Grant Thornton LLP. All rights reserved. 2011 FFIEC Authentication Guidance Association of Credit Union Internal Auditors 2012 Region 6 Conference September 27, 2012 Matt Thompson, Managing Director Chris Huffman, Manager

Upload: patience-barton

Post on 26-Dec-2015

© Grant Thornton LLP. All rights reserved.

2011 FFIEC Authentication Guidance

Association of Credit Union Internal Auditors
2012 Region 6 Conference
September 27, 2012

Matt Thompson, Managing Director
Chris Huffman, Manager

Agenda

• Introductions
• Progression of FFIEC Authentication Guidance
• 2011 Guidance
• Changes in the Marketplace
• What does the Guidance not Address?
• Recommended Next Steps
• Q/A
• Appendix

Introductions: Matt Thompson

• Managing Director in Grant Thornton’s Southeast Business Advisory Services Practice, based in Raleigh, NC

• Over 17 years of experience working in IT Audit and Cyber Security

• Certified Information Systems Auditor (CISA)

• Certified in Risk and Information Systems Control (CRISC)

• PCI-DSS Qualified Security Assessor (QSA)

• Held a General Securities Representative Series 7 license

• Member of the Triad (NC) IIA Board of Governors

• A leader of the Southeast Cyber Security, IT Internal Audit, and IT External Audit practices, along with the National Cyber Security solution group

• Recognized speaker at IIA, ISACA, and NACHA conferences / events including the IIA GAM & All Star Conferences

Introductions: Chris Huffman

• Manager in Grant Thornton's Business Advisory Practice, based in Charlotte, NC
• Over 5 years of experience working in IT Internal Audit
• Certified Information Systems Auditor (CISA)
• Master's Degree in Accounting and Information Systems
• Extensive experience with financial institutions' internal audit programs
• Regional and National Trainer for Grant Thornton's Business Advisory Practice
• Member of the Charlotte (NC) IIA Chapter

Progression of FFIEC Authentication Guidance: 2001 Guidance

• Laid groundwork for future guidance
  – Defined acceptable authentication techniques
  – Suggested integration of e-banking into the overall risk assessment

Progression of FFIEC Authentication Guidance: 2005 Guidance

• Updated the 2001 guidance to address new technologies and risk
  – Defined transactions that should require multifactor authentication
  – Addressed the need for risk based assessments
  – Customer awareness programs

2011 Guidance: Group Check

• What has your Credit Union done to address the guidance?

• What changes to the guidance will affect your Credit Union most?

• Have you performed an Internal Audit of your Credit Union's adoption of the 2011 Guidance?

2011 Guidance: Overview

• Regulators and examiners have been considering the issue of increased banking fraud and provided updated guidance in June 2011

• Regulatory scrutiny in the area has increased and institutions should carefully examine their Internet Banking to determine if they are going to need to increase the security of high-risk transactions

• Recent June 2011 guidance will be used by examiners beginning in 2012

2011 Guidance: Justification for Latest Guidance

• Internet banking fraud risks are increasing, significantly growing in 2009 and 2010

• Resulting lawsuits from account takeovers in business accounts have left liability questions related to UCC 4a unclear

2011 Guidance: Justification for Latest Guidance (cont'd)

• The regulatory environment
  – Prior (2005) guidance focused on authentication. The guidance specifically instructed institutions to implement authentication that is stronger than single factor
  – Many Financial Institutions implemented device recognition with challenge questions to comply

2011 Guidance: Overview of Guidance

• Risk Assessments
  – Differentiation between retail and business transaction risk
    • "Agencies recommended that institutions offer multifactor authentication to their business customers"
  – Continued focus on Risk Assessment
  – Continued, increased emphasis on Layered Security Programs

2011 Guidance: Overview of Guidance (cont'd)

• Layered Security
  – Fraud detection and monitoring systems
  – Include consideration of customer history and behavior and enable a timely and effective institution response
  – Dual customer authorization through different access devices
  – Out-of-band verification for transactions

2011 Guidance: Overview of Guidance (cont'd)

• Layered Security
  – Use of "positive pay," debit blocks and other techniques to appropriately limit the transactional use of the account
  – Enhanced controls over account activities
    • Transaction value thresholds
    • Payment recipients
    • Number of transactions allowed per day
    • Allowable payment windows (e.g. days)

2011 Guidance: Overview of Guidance (cont'd)

• Layered Security
  – Internet Protocol (IP) reputation-based tools
  – Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
  – Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels

2011 Guidance: Overview of Guidance (cont'd)

• Layered Security
  – Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk

2011 Guidance: Overview of Guidance (cont'd)

• Multifactor Authentication
  – Can be implemented with physical tokens or "soft tokens"
  – Relies on public key encryption to generate one-time passcodes that are time sensitive
  – Relatively effective control, susceptible to "man-in-browser" malware bypass
    • Not to be used alone with high risk transactions

2011 Guidance: Overview of Guidance (cont'd)

• Out of Band Authentication
  – Involves confirmation using a channel other than the browser
    • SMS text message
    • Voice phone call

2011 Guidance: Overview of Guidance (cont'd)

• Out of Band Authentication
  – Most effective when:
    • Performed at the transaction level
    • Includes transaction details
    • Requests a positive affirmation (such as a PIN code) to proceed with the transaction
  – This emerging technology is quickly gaining industry traction for high risk transactions
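
Added example (not part of the original slides): a minimal server-side sketch of the three properties listed above, where each code is issued for one transaction, the out-of-band message repeats the transaction details, and the transfer is released only on a positive affirmation that matches that exact transaction. The class and function names, the 6-digit code, the 5-minute lifetime and the 3-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    account: str
    payee: str
    amount: Decimal

    def digest(self) -> bytes:
        # JSON array with a normalised amount: unambiguous field boundaries,
        # so the same transfer always hashes to the same bytes.
        fields = [self.account, self.payee, f"{self.amount:.2f}"]
        return hashlib.sha256(json.dumps(fields).encode()).digest()


class OutOfBandConfirmer:
    """Issues one code per transaction and releases only that transaction."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}  # challenge id -> state for one pending transfer

    def challenge(self, transfer):
        """Return (challenge_id, out_of_band_text, code).

        The code is returned separately only so the demo and tests can use
        it; in a deployment it leaves the server solely inside the SMS or
        voice message and is never sent to the browser session.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self._pending[cid] = {
            "digest": transfer.digest(),
            "code": code,
            "expires": self._clock() + self._ttl,
            "attempts": self._max_attempts,
        }
        # Repeat the details the server actually received, so a payee or
        # amount altered in the browser is visible to the customer.
        text = (f"Confirm transfer of ${transfer.amount:.2f} to {transfer.payee} "
                f"from account ending {transfer.account[-4:]}. Code: {code}")
        return cid, text, code

    def confirm(self, cid, transfer, code):
        """True only for the challenged transfer, with the right code, in time."""
        state = self._pending.get(cid)
        if state is None:
            return False
        if self._clock() > state["expires"]:
            del self._pending[cid]
            return False
        same_txn = hmac.compare_digest(state["digest"], transfer.digest())
        same_code = hmac.compare_digest(state["code"].encode(), code.encode())
        ok = same_txn and same_code
        state["attempts"] -= 1
        if ok or state["attempts"] <= 0:
            del self._pending[cid]  # single use on success, lockout on failure
        return ok


if __name__ == "__main__":
    # Constructed sample data.
    confirmer = OutOfBandConfirmer()
    wire = Transfer("000123456789", "ACME-SUPPLY-4410", Decimal("1250.00"))
    cid, text, code = confirmer.challenge(wire)
    print(text)
    swapped = Transfer(wire.account, "UNKNOWN-PAYEE-9921", wire.amount)
    print(confirmer.confirm(cid, swapped, code))  # payee differs from the challenge
    print(confirmer.confirm(cid, wire, code))     # the transfer the customer saw
```

Because the code is tied to the stored transaction digest, a code the customer approved for one payee cannot release a transfer whose payee or amount was changed afterwards.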

2011 Guidance: Overview of Guidance (cont'd)

• Securing the Browser
  – Generally offered as an "opt-in" offering to business customers
  – Can be deployed easily as a "bolt-on" to existing Internet Banking environments

2011 Guidance: Overview of Guidance (cont'd)

• Securing the Browser
  – Provides software that:
    • Creates a client-to-server encrypted tunnel
    • Prevents keyloggers and other malware from operating
    • May provide an encryption key for additional authentication

2011 Guidance: Overview of Guidance (cont'd)

• Securing the Browser
  – Can be deployed in two ways:
    • Software only (e.g. Trusteer Rapport), using a downloadable program for client use
    • Bundled with a USB hardware token (e.g. IronKey), using a secured browser in a virtual operating system

2011 Guidance: Overview of Guidance (cont'd)

• Monitoring Transactions
  – Regulators very clearly indicated these controls can be automated or manual
  – Technology solutions focus on identifying unusual patterns, payees, times of day, or other indicators of risk
  – The solutions will escalate those "high risk" transactions for follow-up and manual validation

2011 Guidance: Overview of Guidance (cont'd)

• Monitoring Transactions
  – To be effective:
    • Implement technology along with an overall anti-fraud or other program
    • When possible, select and implement solutions that examine transactions from multiple channels

2011 Guidance: Overview of Guidance (cont'd)

• Enhanced Customer Awareness and Agreements
  – Traditional controls designed to limit fraud risk can be revisited
    • Credit limits
    • Customer agreements
  – Thresholds for volume or dollar limits defined and enforced by the system
  – Responsibility for implementing and maintaining controls (consider UCC 4a)

2011 Guidance: Overview of Guidance (cont'd)

• Transaction Limits
  – Limiting transactions by frequency on a daily, weekly or monthly basis
  – Limiting transactions by dollar volume

2011 Guidance: Overview of Guidance (cont'd)

• Device Identification
  – Generally offered as a cloud-hosted service
  – Identifies the transaction's source using large databases across a variety of industries then assigns a transaction risk score
    • Banking
    • Gambling
    • Large retailers

2011 Guidance: Overview of Guidance (cont'd)

• Device Identification
  – To be effective:
    • Requires configuration to assign specific actions (block, escalate for follow up, permit) to risk scores
    • Requires a consideration of customers (e.g. likelihood of international travel)
    • Requires significant scale and source data from the vendor (e.g. iovation, Kount)
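
Added example (not part of the original slides): a sketch of how the device-identification risk score, the customer's travel profile and the system-enforced transaction limits from the preceding slides can be combined into one block / escalate / permit decision. The 0 to 100 score scale, the threshold values, the field names and the customer identifiers are all assumptions; a real deployment takes the score from the device-identification vendor.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

PERMIT, ESCALATE, BLOCK = "permit", "escalate", "block"


@dataclass(frozen=True)
class Policy:
    # Illustrative thresholds (assumptions), configured per customer.
    max_txn_per_day: int = 5
    max_daily_total: Decimal = Decimal("10000")
    escalate_score: int = 50      # score at or above this: manual follow-up
    block_score: int = 80         # score at or above this: reject
    travels_abroad: bool = False  # customer is expected to transact abroad


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: Decimal
    device_score: int     # 0 (low risk) to 100 (high risk); scale is assumed
    foreign_source: bool  # source geolocates outside the home country


class LayeredControls:
    def __init__(self, policies):
        self._policies = policies
        self._count = defaultdict(int)      # (customer, day) -> transactions
        self._total = defaultdict(Decimal)  # (customer, day) -> dollar volume

    def decide(self, txn):
        """Return (action, reasons); limit capacity is reserved unless blocked."""
        p = self._policies[txn.customer]
        key = (txn.customer, txn.day)
        block, review = [], []
        if txn.device_score >= p.block_score:
            block.append("device risk score in block band")
        elif txn.device_score >= p.escalate_score:
            review.append("device risk score in escalate band")
        if txn.foreign_source and not p.travels_abroad:
            review.append("foreign source, customer has no travel profile")
        if self._count[key] + 1 > p.max_txn_per_day:
            block.append("daily transaction count limit reached")
        if self._total[key] + txn.amount > p.max_daily_total:
            block.append("daily dollar limit exceeded")
        if block:
            return BLOCK, block
        # Escalated transactions may still be paid after manual validation,
        # so they count against the limits just like permitted ones.
        self._count[key] += 1
        self._total[key] += txn.amount
        return (ESCALATE, review) if review else (PERMIT, [])


if __name__ == "__main__":
    # Constructed sample data.
    controls = LayeredControls({
        "biz-1": Policy(max_txn_per_day=2, max_daily_total=Decimal("5000")),
        "biz-2": Policy(travels_abroad=True),
    })
    day = date(2012, 9, 27)
    for t in [
        Txn("biz-1", day, Decimal("1000"), 10, False),
        Txn("biz-1", day, Decimal("1000"), 60, False),
        Txn("biz-1", day, Decimal("100"), 10, False),
        Txn("biz-2", day, Decimal("100"), 10, True),
    ]:
        print(t.customer, t.amount, controls.decide(t))
```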

Changes in the Marketplace

• Trends in Credit Union Access Methods
• Authentication Techniques (Survey Results)
• 2011 Guidance Adoption by Financial Institutions

Changes in the Marketplace: Trends in Credit Union Access Methods

Source: ISACA

Changes in the Marketplace: Authentication Techniques Survey Results by Financial Institutions

Source: ISACA

Changes in the Marketplace: 2011 Guidance Adoption by Financial Institutions

• Financial Organization Readiness
  – Risk Assessment: 89% of respondents have implemented risk based assessments for all channels
  – Authentication Techniques: 56% of respondents have improved methods for authenticating
  – Customer Awareness Program: 43% of respondents have implemented a new customer awareness program
  – Layered Security: 43% of respondents have implemented layered security techniques

Source: iSMG, 2012 Faces of Fraud Survey

Changes in the Marketplace: 2011 Guidance Adoption by Financial Institutions (cont'd)

• What Technologies are Financial Institutions Using for Compliance?
  – Enhanced customer education: 61%
  – Fraud detection and monitoring: 61%
  – Out of band verification: 35%
  – Device identification technologies: 32%
  – Controls over account maintenance: 32%
  – IP reputation based tools: 21%

Source: iSMG, 2012 Faces of Fraud Survey

Not Addressed in the Guidance: Mobile Banking

Not Addressed in the Guidance: Mobile Banking (cont'd)

• Industry Best Practices
  – Encrypt transmission of data
  – Time-out functionality
  – Ability to disable phone from web console
  – Only A2A transfers
  – Inability to set up new bill payees with mobile device

Recommended Next Steps

1. Determine the current compliance status of your Credit Union.

2. Review your Credit Union's Risk Assessment, known issues, and compliance timeline to ensure appropriate (e.g., perform a design of controls review).

3. Test the operating effectiveness of key controls related to your Credit Union's compliance with the 2011 FFIEC Authentication Guidance.

Appendix: 2005 / 2011 Guidance Comparison

Purpose
  2005 Guidance
    • Risk-based assessments
    • Evaluate customer awareness programs
    • Develop security measures
  2011 Guidance
    • Combat increased fraud
    • Reinforce guidance risk management framework and periodic risk assessments
    • Set min control expectations
    • Identifies min elements required in a customer awareness program

Risk Assessment
  2005 Guidance
    • Start with assessment of risk
    • Authentication process should be consistent with firm's security
    • Ongoing process to review authentication technology
  2011 Guidance
    • Reiterate/stress need for periodic risk assessments
    • Review and update existing assessments as new technology becomes available

Appendix: 2005 / 2011 Guidance Comparison (cont'd)

Customer Authentication for High-Risk Transactions
  2011 Guidance
    • Distinguishes between types of customers (Retail/Consumer is lower level, Business/Commercial is higher level risk)

Layered Security Programs
  2005 Guidance
    • USB Tokens to be user friendly
    • Smart cards - hard to duplicate and are tamper resistant
    • Password generating tokens are time-sensitive, synchronized
    • Biometrics/facial recognition
    • Non-hardware-based one-time-password scratch card
  2011 Guidance
    • Detection monitoring systems
    • Dual customer authorization
    • Out-of-band verification
    • "Positive-pay"
    • Controls over account and change-to-account activity
    • IP reputation-based tools
    • Customer education

Appendix: 2005 / 2011 Guidance Comparison (cont'd)

Layered Security Programs (cont'd)
  2005 Guidance
    • Out-of-band authentication
    • IPA location and Geo-location software
    • Mutual authentication

Other Authentication Techniques
  2005 Guidance
    • Shared secrets – information elements known only by the customer and authenticator
    • Simple challenge questions and images
    • Initial enrollment process or via an offline ancillary process
    • Requirement of periodic change
  2011 Guidance
    • Device identification through PC-installed cookie
    • Sophisticated "one-time" cookies to contest fraudster
    • Sophisticated, "out-of-wallet" or "red-herring" questions

Appendix: 2005 / 2011 Guidance Comparison (cont'd)

2005 Guidance    2011 Guidance

Customer Verification
  • Positive verification
  • Logical verification
  • Negative verification
  • Third party to verify the identity of the applicant

Monitoring and Reporting
  • Audit logs
  • Report suspicious activities
  • Establish transaction dollar limit
  • Reporting mechanisms with timely removal/suspension of user account access.
  • Review System Admins actions

Appendix: 2005 / 2011 Guidance Comparison (cont'd)

2005 Guidance    2011 Guidance

Customer Awareness and Education
  • Key in defense against fraud
  • Efforts should address retail and commercial account holders
  • Explain protections provided
  • Circumstances warranting an institution contacting a client and by what means
  • Commercial online banking customers perform a related risk assessment
  • Listing of alternative control mechanisms and institutional contacts

In accordance with certain professional standards, we inform you that this document supports Grant Thornton LLP’s marketing of professional services and is not written tax, accounting or other advice directed at the particular facts and circumstances of any person. We encourage you to discuss with us, or an independent tax advisor, legal counsel or other advisors the potential application of this document to your particular situation.

Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this document may be considered to contain written tax advice, any written advice contained in, forwarded with or attached to this document is not intended by Grant Thornton to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.

This document is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or privileged material. Dissemination to third parties, copying or use of this information is strictly prohibited without the prior consent of Grant Thornton LLP.

www.GrantThornton.com

© Grant Thornton LLP
US member of Grant Thornton International Ltd
All rights reserved