TRANSCRIPT
© Grant Thornton LLP. All rights reserved.
2011 FFIEC Authentication Guidance
Association of Credit Union Internal Auditors, 2012 Region 6 Conference, September 27, 2012
Matt Thompson, Managing Director
Chris Huffman, Manager
Agenda
• Introductions
• Progression of FFIEC Authentication Guidance
• 2011 Guidance
• Changes in the Marketplace
• What does the Guidance not Address?
• Recommended Next Steps
• Q/A
• Appendix
Introductions: Matt Thompson
• Managing Director in Grant Thornton’s Southeast Business Advisory Services Practice, based in Raleigh, NC
• Over 17 years' experience working in IT Audit and Cyber Security
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• PCI-DSS Qualified Security Assessor (QSA)
• Held a General Securities Representative Series 7 license
• Member of the Triad (NC) IIA Board of Governors
• A leader of the Southeast Cyber Security, IT Internal Audit, and IT External Audit practices, along with the National Cyber Security solution group
• Recognized speaker at IIA, ISACA, and NACHA conferences / events including the IIA GAM & All Star Conferences
Introductions: Chris Huffman
• Manager in Grant Thornton's Business Advisory Practice, based in Charlotte, NC
• Over 5 years' experience working in IT Internal Audit
• Certified Information Systems Auditor (CISA)
• Master's Degree in Accounting and Information Systems
• Extensive experience with financial institutions' internal audit programs
• Regional and National Trainer for Grant Thornton's Business Advisory Practice
• Member of the Charlotte (NC) IIA Chapter
Introductions: Dilbert Wisdom
Progression of FFIEC Authentication Guidance: 2001 Guidance
• Laid groundwork for future guidance
– Defined acceptable authentication techniques
– Suggested integration of e-banking into the overall risk assessment
Progression of FFIEC Authentication Guidance: 2005 Guidance
• Updated the 2001 guidance to address new technologies and risk
– Defined transactions that should require multifactor authentication
– Addressed the need for risk-based assessments
– Customer awareness programs
2011 Guidance: Group Check
• What has your Credit Union done to address the guidance?
• What changes to the guidance will affect your Credit Union most?
• Have you performed an Internal Audit of your Credit Union's adoption of the 2011 Guidance?
2011 Guidance: Overview
• Regulators and examiners have been considering the issue of increased banking fraud and provided updated guidance in June 2011
• Regulatory scrutiny in this area has increased; institutions should carefully examine their Internet banking environment to determine whether they need to increase the security of high-risk transactions
• The June 2011 guidance will be used by examiners beginning in 2012
2011 Guidance: Justification for Latest Guidance
• Internet banking fraud risks are increasing and grew significantly in 2009 and 2010
• Resulting lawsuits from account takeovers in business accounts have left liability questions related to UCC 4a unclear
2011 Guidance: Justification for Latest Guidance (cont'd)
• The regulatory environment
– Prior (2005) guidance focused on authentication. The guidance specifically instructed institutions to implement authentication that is stronger than single factor
– Many financial institutions implemented device recognition with challenge questions to comply
2011 Guidance: Overview of Guidance
• Risk Assessments
– Differentiation between retail and business transaction risk
• "Agencies recommended that institutions offer multifactor authentication to their business customers"
– Continued focus on Risk Assessment
– Continued, increased emphasis on Layered Security Programs
2011 Guidance: Overview of Guidance (cont'd)
• Layered Security
– Fraud detection and monitoring systems
– Include consideration of customer history and behavior and enable a timely and effective institution response
– Dual customer authorization through different access devices
– Out-of-band verification for transactions
2011 Guidance: Overview of Guidance (cont'd)
• Layered Security
– Use of "positive pay," debit blocks and other techniques to appropriately limit the transactional use of the account
– Enhanced controls over account activities
• Transaction value thresholds
• Payment recipients
• Number of transactions allowed per day
• Allowable payment windows (e.g. days)
2011 Guidance: Overview of Guidance (cont'd)
• Layered Security
– Internet Protocol (IP) reputation-based tools
– Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
– Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
2011 Guidance: Overview of Guidance (cont'd)
• Layered Security
– Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk
2011 Guidance: Overview of Guidance (cont'd)
• Multifactor Authentication
– Can be implemented with physical tokens or "soft tokens"
– Relies on public key encryption to generate one-time passcodes that are time sensitive
– Relatively effective control, susceptible to "man-in-the-browser" malware bypass
• Not to be used alone with high risk transactions
2011 Guidance: Overview of Guidance (cont'd)
• Out of Band Authentication
– Involves confirmation using a channel other than the browser
• SMS text message
• Voice phone call
2011 Guidance: Overview of Guidance (cont'd)
• Out of Band Authentication
– Most effective when:
• Performed at the transaction level
• Includes transaction details
• Requests a positive affirmation (such as a PIN code) to proceed with the transaction
– This emerging technology is quickly gaining industry traction for high risk transactions
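An added example (not from the presentation) of transaction-level out-of-band confirmation in Python, built around the three properties the slide lists: the challenge is issued per transaction, the delivered message repeats the payee and amount, and the customer must return a code before the payment executes. The code is bound to a fingerprint of the transaction details, so a payment that was altered after the challenge was issued is refused even with the right code. The gateway stub, class and field names, time-out and attempt limit are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an SMS/voice gateway: records what would have been sent.
SENT_MESSAGES = []


def deliver_out_of_band(phone: str, message: str) -> None:
    SENT_MESSAGES.append((phone, message))


def transaction_fingerprint(txn: dict) -> str:
    """Hash of the fields the customer is asked to confirm. Any change to the
    payee or amount after the challenge was issued changes the fingerprint."""
    canonical = "|".join([txn["account"], txn["payee"], str(txn["amount_cents"]), txn["currency"]])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class OutOfBandConfirmation:
    """Per-transaction verification over a channel the browser session cannot see."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}  # challenge id -> record

    def challenge(self, txn: dict, phone: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        cid = secrets.token_hex(8)
        self.pending[cid] = {
            "code": code,
            "fingerprint": transaction_fingerprint(txn),
            "expires": now + self.ttl,
            "attempts": 0,
        }
        amount = f"{txn['amount_cents'] / 100:.2f} {txn['currency']}"
        # The message repeats the details so the customer can spot a payment they did not make.
        deliver_out_of_band(phone, f"Confirm payment of {amount} to {txn['payee']} with code {code}")
        return cid

    def confirm(self, cid: str, txn_as_submitted: dict, code: str, now: int) -> str:
        rec = self.pending.get(cid)
        if rec is None:
            return "unknown"
        if now > rec["expires"]:
            del self.pending[cid]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > self.max_attempts:
            del self.pending[cid]
            return "locked"
        # The transaction presented for execution must be the one the customer confirmed.
        if transaction_fingerprint(txn_as_submitted) != rec["fingerprint"]:
            del self.pending[cid]
            return "mismatch"
        if not hmac.compare_digest(code, rec["code"]):
            return "wrong_code"
        del self.pending[cid]
        return "approved"


def last_sent_code() -> str:
    """Demo helper: the code is the final token of the most recent message."""
    return SENT_MESSAGES[-1][1].split()[-1]
```

A "mismatch" result is the one worth alerting on: it means the details the customer confirmed and the details the system was about to execute differ, which is exactly the case transaction-level verification exists to catch.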
2011 Guidance: Overview of Guidance (cont'd)
• Securing the Browser
– Generally offered as an "opt-in" offering to business customers
– Can be deployed easily as a "bolt-on" to existing Internet Banking environments
2011 Guidance: Overview of Guidance (cont'd)
• Securing the Browser
– Provides software that:
• Creates a client-to-server encrypted tunnel
• Prevents keyloggers and other malware from operating
• May provide an encryption key for additional authentication
2011 Guidance: Overview of Guidance (cont'd)
• Securing the Browser
– Can be deployed in two ways:
• Software only (e.g. Trusteer Rapport), using a downloadable program for client use
• Bundled with a USB hardware token (e.g. Iron Key), using a secured browser in a virtual operating system
2011 Guidance: Overview of Guidance (cont'd)
• Monitoring Transactions
– Regulators very clearly indicated these controls can be automated or manual
– Technology solutions focus on identifying unusual patterns, payees, times of day, or other indicators of risk
– The solutions will escalate those "high risk" transactions for follow-up and manual validation
2011 Guidance: Overview of Guidance (cont'd)
• Monitoring Transactions
– To be effective:
• Implement technology along with an overall anti-fraud or other program
• When possible, select and implement solutions that examine transactions from multiple channels
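The two Monitoring Transactions slides describe scoring a payment against the customer's own history (unusual payees, times of day, amounts, velocity) and escalating the unusual ones for manual validation. The Python below is an added example of that logic, not a vendor product or anything from the presentation; the customer history, the feature weights and the escalation threshold are all constructed for the demonstration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed history for one business customer: (ISO timestamp, payee, amount in cents).
HISTORY = [
    ("2012-09-03T10:15", "Payroll Services Inc", 820_000),
    ("2012-09-10T09:40", "Office Supply Co", 45_000),
    ("2012-09-14T11:05", "Payroll Services Inc", 835_000),
    ("2012-09-20T14:30", "Office Supply Co", 38_000),
    ("2012-09-24T10:50", "Utility Board", 112_000),
]

# Constructed weights and threshold; an institution would tune these against its own fraud data.
WEIGHTS = {"new_payee": 30, "large_amount": 30, "unusual_hour": 20, "weekend": 10, "velocity": 20}
ESCALATE_THRESHOLD = 40


def score_transaction(txn, history):
    """Score one pending transaction against the customer's own history.
    Returns (score, reasons). A high score means 'unusual for this customer',
    which is grounds for a hold and a call-back, not proof of fraud."""
    ts, payee, amount = txn
    ts = datetime.fromisoformat(ts)
    past = [(datetime.fromisoformat(t), p, a) for t, p, a in history]
    score, reasons = 0, []

    if payee not in {p for _, p, _ in past}:
        score += WEIGHTS["new_payee"]
        reasons.append(f"first payment to {payee}")

    avg = mean(a for _, _, a in past)
    if amount > 3 * avg:
        score += WEIGHTS["large_amount"]
        reasons.append(f"amount {amount / 100:.2f} exceeds 3x the customer average of {avg / 100:.2f}")

    hours = [t.hour for t, _, _ in past]
    if not (min(hours) - 1 <= ts.hour <= max(hours) + 1):
        score += WEIGHTS["unusual_hour"]
        reasons.append(f"submitted at {ts:%H:%M}, outside the customer's usual hours")

    if ts.weekday() >= 5:
        score += WEIGHTS["weekend"]
        reasons.append("weekend submission")

    recent = [t for t, _, _ in past if timedelta(0) <= ts - t <= timedelta(hours=1)]
    if len(recent) >= 3:
        score += WEIGHTS["velocity"]
        reasons.append(f"{len(recent)} transactions in the preceding hour")

    return score, reasons


def review(txn, history):
    """Disposition for the monitoring step: unusual transactions are held and
    escalated for manual validation; everything else proceeds."""
    score, reasons = score_transaction(txn, history)
    return ("escalate" if score >= ESCALATE_THRESHOLD else "permit"), score, reasons


if __name__ == "__main__":
    print(review(("2012-09-28T10:00", "Office Supply Co", 41_000), HISTORY))
    print(review(("2012-09-29T03:10", "New Overseas Ltd", 1_500_000), HISTORY))
```

Returning the reasons alongside the score is what makes the manual validation step workable: the analyst who calls the customer knows which attribute of the payment looked wrong.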
2011 Guidance: Overview of Guidance (cont'd)
• Enhanced Customer Awareness and Agreements
– Traditional controls designed to limit fraud risk can be revisited
• Credit limits
• Customer agreements
– Thresholds for volume or dollar limits defined and enforced by the system
– Responsibility for implementing and maintaining controls (consider UCC 4a)
2011 Guidance: Overview of Guidance (cont'd)
• Transaction Limits
– Limiting transactions by frequency on a daily, weekly or monthly basis
– Limiting transactions by dollar volume
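The enhanced account controls listed under Layered Security (value thresholds, permitted payment recipients, number of transactions per day, allowable payment windows) and the Transaction Limits slide just above describe the same mechanism: limits agreed with the customer and enforced by the online banking system. The Python below is an added example of such a policy check, covering both slides; it is not code from the presentation, and the policy values, ledger entries and payee names are constructed for the demonstration.

```python
from datetime import date

# Constructed account policy of the kind a customer agreement defines (amounts in cents).
POLICY = {
    "max_per_transaction": 1_000_000,
    "max_daily_count": 3,
    "max_daily_total": 1_500_000,
    "max_weekly_total": 2_000_000,
    "max_monthly_total": 6_000_000,
    "approved_payees": {"Payroll Services Inc", "Office Supply Co", "Utility Board"},
    "payment_weekdays": {0, 1, 2, 3, 4},  # Monday..Friday
}

# Constructed ledger of already-executed transactions: (ISO date, payee, amount in cents).
LEDGER = [
    ("2012-09-24", "Payroll Services Inc", 900_000),
    ("2012-09-25", "Office Supply Co", 60_000),
    ("2012-09-26", "Utility Board", 120_000),
    ("2012-09-26", "Office Supply Co", 40_000),
    ("2012-09-26", "Payroll Services Inc", 300_000),
]


def same_iso_week(a: date, b: date) -> bool:
    return a.isocalendar()[:2] == b.isocalendar()[:2]


def same_month(a: date, b: date) -> bool:
    return (a.year, a.month) == (b.year, b.month)


def evaluate(txn, ledger, policy):
    """Check one requested transaction against every limit in the policy.
    Returns ("permit", []) or ("reject", [violated limits]); every violation is
    reported so the customer sees everything that stopped the payment."""
    day, payee, amount = txn
    day = date.fromisoformat(day)
    past = [(date.fromisoformat(d), p, a) for d, p, a in ledger]
    violations = []

    if amount > policy["max_per_transaction"]:
        violations.append("per-transaction dollar limit")
    if payee not in policy["approved_payees"]:
        violations.append("payee not on the approved list")
    if day.weekday() not in policy["payment_weekdays"]:
        violations.append("outside the allowed payment window")

    today = [a for d, _, a in past if d == day]
    if len(today) + 1 > policy["max_daily_count"]:
        violations.append("daily transaction count")
    if sum(today) + amount > policy["max_daily_total"]:
        violations.append("daily dollar limit")

    week = sum(a for d, _, a in past if same_iso_week(d, day))
    if week + amount > policy["max_weekly_total"]:
        violations.append("weekly dollar limit")

    month = sum(a for d, _, a in past if same_month(d, day))
    if month + amount > policy["max_monthly_total"]:
        violations.append("monthly dollar limit")

    return ("permit" if not violations else "reject", violations)


if __name__ == "__main__":
    print(evaluate(("2012-09-27", "Office Supply Co", 50_000), LEDGER, POLICY))
    print(evaluate(("2012-09-29", "Unknown Payee", 1_200_000), LEDGER, POLICY))
```

Because the limits are evaluated against the executed ledger rather than against what the customer typed, a request that would push the week over its cap is rejected even though it is individually within the per-transaction limit.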
2011 Guidance: Overview of Guidance (cont'd)
• Device Identification
– Generally offered as a cloud-hosted service
– Identifies the transaction's source using large databases across a variety of industries, then assigns a transaction risk score
• Banking
• Gambling
• Large retailers
2011 Guidance: Overview of Guidance (cont'd)
• Device Identification
– To be effective:
• Requires configuration to assign specific actions (block, escalate for follow-up, permit) to risk scores
• Requires consideration of customers (e.g. likelihood of international travel)
• Requires significant scale and source data from the vendor (e.g. iovation, Kount)
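The slide's first two points, mapping vendor risk scores to actions and taking the customer's circumstances into account, are the institution's configuration work rather than the vendor's. The Python below is an added example of that configuration logic; it is not from the presentation and does not represent any vendor's API. The score bands, the "step_up" action (an out-of-band challenge before the transaction proceeds), the customer profile and the travel-notice rule are all this example's assumptions.

```python
from datetime import date

# Escalation ladder from least to most restrictive response.
ACTION_ORDER = ["permit", "step_up", "escalate", "block"]

# Constructed score-to-action configuration: (low inclusive, high exclusive, action).
# High-risk transactions (e.g. a new payee or a wire) use tighter bands than a login.
SCORE_BANDS = {
    "standard": [(0, 30, "permit"), (30, 60, "step_up"), (60, 85, "escalate"), (85, 101, "block")],
    "high_risk": [(0, 15, "permit"), (15, 45, "step_up"), (45, 80, "escalate"), (80, 101, "block")],
}

# Constructed customer profile, including a travel notice the customer filed with the institution.
CUSTOMER = {
    "home_country": "US",
    "travel_notice": {"countries": {"GB", "FR"}, "from": "2012-09-20", "to": "2012-10-05"},
}


def band_action(score: int, profile: str) -> str:
    for low, high, action in SCORE_BANDS[profile]:
        if low <= score < high:
            return action
    raise ValueError(f"score {score} outside 0-100")


def travel_explains(customer: dict, device_country: str, on_date: date) -> bool:
    """True when a foreign device is accounted for by an active travel notice."""
    notice = customer.get("travel_notice")
    if not notice or device_country not in notice["countries"]:
        return False
    return date.fromisoformat(notice["from"]) <= on_date <= date.fromisoformat(notice["to"])


def raise_one_level(action: str, cap: str = "escalate") -> str:
    """Move one rung up the ladder, never past 'cap' and never downward."""
    i, cap_i = ACTION_ORDER.index(action), ACTION_ORDER.index(cap)
    return ACTION_ORDER[max(i, min(i + 1, cap_i))]


def decide(score: int, device_country: str, customer: dict, on_date: str, high_risk: bool):
    """Map a vendor device risk score to an action, adjusted for what the
    institution knows about the customer. Returns (action, reasons)."""
    on_date = date.fromisoformat(on_date)
    profile = "high_risk" if high_risk else "standard"
    action = band_action(score, profile)
    reasons = [f"vendor score {score} falls in the {profile} '{action}' band"]
    if device_country != customer["home_country"]:
        if travel_explains(customer, device_country, on_date):
            reasons.append(f"device in {device_country} matches the customer's travel notice")
        else:
            action = raise_one_level(action)
            reasons.append(f"device in {device_country} is not explained by a travel notice")
    return action, reasons


if __name__ == "__main__":
    print(decide(10, "GB", CUSTOMER, "2012-09-27", high_risk=False))
    print(decide(10, "DE", CUSTOMER, "2012-09-27", high_risk=False))
    print(decide(50, "US", CUSTOMER, "2012-09-27", high_risk=True))
```

Keeping the customer adjustment separate from the score bands lets the institution revise one without retesting the other, and the recorded reasons give the reviewer the context the vendor score alone lacks.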
Changes in the Marketplace
• Trends in Credit Union Access Methods
• Authentication Techniques (Survey Results)
• 2011 Guidance Adoption by Financial Institutions
Changes in the Marketplace: Trends in Credit Union Access Methods
[Chart] Source: ISACA
Changes in the Marketplace: Authentication Techniques Survey Results by Financial Institutions
[Chart] Source: ISACA
Changes in the Marketplace: 2011 Guidance Adoption by Financial Institutions
• Financial Organization Readiness
– Risk Assessment: 89% of respondents have implemented risk-based assessments for all channels
– Authentication Techniques: 56% of respondents have improved methods for authenticating
– Customer Awareness Program: 43% of respondents have implemented a new customer awareness program
– Layered Security: 43% of respondents have implemented layered security techniques
Source: iSMG, 2012 Faces of Fraud Survey
Changes in the Marketplace: 2011 Guidance Adoption by Financial Institutions (cont'd)
• What Technologies are Financial Institutions Using for Compliance?
– Enhanced customer education: 61%
– Fraud detection and monitoring: 61%
– Out of band verification: 35%
– Device identification technologies: 32%
– Controls over account maintenance: 32%
– IP reputation based tools: 21%
Source: iSMG, 2012 Faces of Fraud Survey
Not Addressed in the Guidance: Mobile Banking
Not Addressed in the Guidance: Mobile Banking (cont'd)
• Industry Best Practices
– Encrypt transmission of data
– Time-out functionality
– Ability to disable phone from web console
– Only A2A transfers
– Inability to set up new bill payees with mobile device
Recommended Next Steps
1. Determine the current compliance status of your Credit Union.
2. Review your Credit Union's Risk Assessment, known issues, and compliance timeline to ensure they are appropriate (e.g., perform a design-of-controls review).
3. Test the operating effectiveness of key controls related to your Credit Union's compliance with the 2011 FFIEC Authentication Guidance.
Q&A
Appendix: 2005 / 2011 Guidance Comparison

Purpose
2005 Guidance:
• Risk-based assessments
• Evaluate customer awareness programs
• Develop security measures
2011 Guidance:
• Combat increased fraud
• Reinforce guidance risk management framework and periodic risk assessments
• Set minimum control expectations
• Identifies minimum elements required in a customer awareness program

Risk Assessment
2005 Guidance:
• Start with assessment of risk
• Authentication process should be consistent with firm's security
• Ongoing process to review authentication technology
2011 Guidance:
• Reiterate/stress need for periodic risk assessments
• Review and update existing assessments as new technology becomes available
Appendix: 2005 / 2011 Guidance Comparison (cont'd)

Customer Authentication for High-Risk Transactions
2011 Guidance:
• Distinguishes between types of customers (Retail/Consumer is lower level risk, Business/Commercial is higher level risk)

Layered Security Programs
2005 Guidance:
• USB tokens to be user friendly
• Smart cards: hard to duplicate and tamper resistant
• Password-generating tokens are time-sensitive, synchronized
• Biometrics/facial recognition
• Non-hardware-based one-time-password scratch card
2011 Guidance:
• Detection monitoring systems
• Dual customer authorization
• Out-of-band verification
• "Positive pay"
• Controls over account and change-to-account activity
• IP reputation-based tools
• Customer education
Appendix: 2005 / 2011 Guidance Comparison (cont'd)

Layered Security Programs (cont'd)
2005 Guidance:
• Out-of-band authentication
• Mutual authentication
2011 Guidance:
• IPA location and geo-location software

Other Authentication Techniques
2005 Guidance:
• Shared secrets: information elements known only by the customer and authenticator
• Simple challenge questions and images
• Requirement of periodic change
2011 Guidance:
• Initial enrollment process or via an offline ancillary process
• Device identification through PC-installed cookie
• Sophisticated "one-time" cookies to contest fraudsters
• Sophisticated "out-of-wallet" or "red-herring" questions
Appendix: 2005 / 2011 Guidance Comparison (cont'd)

Customer Verification
2005 Guidance:
• Positive verification
• Logical verification
• Negative verification
• Third party to verify the identity of the applicant

Monitoring and Reporting
2005 Guidance:
• Audit logs
• Report suspicious activities
• Establish transaction dollar limit
• Reporting mechanisms with timely removal/suspension of user account access
• Review system administrators' actions
Appendix: 2005 / 2011 Guidance Comparison (cont'd)

Customer Awareness and Education
2005 Guidance:
• Key in defense against fraud
2011 Guidance:
• Efforts should address retail and commercial account holders
• Explain protections provided
• Circumstances warranting an institution contacting a client and by what means
• Commercial online banking customers perform a related risk assessment
• Listing of alternative control mechanisms and institutional contacts
In accordance with certain professional standards, we inform you that this document supports Grant Thornton LLP’s marketing of professional services and is not written tax, accounting or other advice directed at the particular facts and circumstances of any person. We encourage you to discuss with us, or an independent tax advisor, legal counsel or other advisors the potential application of this document to your particular situation.
Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this document may be considered to contain written tax advice, any written advice contained in, forwarded with or attached to this document is not intended by Grant Thornton to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.
This document is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or privileged material. Dissemination to third parties, copying or use of this information is strictly prohibited without the prior consent of Grant Thornton LLP.
www.GrantThornton.com
© Grant Thornton LLP, US member of Grant Thornton International Ltd. All rights reserved.