By now everyone has at the very least completed their electronic banking risk assessment, and most institutions have probably gotten feedback from their primary examiner on their progress. So what’s next? Where should you focus your time and resources now? Or should you just wait to see where the regulators go next? Here are 3 reasons why I think customer education is the next logical step…and why you shouldn’t wait to address it.
- The updated guidance expects you to enhance the customer awareness program you already have in place. This is the first challenge, because many institutions I speak to don’t have a formal customer awareness program in place to enhance. They may have done some one-off training here and there, but nothing formal. Make training your customers in information security best practices just as important as training your employees. Make it a part of your policies, require annual participation, and document those that participate (and those that don’t).
- Customers are largely acknowledged as the least secure element in the electronic banking process. No amount of layered technical controls will eliminate this risk. Using sophisticated anomaly detection may allow you to quickly detect and respond to an incident, but prevention is far better, and there are no foolproof ways to stop someone from clicking, opening or downloading something they shouldn’t. Additionally, because your customers are probably from outside the financial industry, they have never been, and will never be, exposed to the same high level of constant security awareness as you and your employees are. Besides, doesn’t it just make sense to focus your resources on controls that have the lowest cost and highest degree of success? Awareness is the best preventive control.
- Future “commercially reasonable” legal interpretation may favor those institutions that go beyond bare minimum requirements. According to the judge’s opinion in a recent court case involving an account takeover, if and when the security procedures are deemed commercially reasonable, the burden then shifts to the customer (merchant) “…to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached.” So beyond simply addressing regulatory expectations, a formal customer awareness program may just be that little something extra that establishes “reasonableness” in the eyes of the court.
So what should your customer awareness program include? Here is a quick summary of minimum requirements based on the FFIEC guidance:
- Target both commercial and consumer customers. Focus on high-risk customers first, but then expand to everyone.
- Are Reg E protections applicable on their account? What are the implications if so, and if not?
- Under what conditions, if any, you might contact the customer and request their e-banking credentials. (Should be “never ever”, right?)
- Strongly suggest that they conduct their own risk assessment. Consider providing a simple checklist to get them started. The PCI Security Standards Council has some self-assessment checklists that you may find useful. Modify as needed.
- Unless you want the customer using you as their outsourced IT department, you should let them know where else to turn for support. Consider a partnership with a trusted local IT vendor.
- A list of your employees’ names, email addresses and phone numbers that they can use if they notice suspicious activity. Many security events happen off-hours. Can they reach you 24/7 if needed? And make sure emails are sent to multiple employees simultaneously so they won’t go unnoticed.
Microsoft has a very basic 10-question quiz:
The U.S. Chamber of Commerce also has resources to assist you:
Gladiator Technology has a service that addresses the customer awareness requirement, and provides an audit trail: http://www.profitstars.com/ProductBriefs/PSS_Gladiator_eCommercialSAT.pdf