Unlike the PATCO ruling, a district court in Missouri has ruled in favor of the bank in an account takeover case brought by one of its commercial customers. This case was very similar to the PATCO case with one important exception, which I’ll discuss shortly. But it also raises some interesting questions that could impact […]
New cyber attack targeting small to medium-sized financial institutions
The FBI, in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), recently issued a fraud alert warning that criminals are using a multi-vector attack to compromise financial institution networks and initiate fraudulent wire transfers. The first thing that struck me about this attack is that […]
FDIC offers “Insight” on Mobile Banking
Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future. (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced […]
Online Transactions – Defining “Normal”
I’ve gotten several inquiries about this since I last posted so I thought I’d better address it. The new FFIEC authentication guidance requires you to conduct periodic risk assessments, and to apply layered controls appropriate to the level of risk. Transactions like ACH origination and interbank transfers involve a generally higher level of risk to […]
Risk Assessing Internet Banking – Two Different Approaches
One of the big “must do” take-aways from the updated FFIEC Authentication Guidance was the requirement for all institutions to conduct risk assessments. Not just prior to implementing electronic banking services, but periodically throughout the relationship if certain factors change, such as: changes in the internal and external threat environment, including those discussed in the […]
Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance
We’ve all now had a couple of weeks to digest the new guidance, and what has emerged is a clearer understanding of what the guidance requires…and what it doesn’t. But before we can begin to formulate the specific compliance requirements, we have to interpret what the guidance is actually saying…and what it isn’t. And along […]
Final FFIEC Authentication Guidance just released
Well, after much anticipation and speculation we finally have the updated FFIEC guidance, and there doesn’t appear to be anything radically new here that would justify waiting an additional 6 months. At the very least I thought we might see some changes in the Effectiveness of Certain Authentication Techniques section, or in the Appendix (Threat […]
Mythbusting on-line security
As I write this (2/2011), we are expecting updated guidance from the FFIEC any day on on-line authentication and security. It is way overdue, as the last release was way back in 2005. It is supposed to address the changes in the security landscape since then, and hopefully it will even raise the bar a […]
Top 5 Compliance Trends for 2011 – Part 5
As I write this, the only case of a bank suing a merchant over account takeover losses to go to trial is awaiting the jury’s decision. The result may redefine the liability, and by definition the roles and responsibilities, of both the financial institution and the merchant when it comes to securing electronic transactions. It […]
FFIEC to issue updated authentication guidance?
I’ve been hearing this rumor for a while now, but we may actually be seeing something new from the FFIEC soon. Gartner is the latest to suggest