While the proliferation of the Internet and electronic banking has provided bank customers with more flexibility and convenience, it has also created new opportunities for criminal activity, including identity theft, account fraud, and money laundering. These threats have created an environment in which financial institutions must establish policies and procedures to safeguard customer information and to verify the identities of new customers.
Financial institutions engaging in Internet banking must have adequate controls that provide effective and reliable methods for authenticating customers, in order to prevent money laundering, terrorist financing, fraud, and identity theft. The potential consequences of conducting business with unauthorized persons include financial loss and increased reputational risk arising from the improper disclosure of personal information, data corruption, fraud, or unenforceable agreements.
The Federal Financial Institutions Examination Council (FFIEC) has issued new interagency guidance in SR Letter 05-19, entitled Authentication in an Internet Banking Environment. The new guidance replaces the FFIEC’s Authentication in an Electronic Banking Environment issued in 2001, and it specifically addresses the need for risk-based assessments, security measures, and customer awareness to reliably authenticate customers using a financial institution’s Internet-based services. The guidance is pertinent to both retail and commercial customers, and financial institutions should use it when evaluating and implementing authentication systems, whether operated in-house or by a service provider. Financial institutions are expected to conform to these guidelines by year-end 2006.
There are a variety of technologies and methodologies that financial institutions can use to authenticate customers. Existing authentication methodologies involve three basic factors: 1) something the user knows (e.g., password, PIN); 2) something the user has (e.g., ATM card, smart card); and 3) something the user is (e.g., a biometric characteristic, such as a fingerprint). The FFIEC considers single-factor authentication, used as the only control, inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. An example of a single-factor authentication method is a customer logging into an account by entering only a password. Multifactor authentication methods, which require factors from two or more of these categories, provide a stronger level of control; two credentials of the same category, such as a password and a challenge question, are both "something the user knows" and so remain single-factor. For instance, an Automated Teller Machine (ATM) transaction, which requires physical control of the ATM card and knowledge of a Personal Identification Number (PIN), is a multifactor authentication method.
Financial institutions should begin with a risk assessment of their Internet banking systems, focusing on the sensitivity of customer information, type of accounts, transactional capabilities, and transaction volumes. The type of authentication process should correspond with the level of risk related to the information and transactions.
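As an added illustration, not part of the original article or of the FFIEC guidance, the following Python sketch shows how the risk-based, multifactor principle of the two preceding paragraphs can be expressed in code. Transactions are classified into risk tiers; a low-risk request is satisfied by a password alone, while any request that exposes customer information or moves funds to another party also requires a factor from the "something the user has" category, here a time-based one-time password from a token (RFC 6238 TOTP over RFC 4226 HOTP). The transaction categories, the demo customer record, the salt, and the reuse of the RFC 6238 reference test key as the token secret are assumptions constructed for the example.

```python
import hashlib
import hmac
import time

# --- Factor 1: something the user knows (a password, stored as a salted PBKDF2 hash) ---

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

# --- Factor 2: something the user has (a token generating RFC 6238 TOTP codes) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return code % (10 ** digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> int:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: int, unix_time: int, step: int = 30,
                digits: int = 6, drift: int = 1) -> bool:
    # accept the current step plus/minus `drift` steps to tolerate token clock skew
    presented = str(code).zfill(digits)
    for d in range(-drift, drift + 1):
        t = max(0, unix_time + d * step)
        expected = str(totp(secret, t, step, digits)).zfill(digits)
        if hmac.compare_digest(expected, presented):
            return True
    return False

# --- Risk tiers (assumed classification for the example) ---

LOW_RISK = {"view_balance"}
HIGH_RISK = {"view_customer_profile", "add_payee", "external_transfer"}

def required_factors(transaction_type: str) -> set:
    """Map a transaction type to the factor categories it must present.

    Unclassified transaction types fall into the high-risk tier so that a new
    feature cannot silently ship with single-factor protection (fail closed).
    """
    if transaction_type in LOW_RISK:
        return {"knowledge"}
    return {"knowledge", "possession"}

def authorize(user: dict, transaction_type: str, password: str = None,
              otp: int = None, now: int = None) -> dict:
    """Return the access decision and which required factors were not satisfied."""
    now = int(time.time()) if now is None else now
    needed = required_factors(transaction_type)
    satisfied = set()
    if password is not None and verify_password(password, user["salt"], user["pw_hash"]):
        satisfied.add("knowledge")
    if otp is not None and verify_totp(user["totp_secret"], otp, now):
        satisfied.add("possession")
    missing = needed - satisfied
    return {"allowed": not missing, "required": needed, "missing": missing}

# Constructed demo record. The TOTP secret is the RFC 6238 reference test key;
# a real deployment generates a random per-customer secret at enrollment.
DEMO_SALT = b"constructed-demo-salt"
DEMO_USER = {
    "salt": DEMO_SALT,
    "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(authorize(DEMO_USER, "view_balance", password=pw, now=59))
    print(authorize(DEMO_USER, "external_transfer", password=pw, now=59))
    print(authorize(DEMO_USER, "external_transfer", password=pw, otp=287082, now=59))
```

The decision mirrors the ATM analogy in the text: the token code proves possession and the password proves knowledge, and a funds transfer is refused unless both are present. Note that answering a challenge question would add nothing here, because it would only satisfy the "knowledge" category again.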
Account Origination and Customer Verification
Financial institutions need to have adequate controls in place to verify customer identities. Moreover, customer identity verification during account origination is required by Section 326 of the USA PATRIOT Act, and it is important for reducing identity theft, fraudulent account applications, and unenforceable account agreements and transactions.
Monitoring and Reporting
In addition to preventive controls, institutions should have detective controls that can determine whether there has been unauthorized access to computer systems and customer accounts and that can analyze customer accounts to identify suspicious activities. Also, financial institutions should report suspicious activities to the appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.
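As an added example, not taken from the article, the following Python code runs two detective-control rules of the kind described above over a constructed Internet-banking event log. The first flags a single source address that fails logins against several different customer accounts within a short window (a credential-stuffing pattern); the second flags a successful login from an address never before seen for that customer that is quickly followed by adding a payee and sending an external transfer (an account-takeover pattern). The log format, field names, thresholds, and the table of previously seen addresses are all assumptions constructed for the example.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample of an Internet-banking event log (not real data).
SAMPLE_LOG = """\
2006-03-01T09:00:01 ip=198.51.100.7 cust=1001 event=login result=fail
2006-03-01T09:00:03 ip=198.51.100.7 cust=1002 event=login result=fail
2006-03-01T09:00:05 ip=198.51.100.7 cust=1003 event=login result=fail
2006-03-01T09:00:07 ip=198.51.100.7 cust=1004 event=login result=ok
2006-03-01T09:02:10 ip=198.51.100.7 cust=1004 event=add_payee result=ok
2006-03-01T09:05:30 ip=198.51.100.7 cust=1004 event=external_transfer result=ok amount=4900
2006-03-01T10:15:00 ip=192.0.2.44 cust=1005 event=login result=ok
2006-03-01T10:16:00 ip=192.0.2.44 cust=1005 event=view_balance result=ok
2006-03-01T11:00:00 ip=192.0.2.44 cust=1005 event=login result=ok
2006-03-01T11:01:00 ip=192.0.2.44 cust=1005 event=external_transfer result=ok amount=200
"""

# Constructed table of source addresses previously seen for each customer.
KNOWN_IPS = {"1004": {"203.0.113.9"}, "1005": {"192.0.2.44"}}

def parse_log(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        event = {"ts": dt.datetime.fromisoformat(ts)}
        for pair in pairs:
            key, value = pair.split("=", 1)
            event[key] = value
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events

def credential_stuffing(events: list, window=dt.timedelta(minutes=10), threshold: int = 3) -> list:
    """One source IP failing logins against >= threshold distinct accounts inside `window`."""
    fails = defaultdict(list)  # ip -> [(ts, cust), ...]
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            fails[e["ip"]].append((e["ts"], e["cust"]))
    alerts = []
    for ip, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accounts = {c for t, c in items[i:] if t - t0 <= window}
            if len(accounts) >= threshold:
                alerts.append({"rule": "credential_stuffing", "ip": ip, "accounts": len(accounts)})
                break  # one alert per source address is enough
    return alerts

def takeover_pattern(events: list, known_ips: dict, window=dt.timedelta(minutes=30)) -> list:
    """Login from a never-seen IP followed within `window` by add_payee and external_transfer."""
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "login" or e["result"] != "ok":
            continue
        if e["ip"] in known_ips.get(e["cust"], set()):
            continue
        later = [x for x in events[i + 1:]
                 if x["cust"] == e["cust"] and x["ts"] - e["ts"] <= window and x["result"] == "ok"]
        seen = {x["event"] for x in later}
        if {"add_payee", "external_transfer"} <= seen:
            alerts.append({"rule": "takeover_pattern", "cust": e["cust"], "ip": e["ip"]})
    return alerts

def analyze(log_text: str, known_ips: dict) -> list:
    events = parse_log(log_text)
    return credential_stuffing(events) + takeover_pattern(events, known_ips)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

In the sample, customer 1005 transfers funds from an address already associated with the account and is not flagged, while customer 1004's session is flagged because the login came from the same address that had just failed against three other accounts and was followed within minutes by a new payee and an outbound transfer. Alerts of this kind are the input to the suspicious-activity review and reporting process the text describes, not a substitute for it.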
Financial institutions must continue their efforts to educate customers, because customer education is a key defense against fraud and identity theft. Financial institutions can evaluate their customer education efforts in a variety of ways, for example by tracking visits to their information security web pages, the number of direct-mail communications sent, and actual losses due to identity theft at the institution.
A financial institution engaging in Internet banking must have adequate policies, procedures, and controls to reliably authenticate customers accessing its Internet-based services in order to prevent money laundering, terrorist financing, fraud, and identity theft. Risk-based assessments, security measures that reliably authenticate customers using banking services via the Internet, and customer awareness must all be part of an institution’s defense against unauthorized transactions.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.