Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

May 04, 2015


Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.

New_characteristics_table

The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d10cb742970c

Listed below are links to blogs that reference Keeping Up with the Criminals: Improving Customer Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 27, 2015


Not Seeing a Tree for the Forest

For this blog's title, I confess to having pineapple-upside-down-caked the common adage "missing the forest for the trees." The thing is, I want to point to a particularly nice tree in the same day ACH (automated clearinghouse) forest. By torturing the adage I hope to inspire folks to deviate from the basic, same day forest flyover and focus on one tree. It seems to me it has not gotten all the attention due.

Those advocating for same day ACH generally tout the increased functionality or the economic benefits of the latest proposal. Another oft-mentioned benefit of the proposed rule change is that it may provide a bridge from today's payments to those of the future. However, tucked into the lush same day ACH forest is a hard-to-find risk abatement species. Allow me to point out some of its features.

Settlement—By reducing the settlement window, same day ACH reduces credit risk associated with the network ecosystem—both in terms of the length of time counterparties are exposed to settlement risk and, potentially, the total amounts of settlement risk. For sure, financial institutions will have more flexibility to better manage these circumstances.

Operations—Same day ACH provides additional processing windows that result in risk reduction opportunities. Operations managers gain the means to load balance or smooth processing volumes and may also be able to ease the pressure on deadlines. The additional processing windows can be thought of as de facto contingency alternatives and seem likely to yield a corresponding increase in reliability and quality for the ACH.

Returns—Expedited settlement means expedited return handling. same day ACH would provide the opportunity for receiving banks to return same day payments on that same day. Moreover, because return requirements are tied to settlement, any same day payment that needs to be returned to an originating bank will be received one banking day earlier than would have occurred without same day settlement. NACHA points out that exceptions may be identified sooner and returned sooner, which means resolution for more problems may begin sooner. They have described this as "a 'win-win' for all parties." It's hard to argue the point.

If it passes, same day ACH will improve the risk posture of financial institutions, benefiting both ACH payers and payees. As spring continues to unfurl, perhaps some of you will get to stroll through the woods. If you come across a particularly handsome dogwood or perhaps an eastern redbud, be reminded that the same day ACH ballot will pop later this spring. I'm keeping my fingers crossed that the woodsmen don't get to clear cut the forest this time and we don't lose any of the nice trees.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed


April 27, 2015 in ACH, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c7809190970b

Listed below are links to blogs that reference Not Seeing a Tree for the Forest:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 06, 2015


What Can Parenting Teach Us about Data Security?

My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.

As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.

However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.

In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


April 6, 2015 in consumer protection, data security, KYC, risk management, third-party service provider | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d0fabc79970c

Listed below are links to blogs that reference What Can Parenting Teach Us about Data Security?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 30, 2015


Safely Motoring the Payments Highway

I've ridden a motorcycle for 30-plus years and, except for a slight bump from behind by a car when I was stopped at a four-way stop sign, I have a perfect safety record. Some say I'm lucky. While there is probably some element of truth to that—I've made it through a number of dangerous situations over the years—I believe my good safety record is largely because early on in my riding days, I invested in proper safety clothing and took classes in motorcycle riding skills and safety. In addition, when I've been out on the road, risk management has played an integral role in my safety: I follow the Motorcycle Safety Foundation's recommended practice of S-I-P-D-E: scan, identify, predict, decide, and execute.

I recently took advantage of an early spring day and rode the North Georgia back roads. Later that evening, when I thought back over my day, I couldn't help but think of the parallel between motorcycling risk management and payments risk management. To maintain a good safety record in both, you should practice SIPDE. Here's how SIPDE can work with payments.

Scan: Constantly examine the environment you are in. Don't focus on a particular payment method or channel or you will get target fixation and be likely to miss threats to other payment types. How often have we heard that while resources were focused on responding to a distributed denial of service attack, the criminals took advantage of the distraction and executed some unauthorized transactions? When riding, I try to always be alert and I constantly move my sight lines to spot any dangers.

Identify: As you conduct your examination, identify all potential risks. Some may be immediately apparent, and some may be hidden. Some may be major threats, and others less serious. While most of the criminal threats will come from external elements, don't forget about insider fraud.

Predict: After you have identified the risks, run through scenarios as to potential outcomes given a variety of circumstances. I sometimes change my lane position to increase my visibility and always cover the brake lever to prepare for that emergency stop. You must certainly consider the worst-case scenario, but don't forget that an accumulation of less-severe situations may result in a loss that is just as big.

Decide: After weighing all the options and the likelihood of their panning out, determine your course of action so that you're ready if one of the scenarios becomes a reality. Reaction time is critical with motorcycle riding and dealing with criminal attacks.

Execute: Put into motion that course of action to deal with the risk. This is where your training, skills, and tools come into play, helping you to properly and completely execute your plan.

Just as when I ride and the environmental factors and potential threats around me are constantly changing, such is the case in our payments environment. We must constantly use our S-I-P-D-E skills to assess and react to the environment, whether that's the road you're riding on or the payments environment you're operating in.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 30, 2015 in consumer protection, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c76eabf3970b

Listed below are links to blogs that reference Safely Motoring the Payments Highway:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 16, 2014


Banking on the Financial Institutions as Gatekeepers

With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.

Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.

Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.

Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)

An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.

The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.

Photo of Deborah Shaw

June 16, 2014 in banks and banking, regulations, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dd9fb1b970d

Listed below are links to blogs that reference Banking on the Financial Institutions as Gatekeepers:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 19, 2014


Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

Photo of Deborah ShawBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


May 19, 2014 in banks and banking, law enforcement, regulations, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dc5354c970d

Listed below are links to blogs that reference Choking on the Cost of Risk Management:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 30, 2013


Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 30, 2013 in banks and banking, consumer protection, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affb14827970d

Listed below are links to blogs that reference Securing All the Links in the Chain: Third-Party Payment Processors:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 06, 2013


Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may generally also install a pinhole camera positioned to capture the customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017eeadcbd0a970d

Listed below are links to blogs that reference Staying One Step Ahead of ATM Attacks:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 01, 2012


Summer Is Gone, but ACH Fraud Remains

As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.

In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.

Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:

  • ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
  • ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
  • RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
  • RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
  • RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.

In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.

The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2012 in ACH, consumer fraud, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c32410708970b

Listed below are links to blogs that reference Summer Is Gone, but ACH Fraud Remains:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 16, 2012


Online and mobile banking create many front doors

"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.

An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.

The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.

Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.

Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.

Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.

Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.

Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.

Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.

With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.

Mary KeplerBy Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed

April 16, 2012 in banks and banking, mobile banking, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168ea343547970c

Listed below are links to blogs that reference Online and mobile banking create many front doors:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


May 2015


Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Archives


Categories


Powered by TypePad