Pub. 6 2011-2012 Issue 5

www.nebankers.org 12 Extraordinary Service for Extraordinary Members. T HIS REALITY HAS CREATED AN OP- portunity for criminals to steal online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance, espe- cially in banking. In response to the increasing threat of fraud in online banking, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement to Authentication in an Internet Bank- ing Environment on June 28, 2011. 1 The supplement updates the Oct. 12, 2005, FFIEC guidance entitled Authentication in an Internet Bank- ing Environment. 2 Both the guidance and the supplement outline recom- mended security measures banks may implement to enhance their ability 2012 Security Measures for Combating Cyber Fraudsters Jeff Makovicka , Husch Blackwell LLP COUNSELOR’S CORNER to authenticate the identity of online banking users and prevent fraud. Be- cause “[t]he agencies are concerned that customer authenticationmethods and controls implemented in con- formance with the [guidance] have become less effective,” the supplement further reinforces the security frame- work described in the guidance and updates the supervisory expectations regarding customer authentication, layered security, and other controls in the online environment. Courts considering the guidance (pre-supplement) suggest that the supplement may establish the new minimum standard against which banks are held legally responsible for claims that a bank has breached its duty to protect customer accounts and information. As a result, banks should review and update their authentication procedures and online banking forms to comply with the guidance as updated by the supplement. 3 Online Fraud Rising Banks currently face a growing threat from cyber criminals (or, as the supplement affectionately calls them, “fraudsters”) employing sophisticated techniques to perpetrate deposit ac- count “takeovers” and transfer funds, often to criminal accounts overseas. In testimony before a subcommittee of the House Financial Services Commit- tee in September 2011, the assistant director of the FBI’s Cyber Division stated the FBI is currently investigat- ing more than 400 reported cases of corporate account takeovers involving in excess of $255 million in attempted theft and approximately $85million in actual losses. 4 Supervisory Expectations. The supplement outlines the supervisory expectation that banks should not rely solely on any single control for authen- ticating online banking transactions, including “high risk transactions” (i.e., electronic transactions involving access to customer information or the movement of funds to other parties), Commercial transactions are increasingly conducted online without any face-to-face interaction and without the traditional safeguards used to confirm that a party is who they claim to be.