Federal banking regulators on Tuesday updated their 2005 guidance about authentication for Internet banking. Officially a supplement to the original guidance, the new document addresses social media, malware, and other security issues that have cropped up in recent years. It also allows financial institutions about seven months to comply.
The supplement, however, does not mention the word “mobile” even though mobile banking is ramping up quickly and mobile payments are the subject of intense development by banks, technology vendors, payment processors, and networks.
Julie Conroy McNelley, a senior analyst at Boston-based Aite Group LLC, says the lack of guidance specifically about the mobile channel is a “glaring omission.” She notes that the types of transactions the Federal Financial Institutions Examination Council (FFIEC) defines as subject to its guidance for Internet authentication are the same as those that flow through mobile channels. “They’ve missed the opportunity to address those channels,” Conroy McNelley tells Digital Transactions News.
A spokesperson for the Federal Reserve, however, counters that it is inaccurate to say the guidelines don’t cover the mobile channel. “Both the 2005 FFIEC Authentication in an Internet Banking Environment guidance and the June 2011 Supplement address all electronic-banking delivery channels, including mobile banking,” she says by e-mail. The Fed is one of the five agencies under the FFIEC’s umbrella.
And a spokesperson for the National Credit Union Administration says that mobile banking is getting more attention from regulators. “Agencies have formed a mobile-banking working group recently,” the spokesperson tells Digital Transactions News by e-mail. “The working group is in the process of enhancing draft mobile-banking guidance. It will take a while to finalize the guidance.”
Besides the Fed and the NCUA, the FFIEC’s other member agencies are the U.S. Treasury Department’s Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., and the Office of Thrift Supervision, as well as a liaison committee of state financial regulators.
With the need for the agencies to reach agreement on major issues, Conroy McNelley surmises that mobile banking might have been too big a topic for the FFIEC to tackle separately while still getting its much-anticipated update to Internet-banking authentication guidance out in a timely manner. A draft of the FFIEC’s supplement briefly leaked about six months ago on the NCUA’s Web site. “To open it up and to incorporate a completely new concept into something like that probably would have taken longer, and they wanted to get it out because it’s a pressing issue,” she says.
Tuesday’s supplement sets forth common issues that examiners from the various agencies are to look for when they assess banks and credit unions for safety, soundness, and compliance with federal regulations. “The agencies are concerned that customer-authentication methods and controls implemented in conformance with the guidance several years ago have become less effective,” the 12-page document says.
The supplement says that in response to the 2005 guidance, many financial institutions implemented simple device identification by using cookies, or small data files loaded onto the customer’s personal computer or laptop, to confirm in an online session that the device is the one the customer enrolled and that it matches the original log-on identification and password. “However, experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer,” the supplement says. Fraudsters also have learned to evade the geo-location systems and Internet Protocol address-matching systems some financial institutions use. Thus, more complex identification systems would reduce risk, the supplement says.
Regulators also note that social media have undercut the effectiveness of challenge questions used for online-banking authentication. “These questions can often be easily answered by an impostor who knows the customer or has used an Internet search engine to get information about the customer (e.g., mother’s maiden name, high school the customer graduated from, year of graduation from college, etc.),” the supplement says. “In view of the amount of information about people that is readily available on the Internet and the information that individuals themselves make available on social-networking Web sites, institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk-mitigation technique.”
More sophisticated “out-of-wallet” questions that do not rely on publicly available information would provide more security, as would a greater number of questions, according to the FFIEC. The supplement also addresses the rise of malicious software (malware) and reviews several technologies for thwarting it. The supplement does not order the use of any one technology, noting that none is perfect. Instead, it strongly recommends “layered” security systems that use a variety of authentication systems. “Overall, the agencies agree with security experts who believe that institutions should no longer rely on one form of customer authentication,” the supplement says.
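The layered approach the supplement calls for, as an added illustration that is not code from the FFIEC document or from the article: a device cookie is treated as one signal among several rather than as proof of identity on its own, so a recognised token that arrives from an unfamiliar browser or network, or alongside a high-value transaction, raises the session's risk score and triggers step-up authentication. User names, tokens, addresses and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class EnrolledDevice:
    token: str       # value stored in the device-identification cookie
    user_agent: str  # browser string seen at enrollment
    net_prefix: str  # first three octets of the enrollment IP (constructed /24 match)

@dataclass
class LoginAttempt:
    user: str
    token: Optional[str]
    user_agent: str
    ip: str
    amount: float    # requested transfer amount, 0.0 for a read-only session

# Constructed enrollment record; a real system would keep this server-side.
ENROLLED = {
    "alice": EnrolledDevice("dev-7f3a", "Mozilla/5.0 (Windows NT 6.1)", "203.0.113"),
}

def risk_score(a: LoginAttempt) -> Tuple[int, List[str]]:
    """Combine independent signals; no single one decides the outcome."""
    score, reasons = 0, []
    dev = ENROLLED.get(a.user)
    if dev is None or a.token != dev.token:
        score += 40; reasons.append("device token unrecognised")
    else:
        # A copied cookie usually surfaces with a different browser or network,
        # which is exactly what a cookie-only check cannot see.
        if a.user_agent != dev.user_agent:
            score += 25; reasons.append("known token, different user agent")
        if not a.ip.startswith(dev.net_prefix + "."):
            score += 25; reasons.append("known token, different network")
    if a.amount >= 5000.0:
        score += 30; reasons.append("high-value transaction")
    return score, reasons

def decide(a: LoginAttempt) -> str:
    """allow: low risk; step_up: require an additional factor; block: hold for review."""
    score, _ = risk_score(a)
    if score >= 60:
        return "block"
    if score >= 25:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    replayed = LoginAttempt("alice", "dev-7f3a", "Mozilla/5.0 (X11; Linux)", "198.51.100.7", 0.0)
    print(decide(replayed), risk_score(replayed)[1])
```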
Aite Group’s Conroy McNelley says that in contrast to the 2005 guidance, which she calls “way too vague,” the FFIEC struck the right balance in the supplement by pointing out effective technologies without being prescriptive. (The original guidelines were so vague that the feds issued a clarification in 2006.) The regulators also are right in calling for better fraud monitoring by financial institutions, she says.
Depending on the robustness of their current authentication systems, however, many banks and credit unions might have a difficult time meeting the regulators’ enhanced expectations by January, the date by which the FFIEC says examiners are supposed to address the issues laid out in the supplement. “That, I think, is a little unrealistic,” Conroy McNelley says.