
New FFIEC E-Banking Guidance

by Heath

Everyone's got an opinion on the new guidance, which was a long time coming. If you haven't reviewed it yet, you can find it here. Overall, the guidance is vague (as usual), but it spends more time and emphasis on some key areas. Here are the highlights and the areas where I think examiners will focus for the new guidance, which goes into effect in January 2012.

Multi-Factor Authentication/Stronger Authentication Practices: This isn't the first time multi-factor authentication has been required; it was first suggested in 2005. However, bankers and auditors have long been critical of the authentication options from vendors. What vendors released 5 years ago was in many cases DUAL factor, NOT multi-factor. True multi-factor is two of the following: something you know, something you have, something you are. Verifying a picture or answering questions AND entering a password is NOT two of the above. They are both something you know. Tokens plus a password have worked well for many banks. Some vendors have successfully implemented IP restriction for authentication, which suffices for multi-factor (password plus something you have, a specific IP) and has worked well against malicious foes. So, on this guidance I believe examiners are going to be more critical about what is and isn't true multi-factor, and about accepting picture verification or questions as a way to authenticate.

Layered Security: Something new I took from this guidance is a layered approach to sessions. For example, a user may just want to check balances, and a password is good enough for that. BUT, if they then try to use bill pay, they are prompted for additional authentication, i.e. a one-time-use passcode sent via text or generated by a token for the user to enter. Once successfully authenticated, they can use bill pay. This can be great for commercial users who may just be checking balances and do not need to be prompted for additional authentication until they attempt a higher-risk transaction.
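The step-up flow described above, as an added example that is not part of the original post: a session starts at password-only assurance, a hypothetical per-transaction policy (standing in for the bank's risk assessment) says which transactions need more, and a single-use, time-limited one-time code raises the session's level only after it is verified.

```python
import hmac
import secrets
import time
from enum import IntEnum


class Level(IntEnum):
    PASSWORD = 1      # single factor: something you know
    PASSWORD_OTP = 2  # password plus a one-time code from a phone/token (something you have)


# Hypothetical output of the risk assessment: assurance level required per transaction type.
POLICY = {
    "view_balance": Level.PASSWORD,
    "bill_pay": Level.PASSWORD_OTP,
    "ach_origination": Level.PASSWORD_OTP,
}


class Session:
    OTP_TTL = 300  # seconds an issued code stays valid

    def __init__(self, user):
        self.user = user
        self.level = Level.PASSWORD  # password was already verified at login
        self._pending = None         # (code, expiry) for an outstanding challenge

    def authorize(self, txn):
        """Return 'allowed' or 'step_up_required' for a transaction type."""
        return "allowed" if self.level >= POLICY[txn] else "step_up_required"

    def issue_otp(self, now=None):
        """Create a 6-digit code; a real system delivers it out of band (SMS/token)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = (code, (now or time.time()) + self.OTP_TTL)
        return code

    def verify_otp(self, code, now=None):
        """Consume the pending code; elevate the session only on an exact, unexpired match."""
        if self._pending is None:
            return False
        expected, expiry = self._pending
        self._pending = None  # single use, whether or not the attempt succeeds
        if (now or time.time()) > expiry or not hmac.compare_digest(expected, code):
            return False
        self.level = Level.PASSWORD_OTP
        return True
```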

Better Risk Assessments: Of course, all these new authentication changes will need to be supplemented by a risk assessment: which transactions require layered security versus just a password, which accounts require multi-factor and which do not, what type of authentication the financial institution is going to use, etc. This risk assessment will be used to verify any type of online banking practices in place, so if you do not plan on changing authentication requirements very often, get it right the first time. Online banking policies should also reference this risk assessment.

Customer and Employee Awareness: Just like there are education requirements for red flags, the same is being suggested for online banking use. According to the guidance, customers need to be better informed on the appropriate use of online banking, how to authenticate, what to watch out for online, and what to do if they believe their account or machine is compromised. This can be done by simply pointing users to sites about online security, or by putting together videos or banners on your own site. Or, if you really want to be proactive, hold real-life training sessions for your customers that cover authentication and online security in general.

Onsite Reviews?!: I did not interpret this anywhere specifically from the guidance, but I have seen a couple of examiner recommendations recently about site visits to 'audit' high-risk online banking users (ACH originators). Many of our banks require their customers to fill out self-assessments about the security of the machines they use for remote deposit, to make sure they are well patched, have active anti-virus, are password protected, etc. Best practice would be to do the same thing for ACH originators, but then the argument is that they do not have to use the audited or site-visited machines to send files. Anyway, it is something to consider for your high-risk customers.

Those are the highlights and my interpretation of the new guidance. Feel free to agree or disagree when we make new recommendations the next time we do an e-banking review for your financial institution.