WASHINGTON (12/28/11)--January 2012 is the timeframe mentioned by the National Credit Union Administration (NCUA) for federally insured credit unions to adopt "appropriate strategies" to institute "key precautions" to address the growing problem of online transaction fraud at institutions that offer electronic services.
Back in 2005, the NCUA and the federal banking agencies issued "Authentication in an Internet Banking Environment." It was an effort intended to move institutions away from single-factor authentication--such as user name and password only--to the use of multi-factor authentication, like username with password and PIN, or password and challenge question, layered security and other controls.
Then just this past July the agencies issued a supplement to this guidance to address growing incidences of online transaction fraud and ID theft, and to highlight some key precautions institutions should take if they offer electronic services. (Use resource link to see NCUA Letter to Credit Unions 11-CU-09: Online Member Authentication Guidance.)
A recent Credit Union National Association (CUNA) webinar highlighted that Jan. 1, 2012 is not a compliance "deadline." Rather, credit unions that offer online banking will need to be able to provide a progress report by that date. They will need to demonstrate that they have:
- Reviewed and updated the credit union's risk assessment;
- Talked to their vendor(s); and
- Put together a timeline for compliance in 2012.
With that in mind, CUNA's compliance team recommends that a credit union should:
Review and update risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Consider any: changes in the internal and external threat environment; changes in the member base adopting electronic banking; changes in the member functionality offered through electronic banking; and any actual incidents of security breaches, identity theft, or fraud experienced by the credit union or financial services industry.
Implement more robust controls for "high risk" transactions, which include the use of automated payment mechanisms (e.g., ACH, wire transfer) or offering online services for commercial accounts. The agencies recommend both layered security and multifactor authentication for business accounts because of the higher dollar amounts involved and the frequency of transactions.
Implement layered security programs at the transaction process level, based on the credit union's service operations and threat environment, to facilitate fraud detection and respond to suspicious activity. Layered security means that a weakness in one control, wherever it sits in the transaction process, can be compensated for by the strength of the other control layers. The layered security approach can significantly strengthen the overall security of an institution's Internet-based services, and has been shown to reduce money transfer fraud. The agency guidance provides several examples of controls that may be included in a layered security program.
Re-evaluate current authentication techniques to determine if they are still effective in today's online environment. Apparently, use of simple "cookies" for device identification and/or typical challenge questions (e.g., mother's maiden name, city where you were born, high school, etc.) just won't cut it anymore. More sophisticated authentication techniques are now available from many vendors, as described in the guidance.
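As an added illustration of the layered, risk-based approach described in the two points above (example code, not from the article, CUNA or the NCUA guidance): each control is evaluated independently, so a transaction that slips past a weak device check is still caught by the channel, amount and velocity layers. The transaction fields, dollar thresholds and decision rules are assumptions chosen for the example.

```python
# Added example (not from the article or the NCUA/FFIEC guidance): a layered,
# risk-based check for an online transaction. Each layer fires on its own, so
# a weakness in one layer is compensated for by the others; high-risk transfers
# (ACH, wire, business accounts) always require step-up authentication.
from dataclasses import dataclass
from typing import List

HIGH_RISK_TYPES = {"ach", "wire"}   # automated payment mechanisms
AMOUNT_STEP_UP = 2_500              # hypothetical threshold in USD

@dataclass
class Txn:
    member_id: str
    account_type: str   # "consumer" or "business"
    txn_type: str       # "ach", "wire", "billpay", "transfer"
    amount: float
    device_bound: bool  # strong device identification, not a bare cookie
    recent_count: int   # transfers by this member in the last 24 hours

def risk_layers(t: Txn, baseline_amount: float) -> List[str]:
    """Return the names of the control layers that fired for this transaction."""
    fired = []
    if t.txn_type in HIGH_RISK_TYPES or t.account_type == "business":
        fired.append("high_risk_channel")
    if not t.device_bound:
        fired.append("unrecognized_device")
    if t.amount > AMOUNT_STEP_UP or t.amount > 3 * baseline_amount:
        fired.append("out_of_pattern_amount")
    if t.recent_count >= 5:
        fired.append("velocity")
    return fired

def decide(t: Txn, baseline_amount: float) -> str:
    """Map fired layers to a decision: allow, step_up (out-of-band MFA) or hold."""
    fired = risk_layers(t, baseline_amount)
    if "high_risk_channel" in fired and len(fired) >= 3:
        return "hold"       # hold for fraud review and contact the member
    if fired:
        return "step_up"    # require out-of-band MFA before releasing funds
    return "allow"

if __name__ == "__main__":
    # Constructed sample transactions with a $200 historical baseline.
    for t in (Txn("m1", "consumer", "billpay", 50.0, True, 1),
              Txn("m2", "business", "ach", 500.0, True, 1),
              Txn("m3", "consumer", "wire", 9000.0, False, 6)):
        print(t.txn_type, risk_layers(t, 200.0), "->", decide(t, 200.0))
```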
Educate membership so all are aware of the steps the credit union is taking to protect them and the institution from cyber-crime, and let them know what they can do to protect themselves. Advise them of their Regulation E error resolution rights, and that the credit union may ask them to provide electronic banking credentials, implement suggested risk control mechanisms, and contact authorities when they become aware of suspicious activity.