Online Banking Compliance Countdown
Snarky but insightful political satirist P.J. O'Rourke once said, "Giving money and power to government is like giving whiskey and car keys to teenage boys." I think we all felt the same way leading up to Aug. 2 as the debt ceiling crisis loomed with no meaningful, long-view answers presented from either side of the aisle. There was a lot of positioning and maneuvering, but what emerged was the American public's utter distaste for Congress, which received a 14 percent approval rating. One comedian smartly joked, "What happens when it is a zero approval rating?"
Credit unions, like all financial institutions, had to remain resolute despite the possible default. It seemed clear that a deal was going to be made, which made the 11th-hour countdown all the more pointless and frustrating as it sent fear and trepidation to Main Street and Wall Street, as well as world markets.
The Suitland, MD-based Andrews Federal Credit Union, for example, posted the following message on its website in the days leading up to the deadline: "Even if the federal government does not reach an agreement to raise the debt ceiling on August 2, 2011, all locations remain open, including military branches. In addition, please be assured that your deposits remain insured up to $250,000."
Across the nation credit unions received concerned calls and emails from members worried about personal and commercial accounts. An already rebounding economy was delivered another blow, making investing an enhanced challenge. Ultimately, a growing sense of distrust is apparent across political ideologies, so when government mandates are presented in any form, it can raise hackles.
This past spring I wrote about the Federal Financial Institutions Examination Council's update to its 2005 Authentication in an Internet Banking Environment. All financial institutions have to be in compliance with new regulations by January, which leaves little time for those dragging their heels. In talking with some analysts, not everyone is positioned for compliance, but there is still time, which is the reason I'm revisiting this issue.
Are You Prepared?
"Credit unions have been very reluctant to invest but with this Federal Financial Institutions Examination Council (FFIEC) compliance issue it becomes necessary," said Greg Schratwieser, president and CEO of International Consulting Inc., a bank and credit union consulting firm. "We are seeing a lot of activity as a result."
This is the sort of government interference we should applaud because it deals directly with fraud, an ever-present and growing problem with online banking that has shown improvement in recent years due to enhanced security measures. According to Javelin Strategy & Research's 2011 Identity Fraud Survey, in 2010 there were 3 million fewer reports of personal information for financial gain. Overall, businesses and consumers suffered $37 billion in losses because of card-related identity fraud in 2010, down from 2009's $56 billion, the report noted.
There are guidelines available online to determine if your credit union will be in compliance but it is recommended to connect with a third-party professional and together conduct a comprehensive assessment of the internal environment to identify potential security weaknesses and threats. Once this process is completed, goals and solutions should be set and periodic risk assessments performed to ensure security measures in place are performing at the highest level possible.
"This issue is such a hot topic because credit unions have to be compliant by January and this requires implementing new technologies, educating members and doing security assessments," Schratwieser said. "This is on the forefront of everyone's brain and this drives technology decisions."
Schratwieser is correct, as these technology-based security decisions are being made across the country in preparation for 2012. Take for example Vermont's Northern Lights Federal Credit Union, which recently added IronKey's Trusted Access for Banking, a secure browsing solution designed to prevent identity theft, payments fraud and online banking account takeover.
"Our focus is on protecting our customers online when they access their accounts or pay using Northern Lights credit and debit cards," said Rita St. Arnauld, CEO of Northern Lights FCU. "Now we can give our clients a portable secure browser that protects them even if their PC is infected with computer viruses or Trojans. And it gives them a way to make sure they are at the actual sites of top online merchants, not a copycat phishing site."
The software features Trusted Bookmarks, a safe Web browsing service that allows Northern Lights FCU to manage a "white list" of popular transaction-based websites that members can safely access via a detached secure browsing environment. Additionally, the software meets FFIEC guidelines and the FBI's recommendations for safe online banking.

Without enhanced security measures in place, trouble is certain. A recent report from the Anti-Phishing Working Group found that throughout the last year, more than 70,000 ZeuS variants were detected, with countless other malware going undetected. The report also noted that 25 percent of computers are infected with banking Trojans such as ZeuS and SpyEye, used by criminals to infiltrate bank accounts and steal millions from businesses and municipalities.
The FFIEC guidance, for example, suggests the use of USB devices "that increase session security when plugged into the customers' PC." This approach is effective because it "enables a secure link between the customer's PC and the financial institution independent of the PC's operating system and application software." IronKey CEO Arthur Wong noted, "The only commercially available product that fits this description completely is IronKey Trusted Access for Banking. Northern Lights is stepping ahead of its competition and demonstrates how credit unions are competing with new innovations and real value-add service to attract customers."
Another FFIEC recommendation is to replace conventional "challenge questions" such as mother's maiden name or city of father's birth, as they are considered easy to learn due to the information available online (social media). Instead, it is best to switch to "Out of Wallet" indicators (information generally not available in any public forum).
More Technology Solutions
Many technology companies have been working at developing software and services that will meet the call for enhanced financial security. Among this expanding group is the New York-based Finivation Software, which recently launched a voice biometrics solution, VoiceVerify, which is FFIEC compliant.
Finivation's CEO, Brian Bodell, explained that VoiceVerify was specifically designed for financial organizations so that they could verify a person's identity before they are granted access to sensitive information or allowed to conduct sensitive transactions, such as a wire transfer, external bank transfer or a password change.
"Voice biometrics' advantage over other biometric and security solutions is the fact that a person can be verified remotely, so it is perfect for the contact center as well as online and mobile banking," Bodell noted. "Users don't need any special hardware or software, and they don't need any training to use their voice."
This fall, the Phoenix-based Desert Schools Federal Credit Union is slated to be the first financial institution, credit union or otherwise, to implement the new software that is designed to help verify a person's identity remotely.
"Our primary focus is serving our members quickly and securely, and VoiceVerify will play an important role in continuing to meet that goal," said Gary Laieski, CIO for Desert Schools Federal Credit Union. "We plan to use VoiceVerify in several ways, initially for 24/7 password resets for online banking followed by out-of-band authentication for transfers. We also hope to leverage the technology to make it faster for members to authenticate in the contact center while simultaneously reducing the chance for social engineering, which members will certainly appreciate."
While the majority of the time fraud is an outside job, C-level executives need to have safeguards in place to police internal fraud. The most common departments within a credit union where fraud has occurred include loans, GL accounts, unauthorized use of corporate credit cards and procurement/purchasing.
Along with the companies mentioned above, researching the following organizations will help in your pursuit of achieving the highest level of security, which, again, should be an ongoing concern. Check out ActivIdentity, AuthenTec, Diversinet, DS3, Giesecke & Devrient, i-Sprint, Mi-token, NagraID, SafeNet, Symantec, Totaltexto, Technology Nexus, Vasco and Verisec. The aforementioned all adhere to guidelines put forth by the Initiative for Open AuTHentication (OATH) and its OATH Certification Compliance Program (OCCP). OATH is a leader in the collaboration of device, platform and application companies, as well as end-user customers of authentication technologies.
Moving forward, credit unions should have the behind-the-scenes technology initiatives underway. As the January date nears, member education via website and tutorials should be in place.
"Member education is fairly straightforward and easy to implement, and you can start that process in September and what you are doing is explain[ing] to them basically how to avoid online fraud. You are helping the members to help you," Schratwieser said. "Every credit union and bank in America has to have a plan in place and a strategy. It will be up to the FFIEC examiners to determine whether each organization has done an adequate job or not."