I’ve gotten several inquiries about this since I last posted, so I thought I’d better address it. The new FFIEC authentication guidance requires you to conduct periodic risk assessments, and to apply layered controls appropriate to the level of risk. Transactions like ACH origination and interbank transfers involve a generally higher level of risk to the institution and the customer, and as such require additional controls. But here’s the catch…given the exact same product with the exact same capabilities, one customer’s normal activity is another customer’s abnormal. So defining normal is critical to identifying your abnormal, or “high-risk”, customers.
Most Internet banking software has built-in transaction monitoring or anomaly detection capabilities, and vendors that don’t are scrambling to add it in the wake of the guidance. As the guidance states:
“Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”
So automated anomaly detection systems can be a very effective preventive, detective and responsive control. But I think there is a very real risk that a purely automated system may not be enough, and may even make the situation worse in some cases. For one thing, any viable risk management solution must strike a balance between security and usability. A highly secure automated anomaly detection and prevention system may be so tightly tuned that it becomes a nuisance to the customer or a burden to the institution. Customers are already reluctant to accept any constraints on usability, even if they can be presented as in their best interest. And if your requirements are just a little bit more burdensome than your competitor’s, you risk losing the customer to them. Interesting paradox…you implement additional controls to protect them, and lose them to a (potentially) less secure competitor!
But another way a purely automated solution may not achieve the desired result is that it may actually lull the institution into a false sense of security. I’ve already heard this in my discussions with our customers…“My vendor says they will fully comply with the new guidance, so I’m counting on them.” And indeed the vendors are all saying “Don’t worry, we’ve got this…”. But do they? In at least one incident, transaction monitoring did not stop an account takeover because, according to the automated systems, the fraudulent transactions were all within the range of “normal”.
So what more should you do? One thing is to make sure that you don’t rely solely on your vendor to define “normal”. Just as with information security, you can, and (because of your reliance on the vendor) should, outsource many of the risk management controls. But since you cannot outsource the responsibility for transaction security, you must take an active role with your vendor by sharing responsibility for monitoring. One way to do this is to participate in setting the alert triggers. For example, a high volume of account inquiries may trigger an automated anomaly alert, but really doesn’t carry a high risk of loss. (However, it could be indicative of the early stages of an account takeover, so it shouldn’t be completely ignored either.) On the other hand, a slight increase in interbank transfers may not trigger an alert, but could carry a potentially large loss. Rank the capabilities of each product by risk of loss, and work with your vendor to set anomaly alerts accordingly.
Once you’ve established “normal” ranges for your products by capability, and set the anomaly triggers, your vendor should be able to generate reports for you showing deviations from normal for each product. The next step is to separately assess each customer that falls outside those normal ranges. Anomaly triggers for these customers should necessarily be set more tightly, and your vendor should be able to provide deviation reports for those as well. By regularly reviewing these reports you are demonstrating a shared security responsibility approach, and most of all, demonstrating an understanding of both the letter and spirit of the guidance.
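As an added illustration (not from this post, the guidance, or any vendor’s product), here is one way to score the two-level approach described above: a tolerance per capability ranked by risk of loss, then a tighter tolerance for customers whose own baseline already sits outside the product’s normal range. The customer names, weekly dollar figures and threshold values are constructed for the example.

```python
from statistics import mean, pstdev

# Alert tolerance in standard deviations from the customer's own baseline,
# ranked by risk of loss: inquiries are low-loss, interbank transfers are
# high-loss and therefore get the tightest trigger. Constructed values.
TOLERANCE = {"account_inquiry": 3.0, "ach_origination": 1.5, "interbank_transfer": 1.0}
TIGHTEN = 0.5  # applied to customers already outside the product's normal range
PRODUCT_SD = 1.0  # width of the product-level "normal" band, in standard deviations

# Constructed weekly history: capability -> customer -> weekly dollar totals
HISTORY = {
    "interbank_transfer": {
        "acme":   [1000, 1200, 900, 1100],
        "bolt":   [20000, 22000, 19000, 21000],
        "cobalt": [1050, 950, 1000, 1000],
    },
    "account_inquiry": {
        "acme":   [40, 45, 38, 42],
        "bolt":   [50, 48, 52, 50],
        "cobalt": [41, 39, 40, 40],
    },
}

def product_range(cap):
    """Normal range for one product capability: mean +/- PRODUCT_SD of customer means."""
    means = [mean(weeks) for weeks in HISTORY[cap].values()]
    m, sd = mean(means), pstdev(means)
    return m - PRODUCT_SD * sd, m + PRODUCT_SD * sd

def customer_tolerance(cap, cust):
    """Customers outside the product's normal range get a tighter trigger."""
    lo, hi = product_range(cap)
    tol = TOLERANCE[cap]
    return tol if lo <= mean(HISTORY[cap][cust]) <= hi else tol * TIGHTEN

def check_week(cap, cust, this_week):
    """Return (alert, z) for this week's total against the customer's own baseline."""
    base = HISTORY[cap][cust]
    m, sd = mean(base), pstdev(base) or 1.0  # constant history: fall back to unit sd
    z = (this_week - m) / sd
    return abs(z) > customer_tolerance(cap, cust), round(z, 2)

if __name__ == "__main__":
    for cap, cust, week in [("interbank_transfer", "acme", 1300),
                            ("account_inquiry", "acme", 48),
                            ("interbank_transfer", "bolt", 21300)]:
        print(cap, cust, week, check_week(cap, cust, week))
```

Note that a week of $1,300 in transfers and a week of 48 inquiries deviate from their baselines by a similar number of standard deviations, yet only the transfer alerts, because the trigger is ranked by risk of loss rather than by statistical surprise alone.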
Remember, although your vendor can help, “normal” transaction frequency and dollar amounts must be defined by you based on your understanding of the nature and scope of your on-line banking activities.