Are the Federal Financial Institutions Examination Council (FFIEC) authentication guidelines actually sufficient in today’s mobile first, digital world?

The last supplement on this topic was released in 2011 which is a lifetime in technology years. That guidance required banking institutions to put the following in place:

  • Risk Assessments
  • Customer Authentication for High-Risk Transactions
  • Layered Security Programs
  • Effectiveness of Certain Authentication Techniques
  • Customer Awareness and Education

The challenge for financial institutions, even with this guidance, is that digital banking and cyber-fraud both evolve rapidly. In 2011, Mobile Remote Deposit Capture (mRDC) was almost unheard of. Now the majority of banks either support mRDC or have plans to roll it out. It’s important that banks not only meet the FFIEC guidance but actually exceed it in order to stay a step ahead of today’s fraud.

Ongoing Risk of Data Breaches

Nothing illustrates the challenge faced by financial institutions more than data breaches. Every year millions of consumers have personal data stolen. Cybercriminals often use this information to take over bank or credit card accounts to commit more fraud. As data breaches continue to hit large corporations like Home Depot and Anthem, it becomes increasingly important to have a strategy in place that keeps fraudsters out of customer accounts. This strategy must also be carried out in a way that doesn’t negatively impact the user experience.

Know Your Customer

Banks must precisely balance the amount of fraud protection they have in place with the amount of friction it creates for the customer. This has become more challenging as the growing number of devices used to access accounts multiplies the channels that must be managed effectively. iovation has collaborated with financial industry leaders to develop additional layers of protection like device-based authentication (DBA) to help solve this issue. This frictionless second factor of authentication uses strong device recognition to go beyond what’s required in the FFIEC supplement. DBA uses a registration process that pairs customer devices to specific accounts in order to stay ahead of evasion techniques.

The two key elements included in the FFIEC’s recommendation on Layered Security Programs were:

  • Dual customer authorization through different access devices
  • Use of out-of-band verification

A Stronger Multi-layered Approach

DBA is the first line of defense in a multi-layered approach to fraud. It defends against account takeover starting at login. As outlined in the FFIEC supplement, fraudsters will always try to beat the system. With device recognition at the core of this authentication, it is much harder for fraudsters to commit account takeover and man-in-the-middle attacks.

Out of Band Verification

The FFIEC supplement also touched on the importance of out-of-band verification like a one-time password or tokens. Solutions like SMS as a one-time password are fairly common, but also increase friction for good users. DBA takes a more user-friendly approach by creating a private device identification to pair with an account. This helps financial institutions optimize multi-factor authentication strategies to maintain security while enhancing user experience. DBA also provides institutions a more scalable solution that can reduce expenditures on step-up authentication tools.
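As an added illustration (not iovation's code or any product's implementation), the following Python sketch shows the pairing-and-recognition flow that the Know Your Customer and Out of Band Verification sections describe: a device is paired to an account during a registration step, a recognized device satisfies the second factor silently at login, and an unrecognized device (or a high-risk transaction, following the layered-security recommendation) is routed to out-of-band step-up verification, after which the new device is paired. The account record, the credential format (random id plus 256-bit secret, with only a hash stored server-side), and the risk flag are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumption for the example: one account record holding its paired devices.
# The server keeps only sha256(secret), so a leaked database does not hand
# out a usable device credential.
@dataclass
class Account:
    username: str
    paired_devices: dict = field(default_factory=dict)  # device_id -> sha256(secret) hex


def hash_secret(secret: bytes) -> str:
    return hashlib.sha256(secret).hexdigest()


def pair_device(account: Account) -> Tuple[str, bytes]:
    """Registration step: mint a random device id and a 256-bit device secret.
    The pair is handed to the device (secure cookie, OS keychain, etc.);
    the server stores only the hash."""
    device_id = secrets.token_hex(16)
    device_secret = secrets.token_bytes(32)
    account.paired_devices[device_id] = hash_secret(device_secret)
    return device_id, device_secret


def device_recognized(account: Account, device_id: Optional[str],
                      device_secret: Optional[bytes]) -> bool:
    """Second factor: the presented credential must match a paired device.
    compare_digest keeps the check constant-time."""
    if device_id is None or device_secret is None:
        return False
    stored = account.paired_devices.get(device_id)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_secret(device_secret))


def login_decision(account: Account, password_ok: bool,
                   device_id: Optional[str] = None,
                   device_secret: Optional[bytes] = None,
                   high_risk_transaction: bool = False) -> str:
    """Layered decision: 'deny', 'allow', or 'step_up' (out-of-band verification).
    A known device on a routine action takes the frictionless path; anything
    else is pushed to step-up rather than refused outright."""
    if not password_ok:
        return "deny"
    if device_recognized(account, device_id, device_secret) and not high_risk_transaction:
        return "allow"
    return "step_up"


def complete_step_up(account: Account, otp_submitted: str,
                     otp_expected: str) -> Optional[Tuple[str, bytes]]:
    """After a successful out-of-band check (e.g. an SMS or token OTP, assumed
    to have been issued elsewhere), pair the new device so the next login on
    it is frictionless. Returns the device credential, or None on failure."""
    if not hmac.compare_digest(otp_submitted, otp_expected):
        return None
    return pair_device(account)


def revoke_device(account: Account, device_id: str) -> bool:
    """Let the customer or the fraud team un-pair a lost or suspicious device."""
    return account.paired_devices.pop(device_id, None) is not None


if __name__ == "__main__":
    acct = Account("alice")                       # constructed sample account
    print(login_decision(acct, True))             # new device -> step_up
    cred = complete_step_up(acct, "482913", "482913")  # constructed OTP values
    print(login_decision(acct, True, *cred))      # paired device -> allow
    print(login_decision(acct, True, *cred, high_risk_transaction=True))  # -> step_up
```

Two design points carry the security weight here: the device secret is high-entropy and never stored in the clear, so the pairing table is not itself an account-takeover shortcut, and step-up is the fallback for every path other than a recognized device on a routine action, which is what lets the institution add the second factor without adding friction for returning customers.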

As pointed out in FFIEC guidelines, financial institutions should not rely on a single solution to fight fraud. iovation combines multi-layered fraud prevention services with device-based authentication to stop account takeover and other fraud.

Additional Resource

Moving Beyond the FFIEC Guidelines