Lessons from FFIEC Authentication Exam: Bank's Takeaways: Focus on Security, Not Just Conformance
Preparing a strategy for addressing specific risks, rather than focusing on check-box compliance, is the best way to get ready for a regulatory review assessing conformance to the FFIEC Authentication Guidance. That's the advice from one executive at a California community bank that recently went through its exam.
In reviewing conformance with the Federal Financial Institution Examination Council's updated Authentication Guidance, examiners focused on specific risks the bank faced, as well as technology investments completed or planned to address those risks, says Denise Burris, the information services manager at First Northern Bank of Dixon, a $793 million institution.
To address its greatest area of risk - the security gaps manual reviews pose for detection of fraud in online and batched ACH transactions - the bank is investing in a behavioral analytics system that detects transactional anomalies, Burris says. FNB also plans to invest in a similar system for ACH transactions, which will address anomalies in batched files.
And to address authentication and customer education enhancements called for in the guidance, the bank plans to implement out-of-band authentication; stronger challenge questions; and an enhanced customer education program.
Burris advises other organizations preparing for an FFIEC review to:
- Know that examiners are primarily interested in how banks are using technology and policies that truly improve fraud detection and security;
- Explain the results of risk assessments and how new risks will be gauged;
- Be prepared to demonstrate to examiners that the institution understands the guidance;
- Understand how the guidance's recommendations connect to anti-fraud investments;
- Avoid focusing solely on authentication.
In July, the bank received a satisfactory report from the Federal Deposit Insurance Corp., its regulatory agency, based on the review. Burris stresses that examiners were interested in understanding the efficacy of the bank's long-term security strategy, rather than determining that the bank was trying to comply with specific guidance recommendations.
"They were interested in where we were with the guidance, our knowledge of the guidance and our interpretation of the guidance," Burris says. "So we had discussions about our plans going forward and what we have in place now."
In its updated guidance, the FFIEC calls for several areas for improvement, among them: ongoing risk assessments, layered security controls, stronger user authentication practices and enhanced customer/member education initiatives.
FNB has never experienced an incident of corporate account takeover or any other type of online fraud event. But Burris says the bank realized it was time to enhance security and address specific risks - namely risks posed by the bank's continued reliance on manual fraud-detection processes.
In November, FNB implemented FraudMap Online-Business, a behavioral analytics system from Guardian Analytics. The application addresses the specific risks of business accounts with multiple online users.
Burris says FraudMap has enabled FNB to establish profiles for each of its business accounts. The application focuses on user-session behavior - common IP addresses, typical times of day when accounts are accessed, transaction behavior patterns, failures at log-in and modifications to account access rights.
FNB launched FraudMap with six months of customer data. Going forward, transactional and account history will continue to be built into the behavioral profile to improve potential fraud detection, she says.
"Since our launch, we have detected logins from different IP addresses," Burris says. "We also detected one first-time user who had logged in just after opening the account to immediately schedule a wire transfer. That's a transaction that could signal fraud, but we would not have picked up on that had we not had the system. It really gives us a different way of looking at the data."
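The profile-based detection Burris describes (known IP addresses, typical hours, login failures, access-rights changes, and a payment scheduled by a user with no login history) can be sketched as a small scoring routine. The block below is an added illustration written for this article, not Guardian Analytics' FraudMap code; the event fields, history rows and weights are constructed assumptions, not values from the bank's system.

```python
"""Per-account behavioral profile for online-banking sessions (added example).

Not FraudMap code. Event tuples are (account, user, ip, iso_timestamp, kind);
the field layout and the scoring weights are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed session history used to seed the profiles (stand-in for the
# six months of customer data the bank loaded at launch).
HISTORY = [
    ("ACME", "alice", "203.0.113.10", "2012-03-05T09:15:00", "login_ok"),
    ("ACME", "alice", "203.0.113.10", "2012-03-06T09:40:00", "login_ok"),
    ("ACME", "bob",   "203.0.113.11", "2012-03-06T14:05:00", "login_ok"),
    ("ACME", "alice", "203.0.113.10", "2012-03-07T10:02:00", "payment_scheduled"),
    ("ACME", "bob",   "203.0.113.11", "2012-03-08T15:30:00", "login_ok"),
]

REVIEW_THRESHOLD = 3  # constructed; a real deployment tunes this per customer base


def _empty_profile():
    return {"ips": set(), "hours": Counter(), "users": set()}


def build_profiles(history):
    """Aggregate per-account behaviour: IPs seen, hours of activity, users who have logged in."""
    profiles = defaultdict(_empty_profile)
    for account, user, ip, ts, kind in history:
        p = profiles[account]
        p["ips"].add(ip)
        p["hours"][datetime.fromisoformat(ts).hour] += 1
        if kind == "login_ok":
            p["users"].add(user)
    return profiles


def score_event(profiles, event, recent_failures=0):
    """Score one new event against its account's profile.

    Returns (score, reasons). recent_failures is the count of failed logins
    immediately preceding this event (assumed to be supplied by the caller).
    """
    account, user, ip, ts, kind = event
    p = profiles.get(account, _empty_profile())  # brand-new account: empty profile
    score, reasons = 0, []
    if ip not in p["ips"]:
        score += 2
        reasons.append("ip never seen for this account")
    hour = datetime.fromisoformat(ts).hour
    if p["hours"] and hour not in p["hours"]:
        score += 1
        reasons.append("outside typical hours")
    if recent_failures >= 3:
        score += 2
        reasons.append(f"{recent_failures} failed logins before this event")
    if kind == "access_rights_modified":
        score += 2
        reasons.append("user access rights changed")
    if kind in ("wire_scheduled", "payment_scheduled") and user not in p["users"]:
        score += 3
        reasons.append("payment scheduled by user with no login history")
    return score, reasons


def events_for_review(profiles, events, threshold=REVIEW_THRESHOLD):
    """Return the events whose score reaches the review threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(profiles, event)
        if score >= threshold:
            flagged.append((event, score, reasons))
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed new events: a routine login and the article's first-time-user wire.
    new_events = [
        ("ACME", "alice", "203.0.113.10", "2012-03-09T09:30:00", "login_ok"),
        ("NEWCO", "carol", "198.51.100.9", "2012-03-09T11:00:00", "wire_scheduled"),
    ]
    for event, score, reasons in events_for_review(profiles, new_events):
        print(score, event[0], event[1], "; ".join(reasons))
```

The point the example makes is the one Burris makes: a first login followed immediately by a wire scores high not because any single field is wrong, but because the account has no history against which the action looks normal. A reviewer gets the reasons alongside the score, which is what makes the alert actionable rather than a bare number.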
Burris says the examiners quizzed FNB executives about their use of the technology as well as its plans to implement FraudMap ACH, a complementary application that provides anomaly detection for the ACH payments.
The technology, which uses behavioral analytics to monitor ACH file origination, should help the bank improve its ability to automatically identify suspicious or unexpected batched transactions and/or modified line items, Burris says. The bank expects to implement the application by year's end.
For now, FNB continues to manually review batched transactions. "The customer e-mails us to tell us the total amount of the batch," Burris says. But with hundreds of transactions in one batched file, she says, it's impossible to catch everything with a manual review.
With FraudMap, the review of ACH files will be completely automated, detecting if any payees, for instance, have been changed or if line-item amounts in the batch are atypical.
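The two checks named here, changed payees and atypical line-item amounts, plus the batch-total check the bank currently does by e-mail, can be expressed as a comparison of a new ACH file against the originator's prior batches. The block below is an added example for this article, not FraudMap ACH code; the payee identifiers, account numbers, amounts and the 25% tolerance are constructed assumptions.

```python
"""Review an ACH batch against an originator's prior batches (added example).

Not FraudMap ACH code. Line items are (payee_id, account_number, amount);
all identifiers and amounts below are constructed.
"""
from statistics import median

# Constructed prior payroll batches from one originator.
PRIOR_BATCHES = [
    [("EMP001", "111222333", 2500.00), ("EMP002", "444555666", 3100.00), ("EMP003", "777888999", 1800.00)],
    [("EMP001", "111222333", 2500.00), ("EMP002", "444555666", 3150.00), ("EMP003", "777888999", 1800.00)],
    [("EMP001", "111222333", 2550.00), ("EMP002", "444555666", 3100.00), ("EMP003", "777888999", 1850.00)],
]


def build_baseline(batches):
    """Per-payee history: the account number last used and every amount paid."""
    baseline = {}
    for batch in batches:
        for payee, acct, amount in batch:
            entry = baseline.setdefault(payee, {"account": acct, "amounts": []})
            entry["account"] = acct  # most recent account number wins
            entry["amounts"].append(amount)
    return baseline


def review_batch(baseline, batch, stated_total=None, tolerance=0.25):
    """Return a list of (finding, payee) tuples; an empty list means nothing unusual.

    stated_total is the total the customer reported out of band (the e-mailed
    figure in the article); tolerance is the fraction by which a line item may
    differ from the payee's median before it is flagged (assumed value).
    """
    findings = []
    if stated_total is not None:
        actual = round(sum(amount for _, _, amount in batch), 2)
        if abs(actual - stated_total) > 0.005:
            findings.append(("batch_total_mismatch", None))
    for payee, acct, amount in batch:
        hist = baseline.get(payee)
        if hist is None:
            findings.append(("new_payee", payee))
            continue
        if acct != hist["account"]:
            findings.append(("account_changed", payee))
        typical = median(hist["amounts"])
        if abs(amount - typical) > tolerance * typical:
            findings.append(("atypical_amount", payee))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(PRIOR_BATCHES)
    # Constructed incoming batch: one payee's account number changed, one payee added,
    # while the customer's e-mailed total still reflects the usual three line items.
    incoming = [
        ("EMP001", "999000111", 2500.00),
        ("EMP002", "444555666", 3100.00),
        ("EMP003", "777888999", 1800.00),
        ("EMP004", "123123123", 4200.00),
    ]
    for finding, payee in review_batch(baseline, incoming, stated_total=7400.00):
        print(finding, payee or "")
```

Note that the e-mailed total alone would catch the added payee but not the changed account number on EMP001, since that line's amount is unchanged; the per-payee comparison is what surfaces it. That is the gap between "the customer tells us the total" and an automated line-item review.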
FNB manages 112 commercial accounts, 60 of which run batched payroll transactions through the bank. Additionally, FNB has more than 850 users within the companies that own those accounts. So at any time, numerous users could be accessing accounts and scheduling payments.
"We are a small community bank, and we knew we really needed more of an automated product to cover our processes sufficiently," she says. "We know the threats aren't going away, and there is only so much you can do to educate your customers."
Customer education is a focus for the bank, Burris says, but it wasn't the priority.
"As you learn more about the threats, you have to make some sort of move, and you know your businesses are not going to do enough to protect themselves," she says. "The bank can try to monitor the customers and ensure that they have firewalls and other protections in place, but at the end of the day, the bank has to be prepared as best it can."
Burris says FNB was concerned about conformance, but enhanced security was the goal. And examiners were satisfied with that approach.
"As we explained, it was a business decision for us," Burris says. "Our businesses expect us to cover some of that fraud if it occurs, which could be a huge loss. And even if we covered a loss, we could run the risk of losing the client. We have not had any account takeovers in the past, but we consider ourselves lucky. Many banks and credit unions our size have been hit."
The FDIC is not expected to visit FNB again until next May, when the bank is scheduled to undergo its IT exam.
For now, FNB is moving forward with its plans to implement out-of-band authentication using a one-time PIN; out-of-wallet challenge questions; and customer education. The bank is working with its online banking platform provider, ACI Worldwide, to help implement these technologies.
Burris says FNB is steering clear of hardware tokens for authentication. "We don't really like the management of the token process," she says. Instead, the bank is reviewing options for one-time authentication codes or PINs that are texted to a user's mobile phone.