© Grant Thornton LLP. All rights reserved.
2011 FFIEC Authentication Guidance
Association of Credit Union Internal Auditors
2012 Region 6 Conference
September 27, 2012
Matt Thompson, Managing Director
Chris Huffman, Manager
Agenda
• Introductions
• Progression of FFIEC Authentication Guidance
• 2011 Guidance
• Changes in the Marketplace
• What does the Guidance not Address?
• Recommended Next Steps
• Q/A
• Appendix
Introductions
Matt Thompson
• Managing Director in Grant Thornton’s Southeast Business Advisory
Services Practice, based in Raleigh, NC
• Over 17 years' experience working in IT Audit and Cyber Security
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• PCI-DSS Qualified Security Assessor (QSA)
• Held a General Securities Representative Series 7 license
• Member of the Triad (NC) IIA Board of Governors
• A leader of the Southeast Cyber Security, IT Internal Audit, and IT
External Audit practices, along with the National Cyber Security
solution group
• Recognized speaker at IIA, ISACA, and NACHA conferences /
events including the IIA GAM & All Star Conferences
Introductions
Chris Huffman
• Manager in Grant Thornton's Business Advisory Practice, based in
Charlotte, NC
• Over 5 years' experience working in IT Internal Audit
• Certified Information Systems Auditor (CISA)
• Master's Degree in Accounting and Information Systems
• Extensive experience with financial institutions' internal audit
programs
• Regional and National Trainer for Grant Thornton's Business
Advisory Practice
• Member of the Charlotte (NC) IIA Chapter
Progression of FFIEC Authentication Guidance
2001 Guidance
• Laid groundwork for future guidance
– Defined acceptable authentication techniques
– Suggested integration of e-banking into the
overall risk assessment
Progression of FFIEC Authentication Guidance
2005 Guidance
• Updated the 2001 guidance to address new technologies
and risks
– Defined transactions that should require multifactor
authentication
– Addressed the need for risk based assessments
– Customer awareness programs
2011 Guidance
Group Check
• What has your Credit Union done to address the
guidance?
• What changes to the guidance will affect your
Credit Union most?
• Have you performed an Internal Audit of your
Credit Union's adoption of the 2011 Guidance?
2011 Guidance
Overview
• Regulators and examiners have been considering the issue
of increased banking fraud and provided updated guidance
in June 2011
• Regulatory scrutiny in the area has increased, and
institutions should carefully examine their Internet Banking
controls to determine whether they need to increase the
security of high-risk transactions
• Recent June 2011 guidance will be used by examiners
beginning in 2012
2011 Guidance
Justification for Latest Guidance
• Internet banking fraud risks are increasing,
significantly growing in 2009 and 2010
• Resulting lawsuits from account takeovers in
business accounts have left liability questions
related to UCC 4a unclear
2011 Guidance
Justification for Latest Guidance (cont'd)
• The regulatory environment
– Prior (2005) guidance focused on authentication. The
guidance specifically instructed institutions to implement
authentication that is stronger than single factor
– Many Financial Institutions implemented device
recognition with challenge questions to comply
2011 Guidance
Overview of Guidance
• Risk Assessments
– Differentiation between retail and business transaction
risk
• "Agencies recommended that institutions offer multifactor
authentication to their business customers"
– Continued focus on Risk Assessment
– Continued, increased emphasis on Layered Security
Programs
2011 Guidance
Overview of Guidance (cont'd)
• Layered Security
– Fraud detection and monitoring systems
– Include consideration of customer history and behavior
and enable a timely and effective institution response
– Dual customer authorization through different access
devices
– Out-of-band verification for transactions
2011 Guidance
Overview of Guidance (cont'd)
• Layered Security
– Use of "positive pay," debit blocks and other techniques
to appropriately limit the transactional use of the account
– Enhanced controls over account activities
• Transaction value thresholds
• Payment recipients
• Number of transactions allowed per day
• Allowable payment windows (e.g. days)
2011 Guidance
Overview of Guidance (cont'd)
• Layered Security
– Internet Protocol (IP) reputation-based tools
– Policies and practices for addressing customer devices
identified as potentially compromised and customers
who may be facilitating fraud
– Enhanced control over changes to account maintenance
activities performed by customers either online or
through customer service channels
2011 Guidance
Overview of Guidance (cont'd)
• Layered Security
– Enhanced customer education to increase awareness of
the fraud risk and effective techniques customers can
use to mitigate the risk
2011 Guidance
Overview of Guidance (cont'd)
• Multifactor Authentication
– Can be implemented with physical tokens or "soft
tokens"
– Relies on public key encryption to generate one-time
passcodes that are time sensitive
– Relatively effective control, but susceptible to "man-in-the-
browser" malware bypass
• Not to be used alone with high risk transactions
2011 Guidance
Overview of Guidance (cont'd)
• Out of Band Authentication
– Involves confirmation using a channel other than the
browser
• SMS text message
• Voice phone call
2011 Guidance
Overview of Guidance (cont'd)
• Out of Band Authentication
– Most effective when:
• Performed at the transaction level
• Includes transaction details
• Requests a positive affirmation (such as a PIN code) to proceed
with the transaction
– This emerging technology is quickly gaining industry
traction for high risk transactions
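The three "most effective when" points above (per transaction, carrying the transaction details, requiring a positive affirmation) can be implemented so that the code the customer reads off the SMS or voice call is cryptographically bound to the exact details they were shown. The following is an added example and is not part of the presentation; the `Transfer` fields, the HMAC-based code construction, the per-server key and the message wording are all assumptions, and the "customer" is simulated by parsing the code out of the message. The three outcomes it returns are the honest approval, a replay of an already-used code, and a code presented for a transaction whose payee was changed after the message went out, which is the man-in-the-browser case the guidance has in mind.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    payee: str
    amount_cents: int


class OutOfBandConfirmer:
    """Issues a one-time confirmation code bound to the exact transaction details
    that are sent to the customer over the second channel (constructed example)."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}  # transfer_id -> nonce for confirmations not yet answered

    def _code(self, tx: Transfer, nonce: bytes) -> str:
        # Canonical encoding of the details: any change to payee or amount changes the code.
        details = f"{tx.transfer_id}|{tx.payee}|{tx.amount_cents}".encode()
        mac = hmac.new(self._key, nonce + details, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, tx: Transfer) -> str:
        """Return the SMS/voice text. It names the payee and amount so the customer
        can spot a transaction they did not enter, and carries the code to reply with."""
        nonce = secrets.token_bytes(16)
        self._pending[tx.transfer_id] = nonce
        return (f"Confirm transfer {tx.transfer_id}: ${tx.amount_cents / 100:.2f} "
                f"to {tx.payee}. Reply with code {self._code(tx, nonce)} to approve.")

    def confirm(self, tx: Transfer, reply_code: str) -> bool:
        """Release `tx` only if the reply matches the code issued for these exact
        details. The pending nonce is consumed whether or not the reply matches."""
        nonce = self._pending.pop(tx.transfer_id, None)
        if nonce is None:
            return False  # nothing pending for this transfer, or the code was already used
        return hmac.compare_digest(self._code(tx, nonce), reply_code)


def code_from_message(message: str) -> str:
    """What the simulated customer reads off the message and types back."""
    return re.search(r"code (\d{6})", message).group(1)


def demo() -> dict:
    """Honest approval, replay of the used code, and a code presented for details
    that were altered after it was issued."""
    confirmer = OutOfBandConfirmer(secrets.token_bytes(32))  # per-server secret, constructed
    tx = Transfer("T-1001", "ACME Supplies", 500_000)  # $5,000.00, constructed
    code = code_from_message(confirmer.issue(tx))
    honest = confirmer.confirm(tx, code)
    replay = confirmer.confirm(tx, code)  # same code again: nonce already consumed
    # Same transfer id and amount, but the payee the server is about to pay differs
    # from the one the customer approved; the code no longer verifies.
    code = code_from_message(confirmer.issue(tx))
    altered = Transfer("T-1001", "Unknown Payee", 500_000)
    tampered = confirmer.confirm(altered, code)
    return {"honest": honest, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Because the affirmation is computed over the details the server will actually execute, a mismatch between what the customer approved and what reaches the payment engine fails closed rather than relying on the customer to notice the discrepancy after the fact.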
2011 Guidance
Overview of Guidance (cont'd)
• Securing the Browser
– Generally offered as an "opt-in" offering to business
customers
– Can be deployed easily as a "bolt-on" to existing Internet
Banking environments
2011 Guidance
Overview of Guidance (cont'd)
• Securing the Browser
– Provides software that:
• Creates a client-to-server encrypted tunnel
• Prevents keyloggers and other malware from operating
• May provide an encryption key for additional authentication
2011 Guidance
Overview of Guidance (cont'd)
• Securing the Browser
– Can be deployed in two ways:
• Software only (e.g. Trusteer Rapport), using a downloadable
program for client use
• Bundled with a USB hardware token (e.g. IronKey), using a
secured browser in a virtual operating system
2011 Guidance
Overview of Guidance (cont'd)
• Monitoring Transactions
– Regulators very clearly indicated these controls can be
automated or manual
– Technology solutions focus on identifying unusual
patterns, payees, times of day, or other indicators of risk
– The solutions will escalate those "high risk" transactions
for follow-up and manual validation
2011 Guidance
Overview of Guidance (cont'd)
• Monitoring Transactions
– To be effective:
• Implement technology along with an overall anti-fraud or other
program
• When possible, select and implement solutions that examine
transactions from multiple channels
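The two monitoring slides above describe a system that compares each transaction with the customer's own history and behavior, looks at payees, times of day and patterns across channels, and escalates the "high risk" ones for manual validation. The following is an added example, not the presentation's code or any vendor's product; the indicators, the thresholds, the channel names and the sample history are constructed. It runs a small rule set over a customer's prior payments and returns the indicators a new payment trips together with the follow-up action, so an auditor can see how a transaction moves from automated release to manual review.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Tx:
    customer: str
    when: datetime
    amount: float
    payee: str
    channel: str  # "online", "mobile", "ach": examined together, not per channel


def risk_indicators(history, tx):
    """Compare one transaction with the customer's own history; return the indicators
    it trips (an empty list means nothing unusual was seen)."""
    hist = [h for h in history if h.customer == tx.customer and h.when < tx.when]
    reasons = []
    if tx.payee not in {h.payee for h in hist}:
        reasons.append("new_payee")
    amounts = [h.amount for h in hist]
    if amounts:
        mu, sigma = mean(amounts), pstdev(amounts)
        # The floor on sigma keeps a perfectly flat history from flagging every change.
        if tx.amount > mu + 3 * max(sigma, 1.0):
            reasons.append("amount_outlier")
    usual_hours = {h.when.hour for h in hist}
    if usual_hours and tx.when.hour not in usual_hours and not 8 <= tx.when.hour <= 18:
        reasons.append("unusual_hour")
    # Velocity across channels: several payments within an hour via different channels.
    recent = [h for h in hist if (tx.when - h.when).total_seconds() <= 3600]
    if len(recent) >= 2 and len({h.channel for h in recent} | {tx.channel}) >= 2:
        reasons.append("cross_channel_velocity")
    return reasons


def triage(history, tx):
    """Map indicators to the follow-up the guidance describes: automated release,
    a flag for review, or escalation for manual validation before release."""
    reasons = risk_indicators(history, tx)
    if len(reasons) >= 2:
        return "escalate", reasons
    if reasons:
        return "flag", reasons
    return "permit", reasons


# Constructed sample history for one business member; not real data.
SAMPLE_HISTORY = [
    Tx("cu-1001", datetime(2012, 9, 3, 9, 10), 2100, "Payroll Provider", "online"),
    Tx("cu-1001", datetime(2012, 9, 5, 14, 0), 2400, "Office Supplies Co", "online"),
    Tx("cu-1001", datetime(2012, 9, 10, 10, 30), 2900, "Payroll Provider", "online"),
    Tx("cu-1001", datetime(2012, 9, 17, 15, 0), 2600, "Office Supplies Co", "online"),
    Tx("cu-1001", datetime(2012, 9, 26, 9, 10), 2300, "Payroll Provider", "online"),
    Tx("cu-1001", datetime(2012, 9, 26, 9, 30), 2700, "Office Supplies Co", "mobile"),
]


def demo() -> dict:
    """Triage three constructed new payments against the sample history."""
    requests = {
        "routine": Tx("cu-1001", datetime(2012, 9, 27, 10, 0), 2500, "Payroll Provider", "online"),
        "large_overnight_new_payee": Tx("cu-1001", datetime(2012, 9, 27, 2, 0), 14000, "Overseas Ltd", "online"),
        "third_channel_within_hour": Tx("cu-1001", datetime(2012, 9, 26, 9, 50), 2500, "Payroll Provider", "ach"),
    }
    return {name: triage(SAMPLE_HISTORY, tx) for name, tx in requests.items()}


if __name__ == "__main__":
    for name, (action, reasons) in demo().items():
        print(f"{name}: {action} {reasons}")
```

The point of feeding all channels into one history is the second "to be effective" bullet: a payment that looks ordinary on the ACH channel can still be the third movement of funds within an hour when the online and mobile channels are counted alongside it.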
2011 Guidance
Overview of Guidance (cont'd)
• Enhanced Customer Awareness and Agreements
– Traditional controls designed to limit fraud risk can be
revisited
• Credit limits
• Customer agreements
– Thresholds for volume or dollar limits defined and enforced by the
system
– Responsibility for implementing and maintaining controls (consider
UCC 4a)
2011 Guidance
Overview of Guidance (cont'd)
• Transaction Limits
– Limiting transactions by frequency on a daily,
weekly or monthly basis
– Limiting transactions by dollar volume
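The enhanced controls over account activities listed under Layered Security (transaction value thresholds, payment recipients, number of transactions per day, allowable payment windows) and the transaction limits just above are the same kind of control: a per-account policy the institution defines and the system enforces before a payment is released. The following is an added example and not code from the presentation; the policy values, field names and sample history are constructed and stand in for whatever an institution and its business member agree on. `evaluate` returns every control a requested payment would breach, so the caller can log all of them rather than stopping at the first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccountPolicy:
    """Per-account limits an institution configures; the values used below are constructed."""
    per_transaction_limit: float   # transaction value threshold
    daily_limit: float             # dollar volume per calendar day
    weekly_limit: float            # dollar volume per rolling 7 days
    monthly_limit: float           # dollar volume per rolling 30 days
    max_per_day: int               # number of transactions allowed per day
    allowed_payees: frozenset      # approved payment recipients
    payment_days: frozenset        # allowable payment window (weekday numbers, Monday = 0)


@dataclass(frozen=True)
class Transaction:
    when: datetime
    amount: float
    payee: str


def _rolling_total(history, when, days):
    """Dollar volume of prior transactions in the `days` ending at `when`."""
    start = when - timedelta(days=days)
    return sum(t.amount for t in history if start < t.when <= when)


def evaluate(policy, history, tx):
    """Return the names of every control `tx` would breach; an empty list means permitted."""
    violations = []
    if tx.amount > policy.per_transaction_limit:
        violations.append("per_transaction_limit")
    if tx.payee not in policy.allowed_payees:
        violations.append("unapproved_payee")
    if tx.when.weekday() not in policy.payment_days:
        violations.append("outside_payment_window")
    same_day = [t for t in history if t.when.date() == tx.when.date() and t.when <= tx.when]
    if len(same_day) + 1 > policy.max_per_day:
        violations.append("max_transactions_per_day")
    if sum(t.amount for t in same_day) + tx.amount > policy.daily_limit:
        violations.append("daily_dollar_limit")
    if _rolling_total(history, tx.when, 7) + tx.amount > policy.weekly_limit:
        violations.append("weekly_dollar_limit")
    if _rolling_total(history, tx.when, 30) + tx.amount > policy.monthly_limit:
        violations.append("monthly_dollar_limit")
    return violations


# Constructed sample policy and history for one business account; not real data.
SAMPLE_POLICY = AccountPolicy(
    per_transaction_limit=10_000, daily_limit=25_000, weekly_limit=60_000,
    monthly_limit=150_000, max_per_day=5,
    allowed_payees=frozenset({"ACME Supplies", "Payroll Provider"}),
    payment_days=frozenset({0, 1, 2, 3, 4}),  # business days only
)
SAMPLE_HISTORY = [
    Transaction(datetime(2012, 9, 24, 9, 0), 8_000, "ACME Supplies"),
    Transaction(datetime(2012, 9, 24, 10, 0), 9_000, "Payroll Provider"),
    Transaction(datetime(2012, 9, 25, 14, 0), 5_000, "ACME Supplies"),
]


def demo() -> dict:
    """Evaluate a few constructed requests against the sample policy and history."""
    requests = {
        "routine_payment": Transaction(datetime(2012, 9, 25, 15, 0), 4_000, "ACME Supplies"),
        "large_to_new_payee": Transaction(datetime(2012, 9, 25, 16, 0), 12_000, "New Vendor"),
        "weekend_payment": Transaction(datetime(2012, 9, 29, 10, 0), 1_000, "ACME Supplies"),
        "daily_volume_exceeded": Transaction(datetime(2012, 9, 24, 11, 0), 9_000, "ACME Supplies"),
    }
    return {name: evaluate(SAMPLE_POLICY, SAMPLE_HISTORY, tx) for name, tx in requests.items()}


if __name__ == "__main__":
    for name, violations in demo().items():
        print(f"{name}: {violations or 'permit'}")
```

For an audit of operating effectiveness, the useful property is that the limits live in one policy object that can be pulled from the system and compared with the signed customer agreement, rather than being scattered through screen logic.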
2011 Guidance
Overview of Guidance (cont'd)
• Device Identification
– Generally offered as a cloud-hosted service
– Identifies the transaction's source using large databases
across a variety of industries, then assigns a transaction
risk score
• Banking
• Gambling
• Large retailers
2011 Guidance
Overview of Guidance (cont'd)
• Device Identification
– To be effective:
• Requires configuration to assign specific actions (block, escalate
for follow up, permit) to risk scores
• Requires a consideration of customers (e.g. likelihood of
international travel)
• Requires significant scale and source data from the vendor (e.g.
iovation, Kount)
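The "to be effective" bullets above make two points an auditor should look for: the vendor's risk score is only an input, and the institution must configure which action each score band produces and adjust for what it knows about the customer, such as the likelihood of international travel. The following is an added example and not code from the presentation or from any device-reputation vendor; the 0-100 score scale, the adjustments, the thresholds and the profiles are all constructed assumptions. It shows how the same vendor score can permit, escalate or block depending on the customer's profile and the device's enrollment status.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceSignal:
    """What a device-reputation service returns for a session (constructed; the 0-100
    risk scale is an assumption, not any vendor's actual format)."""
    device_id: str
    vendor_score: int       # 0 = no known risk, 100 = strongly associated with fraud
    country: str            # geolocation of the connecting device
    previously_seen: bool   # has this device been seen for this customer before


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    home_country: str
    travels_internationally: bool
    trusted_devices: frozenset  # devices the customer enrolled and confirmed


# Highest threshold met wins. The institution, not the vendor, sets these bands.
ACTIONS = ((70, "block"), (40, "escalate"), (0, "permit"))


def adjusted_score(signal: DeviceSignal, profile: CustomerProfile) -> int:
    """Combine the vendor's score with what the institution knows about the customer."""
    score = signal.vendor_score
    if signal.device_id in profile.trusted_devices:
        score -= 20   # enrolled device the customer has confirmed out of band
    elif not signal.previously_seen:
        score += 15   # first contact from this device for this customer
    if signal.country != profile.home_country and not profile.travels_internationally:
        score += 25   # a foreign source is unexpected for this customer
    return max(0, min(100, score))


def decide(signal: DeviceSignal, profile: CustomerProfile):
    """Return (action, adjusted score) using the configured bands."""
    score = adjusted_score(signal, profile)
    for threshold, action in ACTIONS:
        if score >= threshold:
            return action, score


if __name__ == "__main__":
    # Constructed profiles: a member who never travels, and one who does.
    stays_home = CustomerProfile("cu-1", "US", False, frozenset({"dev-A"}))
    traveler = CustomerProfile("cu-2", "US", True, frozenset())
    print(decide(DeviceSignal("dev-A", 30, "US", True), stays_home))   # enrolled device
    print(decide(DeviceSignal("dev-Z", 35, "BR", False), stays_home))  # new device abroad
    print(decide(DeviceSignal("dev-Z", 35, "BR", False), traveler))    # same device, traveler
```

An "escalate" result is where the manual follow-up from the transaction-monitoring slides (or an out-of-band confirmation) is triggered; a "block" with no customer contact path is the outcome that generates the member complaints the second bullet is warning about.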
Changes in the Marketplace
• Trends in Credit Union Access Methods
• Authentication Techniques (Survey Results)
• 2011 Guidance Adoption by Financial Institutions
Changes in the Marketplace
Trends in Credit Union Access Methods
(chart not reproduced; Source: ISACA)
Changes in the Marketplace
Authentication Techniques: Survey Results by Financial Institutions
(chart not reproduced; Source: ISACA)
Changes in the Marketplace
2011 Guidance Adoption by Financial Institutions
• Financial Organization Readiness
– Risk Assessment: 89% of respondents have
implemented risk based assessments for all channels
– Authentication Techniques: 56% of respondents have
improved methods for authenticating
– Customer Awareness Program: 43% of respondents
have implemented a new customer awareness program
– Layered Security: 43% of respondents have
implemented layered security techniques
Source: ISMG, 2012 Faces of Fraud Survey
Changes in the Marketplace
2011 Guidance Adoption by Financial Institutions (cont'd)
• What Technologies are Financial Institutions Using
for Compliance?
– Enhanced customer education: 61%
– Fraud detection and monitoring: 61%
– Out of band verification: 35%
– Device identification technologies: 32%
– Controls over account maintenance: 32%
– IP reputation based tools: 21%
Source: ISMG, 2012 Faces of Fraud Survey
Not Addressed in the Guidance
Mobile Banking
Not Addressed in the Guidance
Mobile Banking (cont'd)
• Industry Best Practices
– Encrypt transmission of data
– Time-out functionality
– Ability to disable phone from web console
– Only A2A transfers
– Inability to set up new bill payees from a mobile
device
Recommended Next Steps
1. Determine the current compliance status of your Credit Union.
2. Review your Credit Union's Risk Assessment, known issues, and
compliance timeline to ensure they are appropriate (e.g., perform a
design-of-controls review).
3. Test the operating effectiveness of key controls related to your Credit
Union's compliance with the 2011 FFIEC Authentication Guidance.
Q&A
Appendix
2005 / 2011 Guidance Comparison
Purpose
2005 Guidance:
• Risk-based assessments
• Evaluate customer awareness programs
• Develop security measures
2011 Guidance:
• Combat increased fraud
• Reinforce the guidance's risk management framework and periodic risk assessments
• Set minimum control expectations
• Identify the minimum elements required in a customer awareness program

Risk Assessment
2005 Guidance:
• Start with an assessment of risk
• Authentication process should be consistent with the firm's security
• Ongoing process to review authentication technology
2011 Guidance:
• Reiterate/stress the need for periodic risk assessments
• Review and update existing assessments as new technology becomes available
Appendix
2005 / 2011 Guidance Comparison (cont'd)
Customer Authentication for High-Risk Transactions
2011 Guidance:
• Distinguishes between types of customers (Retail/Consumer is lower level risk, Business/Commercial is higher level risk)

Layered Security Programs
2005 Guidance:
• USB tokens to be user friendly
• Smart cards: hard to duplicate and tamper resistant
• Password generating tokens are time-sensitive, synchronized
• Biometrics/facial recognition
• Non-hardware-based one-time-password scratch card
2011 Guidance:
• Detection monitoring systems
• Dual customer authorization
• Out-of-band verification
• "Positive pay"
• Controls over account and change-to-account activity
• IP reputation-based tools
• Customer education
Appendix
2005 / 2011 Guidance Comparison (cont'd)
Layered Security Programs (cont'd)
2005 Guidance:
• Out-of-band authentication
• IP address (IPA) location and geo-location software
• Mutual authentication

Other Authentication Techniques
2005 Guidance:
• Shared secrets – information elements known only by the customer and authenticator
• Simple challenge questions and images
• Initial enrollment process, or via an offline ancillary process
• Requirement of periodic change
• Device identification through PC-installed cookie
2011 Guidance:
• Sophisticated "one-time" cookies to contest fraudsters
• Sophisticated "out-of-wallet" or "red-herring" questions
Appendix
2005 / 2011 Guidance Comparison (cont'd)
Customer Verification
2005 Guidance:
• Positive verification
• Logical verification
• Negative verification
• Third party to verify the identity of the applicant

Monitoring and Reporting
2005 Guidance:
• Audit logs
• Report suspicious activities
• Establish transaction dollar limit
• Reporting mechanisms with timely removal/suspension of user account access
• Review system administrators' actions
Appendix
2005 / 2011 Guidance Comparison (cont'd)
Customer Awareness and Education
2005 Guidance:
• Key in defense against fraud
2011 Guidance:
• Efforts should address retail and commercial account holders
• Explain protections provided
• Circumstances warranting an institution contacting a client, and by what means
• Commercial online banking customers perform a related risk assessment
• Listing of alternative control mechanisms and institutional contacts

www.GrantThornton.com