trick, of course, is not only to strengthen security, but to do so in a way that improves the customer’s experience.
At the same time that financial institutions are going back to the drawing board on Internet security, they’re trying to appeal to the changing marketplace of online services. Users are more Internet-savvy. They’re connecting from multiple devices, including smartphones and tablets. And they’re accustomed to fast, easy-to-use services for getting directions, selecting restaurants, booking hotels and, why not, banking. Life now moves at Internet speed. Users are impatient. And they’re not terribly loyal to any particular brand or institution.
How should financial institutions proceed? Here are some thoughts:
While layering on new defenses, look for ways to streamline or simplify customer interactions and business workflows.
A good first step is to benchmark your existing workflows, so that throughout the design process you have a well-understood performance standard to meet or exceed. How many steps are involved in your current authentication process? How long does it take for a typical user to perform them? Does the performance vary on a mobile device? Can you make it even easier—and more secure—for a customer to apply for an account and start banking?
By establishing efficiency as a design goal, financial institutions can deliver better customer experiences even while reducing fraud and complying with the FFIEC’s more rigorous authentication guidelines.
To learn more about Accelerated Insight, our real-time identity verification service for financial institutions, please contact us.