FFIEC Supplement to Authentication in an Internet Banking Environment Guidance – What it Says, and How FraudMAP Online Applies

This page summarizes the Guidance Supplement issued in June 2011, and describes how Guardian Analytics FraudMAP® Online - a behavioral analytics solution that identifies suspicious online activity to prevent fraud - can enable financial institutions to meet key new regulatory expectations.

Also within this section, we've provided Resources that will help financial institutions understand their risks and learn about solutions available to help them achieve FFIEC compliance, and Industry Dialog that offers a summary of and links to helpful articles and commentary from across the industry on the updated guidance.

Summary of the Guidance Supplement

On June 28, 2011 the FFIEC released the supplement to its 2005 Authentication in an Internet Banking Environment guidance to establish updated supervisory expectations regarding authentication, layered security and more.

Background. The Supplement noted several factors that led to this update. Fraud threats have increased, including more sophisticated, effective, and malicious methods to compromise authentication mechanisms. Organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls, using more sophisticated techniques such as Man-In-the-Browser. And complex attack tools (e.g. Banking Trojans) are more widely available and used.

Current Controls are Ineffective. The result, using the Agencies' words, is that virtually every form of authentication can be compromised by today's threats and therefore is no longer effective for protecting online accounts and transactions. The Supplement goes further to comment on how device ID (cookies, IP address, geo-location), can also be "proxied," making them ineffective as a fraud defense, and that challenge questions can no longer be considered an effective risk mitigation technique (see pg 2 of the Supplement).

Updated Expectations. Unlike the 2005 Guidance, this Supplement is more specific and clear in setting expectations for what regulators will be looking for starting January 2012. The Supplement has four broad topics that financial institutions must now consider:

• Risk Assessments: Review and update risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months (see pg 3 of the Supplement).
• Add controls for business banking: Establish higher controls for higher-risk activities and transactions. In particular, implement more stringent controls over commercial banking as it has a higher level of risk than retail banking given higher account balances and transaction amounts (see pg 3-4 of the Supplement).

• Institute a layered security program: Must include at a minimum the ability to detect and respond to suspicious activity and improved control of administrative functions that are frequently manipulated in fraud attacks (see chart). Implement additional controls as dictated by risk assessment (see pg 4-5 of the Supplement).
• Enhance customer education: Increase awareness of the fraud risk and effective techniques that account holders can use to mitigate the risk (see pg 7-8 of the Supplement).

Guardian Analytics FraudMAP Online Can Help You Meet Updated FFIEC Expectations

Our company was founded on the idea that the best way to prevent online and mobile banking fraud is to do precisely what the FFIEC is prescribing - look for anomalous activity that is indicative of account takeover and fraud based on normal patterns of individual behavior. Somewhere between login and logout a criminal will do something unexpected or abnormal, at which point the institution can intervene and stop the attack before the money is gone.

The Guidance Supplement reinforces this when it adds, "transaction monitoring and anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior."

But what does it mean to "detect anomalous activity"?

To detect anomalous activity, FraudMAP Online uses behavioral analytics to monitor the online behavior of the individual account holder. FraudMAP Online evaluates all online activities during every online session for behavioral anomalies as compared to what is expected for each account holder based on their online banking history. Rather than solely looking for specific malware, fraud indicators or fraud patterns, all of which are changing rapidly, behavioral analytics determines if exhibited behavior is expected and legitimate, or suspicious. With this approach, FraudMAP Online can detect the widest array of new and emerging fraud attacks. (See graphic for how anomaly detection works to detect fraud.)

FraudMAP Online is the one solution you need to monitor for suspicious activities from login to logout, including:

• How, when and from where customers access their accounts
• Non-financial transactions (e.g. view balance, check images) including the frequency of activities and the kinds of activities that take place during the same session
• The types, frequency and amounts of payments, and who the payees are
• The velocity of activities and transactions
• Expected activities that did not occur

FraudMAP Online is a proven, cost-effective, easy-to-use solution for preventing online and mobile banking fraud. It's in use by more institutions than any other behavior-based solution. And because it's SaaS, it's easy and inexpensive to deploy.