FFIEC Internet Banking Authentication Supplement released - first impressions

by Kevin Bong
on Jun 29 in AssureIT 1 Comment

Yesterday the FFIEC released their update to the 2005 Online Banking Guidance - titled "Supplement to Authentication in an Internet Banking Environment".  Below are some first impressions.


As expected, the guidance focuses on Commercial online banking services.  This is because the majority of online banking fraud has occurred through Commercial banking platforms, which allow for higher risk transactions such as ACH and Wire.  The guidance suggests that FIs "recognize and address the fact that not every online transaction poses the same level of risk.  Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases."  They go on to suggest that layered security is appropriate for consumer access (I read into this that they do not seem to expect strong multifactor authentication for consumer access) but multifactor is recommended for Commercial platforms.

The guidance goes into some depth on detecting and responding to suspicious activity, noting that much of the fraud that has been seen could have been prevented by monitoring transactions and identifying activities that are anomalous “compared to the customer’s established patterns of behavior”.  This was a very interesting statement to me.  In an upcoming blog post I’ll go into some detail on transaction monitoring, but at a high level here are some of the things being done today:

  • Heuristic/threshold based transaction monitoring and alerting.  This capability is often built into the online banking or back-end core application.  In this mode thresholds are generally set manually per customer, or set the same for all customers.  If a transaction falls outside this range (frequency, timing, dollar amount, etc.) it generates an alert.  This falls short of the “compared to the customer’s established patterns of behavior” standard – thresholds are set loosely enough to reduce false positives, and as a result bad stuff gets through.
  • Look at patterns that do/don’t match normal customer behavior.  This capability is available from third parties such as Guardian Analytics.  In this mode the online banking application’s transaction logs are continuously monitored, and a database of “normal” user behavior is established with patterns unique to each user.  This gets closer to comparing transactions to established behavior patterns, but still leaves some room for false positives.  As a result it becomes less of a “block bad transactions” control and more of a daily manual effort to research all the transactions that are flagged as abnormal for that user.  In addition, if the monitoring service is provided by a third party to the core or online banking provider, the monitoring service may be limited in the amount and quality of data available for analysis.
  • Look at patterns that match typical banking Trojan behavior.  This capability is also available from third parties such as Silver Tail.  This type of software monitors web traffic or log files as well, but looks at each transaction for indicators that it is more likely to originate from a banking Trojan than from an authorized user.  The software looks at the velocity/frequency of transactions, the path taken through the site, and other triggers that could indicate a virus is at work.  This approach too has a pretty large capacity for false positives and for missing true malicious events, and can create a daily research and response burden on the FI.
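To make the difference between the first two approaches concrete, here is a small added example (my own illustration, not code from the post or from any vendor it names) that screens a constructed batch of transactions two ways: once with a single fixed dollar limit, and once against a per-customer baseline built from that customer's own history. Every customer, amount, hour and recipient below is constructed sample data, and the limits, the minimum history size and the z-score cut-off are assumptions. It also handles the edge case a baseline approach has to deal with: a customer with no history yet.

```python
"""Threshold-based alerting versus a per-customer behavioral baseline.

Added example (not code from the post or from any vendor named in it).
All customers, amounts, hours and recipients below are constructed
sample data; the limits are illustrative assumptions.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Txn = namedtuple("Txn", "customer kind amount hour recipient")

# Constructed history: each customer's "established pattern of behavior".
HISTORY = [
    Txn("acme", "ACH", 4200.0, 10, "payroll-vendor"),
    Txn("acme", "ACH", 4100.0, 11, "payroll-vendor"),
    Txn("acme", "ACH", 4350.0, 10, "payroll-vendor"),
    Txn("acme", "ACH", 4000.0, 9, "payroll-vendor"),
    Txn("acme", "ACH", 4250.0, 10, "payroll-vendor"),
    Txn("bigco", "WIRE", 48000.0, 14, "supplier-a"),
    Txn("bigco", "WIRE", 51000.0, 15, "supplier-b"),
    Txn("bigco", "WIRE", 49500.0, 13, "supplier-a"),
    Txn("bigco", "WIRE", 50500.0, 14, "supplier-c"),
    Txn("bigco", "WIRE", 50000.0, 14, "supplier-b"),
]

# Constructed batch of new transactions to screen.
NEW_BATCH = [
    Txn("acme", "WIRE", 9500.0, 3, "new-offshore-acct"),   # out of pattern for acme
    Txn("bigco", "WIRE", 52000.0, 14, "supplier-a"),        # routine for bigco
    Txn("newcorp", "WIRE", 12000.0, 10, "vendor-x"),        # customer with no history
]

GLOBAL_LIMIT = 10000.0   # assumed one-size-fits-all dollar threshold
MIN_HISTORY = 5          # assumed minimum records before trusting a baseline
Z_LIMIT = 3.0            # assumed z-score cut-off for "far outside range"


def threshold_alerts(txns, limit=GLOBAL_LIMIT):
    """Heuristic mode: one fixed limit for every customer."""
    return [t for t in txns if t.amount > limit]


def build_baselines(history):
    """Per-customer profile: amounts seen, recipients, transaction types, hours."""
    profiles = defaultdict(lambda: {"amounts": [], "recipients": set(),
                                    "kinds": set(), "hours": set()})
    for t in history:
        p = profiles[t.customer]
        p["amounts"].append(t.amount)
        p["recipients"].add(t.recipient)
        p["kinds"].add(t.kind)
        p["hours"].add(t.hour)
    return dict(profiles)


def baseline_alerts(txns, profiles, limit=GLOBAL_LIMIT):
    """Behavioral mode: compare each transaction with its own customer's pattern.

    Returns a list of (txn, reasons).  A customer with too little history has
    no usable baseline, so the fixed threshold is applied to it instead.
    """
    alerts = []
    for t in txns:
        p = profiles.get(t.customer)
        reasons = []
        if p is None or len(p["amounts"]) < MIN_HISTORY:
            if t.amount > limit:
                reasons.append("no baseline yet; fixed threshold exceeded")
        else:
            avg = mean(p["amounts"])
            # Floor the spread so a very regular customer is not flagged for
            # trivial variation and a zero spread cannot divide by zero.
            spread = max(pstdev(p["amounts"]), 0.05 * avg) or 1.0
            if abs(t.amount - avg) / spread > Z_LIMIT:
                reasons.append("amount far outside established range")
            if t.recipient not in p["recipients"]:
                reasons.append("new recipient")
            if t.kind not in p["kinds"]:
                reasons.append("new transaction type")
            if t.hour not in p["hours"]:
                reasons.append("unusual hour")
        if reasons:
            alerts.append((t, reasons))
    return alerts


if __name__ == "__main__":
    print("threshold mode flags:", [t.customer for t in threshold_alerts(NEW_BATCH)])
    for t, why in baseline_alerts(NEW_BATCH, build_baselines(HISTORY)):
        print(f"baseline mode flags {t.customer}: {', '.join(why)}")
```

Run as a script, the fixed limit flags bigco's routine 52,000 wire (a false positive that someone has to research) and misses acme's 9,500 off-hours wire to a never-seen recipient, while the baseline mode flags acme on four separate grounds, leaves bigco alone, and falls back to the threshold for newcorp because it has nothing yet to compare against.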

Just like it took banks and service providers a number of years to get multifactor capabilities worked out and into their products after the initial FFIEC authentication guidance, I think it is again going to take them some time to ‘catch up’ and get adequate transaction monitoring capabilities made available.


I’m very pleased that the guidance highlights activities like control of administrative functions, additional authorization (separation of duties for creation and approval of transactions), and out of band authorization as important controls to consider.  While everyone is looking for a slick technology solution, we have good old-fashioned best practice process controls that could be put in place for virtually every high-risk transaction today.  In commercial online banking services it is the convenience that causes the risk…but maybe clients need to give up some convenience and, for example, require two employees to log in to authorize a new wire or a new ACH recipient.  The guidance reinforces this stance with the strong statement “since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions…”  How the regulators interpret this single statement could mean some pretty big changes for online commercial banking services.
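The process controls above are easy to state and easy to get subtly wrong, so here is an added example (mine, not from the post or the guidance) of a gate that an online banking application could put in front of a high-risk transaction: the employee who creates a request may not approve it, the approval must come from a separate login rather than the creator's session, and an out-of-band confirmation must be on record before execution. The request types, the user and session names, and the rule that creation and approval must come from distinct sessions are assumptions.

```python
"""Layered, process-level controls for a high-risk commercial transaction.

Added example, not from the post.  It encodes three controls the
supplement names: separation of duties (creator may not approve), a second
employee's independent login, and out-of-band authorization.  The request
kinds, roles and the "two distinct sessions" rule are assumptions.
"""
from dataclasses import dataclass, field

HIGH_RISK_KINDS = {"WIRE", "NEW_ACH_RECIPIENT"}   # assumed classification


@dataclass
class Request:
    kind: str
    amount: float
    created_by: str
    created_session: str                            # login session that created it
    approvals: list = field(default_factory=list)   # (user, session_id) pairs
    oob_confirmed: bool = False                     # e.g. phone call-back completed


def approve(req, user, session_id):
    """Record an approval, enforcing separation of duties."""
    if user == req.created_by:
        raise PermissionError("creator may not approve their own request")
    if session_id == req.created_session:
        raise PermissionError("approval must come from a separate login")
    if any(u == user for u, _ in req.approvals):
        raise PermissionError("duplicate approval by the same user")
    req.approvals.append((user, session_id))


def unmet_controls(req):
    """List the controls still missing before the request may execute.

    Low-risk requests need none; high-risk ones need every layer, so that no
    single compromised credential or channel is enough on its own.
    """
    if req.kind not in HIGH_RISK_KINDS:
        return []
    missing = []
    if not req.approvals:
        missing.append("second-employee approval")
    if not req.oob_confirmed:
        missing.append("out-of-band confirmation")
    return missing


def may_execute(req):
    return not unmet_controls(req)


if __name__ == "__main__":
    wire = Request("WIRE", 25000.0, created_by="alice", created_session="sess-1")
    print("missing:", unmet_controls(wire))
    approve(wire, "bob", "sess-2")          # a second employee, separate login
    wire.oob_confirmed = True               # call-back to a number on file
    print("may execute:", may_execute(wire))
```

The point of returning the list of unmet controls rather than a bare yes/no is operational: the application can show the creator exactly which step is outstanding, and the same list is what an auditor would want logged when a wire is released.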


The guidance is very narrow in scope, and I think the joint regulatory bodies are still behind with the current technology trends.  There could have been an opportunity to provide guidance for expectations around topics like mobile banking, remote deposit capture, and the Anti-Money Laundering implications of remote, online and mobile banking services. 

Comments

Aaron, Friday, 01 July 2011

I think the "slap" on the agencies for skipping out on "Mobile" and "current technology trends" is misguided. Do we really want them giving us a laundry list of exactly what we're supposed to do and how to do it? Most if not all Mobile products are conducted in an "online" fashion which means this guidance paper covers it. It's up to us to do the risk assessment and keep up with the technologies. How can a once-every-five-years guidance paper keep up?
Everyone.... this paper includes Mobile, it includes Audio, it includes quite frankly any access points your customers might use.

I've really enjoyed your blog though, thank you! I found it very helpful in setting up my assessment.
