Pub. 6 2011-2012 Issue 5

January/February 2012

but rather should institute a system of periodic risk assessments, layered security, and other controls as appropriate. The supplement updates the focus on multifactor authentication methods, emphasizing a layered security program that is commensurate with the risk associated with the products and services offered.

Risk Assessments. The supplement stresses the need to perform periodic risk assessments and to adjust customer authentication controls in response to new threats to customers’ online accounts. Risk assessments should be updated as new information becomes available and when new electronic financial services are implemented, or at least every 12 months. Updated risk assessments should consider, among other things: (a) changes in the internal and external threat environment, (b) changes in a bank’s electronic banking customer base or electronic banking functionality, and (c) actual incidents of security breaches, identity theft, or fraud experienced by the bank or the industry. Banks should document any adjustments made and the reasons for them.

Customer Authentication for High Risk Transactions. Banks are directed to assess the risk in the types of electronic banking transactions offered and to implement more robust controls as the risk level of the transaction increases. The FFIEC considers consumer transactions lower risk because they are less frequent and involve lower dollar amounts than commercial transactions (frequent wire transfers of larger dollar amounts). Because of the increased risk, layered security, including multifactor authentication, is recommended for commercial customers.

Layered Security Program. Layered security is characterized as different controls at different points in a transaction process, so that a weakness in one is compensated for by the strength of another. The supplement stresses the need for layered security programs to strengthen the overall security of high risk online services, protect sensitive customer information, prevent identity theft, and reduce financial losses.[5] At minimum, layered security should include anomaly detection and response at (a) customer login and (b) initiation of funds transfers to other parties. The FFIEC specifically notes that in many cases of online banking fraud, the fraud could have been prevented, because the wire transfers originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.

The types of controls noted in the supplement as effective controls in a layered security program include, without limitation:

• fraud detection and monitoring systems that include consideration of customer history and behavior and that enable timely and effective bank response;

Cyber Fraudsters — continued on page 14
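The two minimum control points above, anomaly detection at customer login and at initiation of a funds transfer, can be made concrete with a small scoring layer. The following is an added example written for this page; it is not code from the FFIEC supplement or from the newsletter. The customer history, the device and geolocation fields, the amount ceiling (the larger of the historical maximum and mean plus three standard deviations), the velocity rule, and the mapping of anomalies to "allow", "step-up" and "hold" are all assumptions chosen for illustration.

```python
"""Toy anomaly-scoring layer for online-banking logins and funds transfers.

Added illustration for this page, not FFIEC or newsletter code. The
history, thresholds and response actions below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Login:
    device_id: str   # browser/device fingerprint (assumed to be collected)
    country: str     # geolocation of the source address
    hour: int        # local hour of day, 0-23


@dataclass(frozen=True)
class Transfer:
    amount: float    # dollar amount
    payee: str       # beneficiary identifier
    hour: int        # local hour the transfer was initiated
    day: int         # day index, used only for the velocity check


# Constructed 30-day history for a small commercial customer: twice-monthly
# payroll, a weekly vendor payment, a second vendor, daytime logins.
HISTORY_LOGINS = [Login("laptop-01", "US", h) for h in (8, 9, 10, 14, 16)] + [
    Login("phone-02", "US", 12)
]
HISTORY_TRANSFERS = [
    Transfer(12000.0, "PAYROLL-ACH", 9, 1), Transfer(12000.0, "PAYROLL-ACH", 9, 15),
    Transfer(2500.0, "VENDOR-A", 10, 3), Transfer(2500.0, "VENDOR-A", 10, 10),
    Transfer(2500.0, "VENDOR-A", 10, 17), Transfer(2500.0, "VENDOR-A", 10, 24),
    Transfer(4100.0, "VENDOR-B", 14, 8), Transfer(4100.0, "VENDOR-B", 15, 22),
]


def build_profile(logins, transfers):
    """Summarise the customer's established pattern of behaviour."""
    amounts = [t.amount for t in transfers]
    per_day = Counter(t.day for t in transfers)
    avg = mean(amounts) if amounts else 0.0
    sd = pstdev(amounts) if len(amounts) > 1 else 0.0
    return {
        "devices": {l.device_id for l in logins},
        "countries": {l.country for l in logins},
        "login_hours": {l.hour for l in logins},
        "payees": {t.payee for t in transfers},
        "transfer_hours": {t.hour for t in transfers},
        # Ceiling: larger of the historical maximum and mean + 3 sigma, so a
        # routine large payroll run does not trip the amount check.
        "amount_ceiling": max(max(amounts, default=0.0), avg + 3 * sd),
        "daily_max": max(per_day.values(), default=0),
    }


def score_login(profile, login):
    """Control point (a): anomalies at customer login."""
    reasons = []
    if login.device_id not in profile["devices"]:
        reasons.append("unknown device")
    if login.country not in profile["countries"]:
        reasons.append("new country")
    if login.hour not in profile["login_hours"]:
        reasons.append("unusual login hour")
    return reasons


def score_transfer(profile, transfer, same_day_transfers=()):
    """Control point (b): anomalies at initiation of a funds transfer.

    same_day_transfers: transfers already initiated today, so a burst of
    individually ordinary payments is still caught.
    """
    reasons = []
    if transfer.payee not in profile["payees"]:
        reasons.append("new payee")
    if transfer.amount > profile["amount_ceiling"]:
        reasons.append("amount above established ceiling")
    if transfer.hour not in profile["transfer_hours"]:
        reasons.append("unusual transfer hour")
    if len(same_day_transfers) + 1 > profile["daily_max"]:
        reasons.append("velocity above historical daily maximum")
    return reasons


def decide(reasons):
    """Layered response (assumed policy): allow, require an additional
    out-of-band factor, or hold and confirm through a known channel."""
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "step-up"
    return "hold"


PROFILE = build_profile(HISTORY_LOGINS, HISTORY_TRANSFERS)

if __name__ == "__main__":
    # Ordinary session versus an account-takeover pattern: unknown device,
    # new country, 3 a.m., large wire to a never-seen beneficiary.
    for login, transfer in (
        (Login("laptop-01", "US", 9), Transfer(2500.0, "VENDOR-A", 10, 31)),
        (Login("unknown-7f", "RO", 3), Transfer(48000.0, "MULE-7731", 3, 31)),
    ):
        l, t = score_login(PROFILE, login), score_transfer(PROFILE, transfer)
        print(f"login: {decide(l)} {l} | transfer: {decide(t)} {t}")
```

The point of scoring at both control points separately is the one the supplement makes: a stolen credential that passes login cleanly still has to initiate a transfer that fits the customer's own history, and a transfer to a new payee for an amount outside the established ceiling is exactly the pattern the FFIEC describes as preventable. In a production system the response for "hold" would be an out-of-band call-back to a number on file, not an in-session prompt the attacker also controls.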
