Federal agency issues new security rules for financial institutions

Feds want 'layered security' and fraud monitoring to better protect against cybercrime

The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of "layered security" and fraud monitoring to better protect against cybercrime.

It's the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services today focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions.

MORE ON SECURITY: Smartphones and tablets create huge corporate security challenge

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of "layered security" and fraud monitoring to better protect against cybercrime.

It's the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services today focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions.

MORE ON SECURITY: Smartphones and tablets create huge corporate security challenge

"The agency recommends that institutions offer multi-factor authentication to their business customers," the FFIEC guidance of today states.

The FFIEC also instructs banks and financial institutions to focus their network defense on layered security protections that involve fraud monitoring; use of dual customer authorization through different access devices; the use of out-of-band verification; and the use of "positive pay," debit blocks and other technologies to appropriately limit the transactional use of the account.

The FFIEC guidelines also tell financial institutions they must use "two elements at a minimum" as "process designed to detect anomalies and effectively respond to suspicious and anomalous activity." The fraud-detection processes must include:

- initial login and authentication to customers requesting access to the institution's electronic banking system, and

- initiation of electronic transactions involving the transfer of funds to other parties.

Since 2005 when the FFIEC, on behalf of other federal government agencies with regulatory oversight of banks, issued its initial guidelines, banks have moved to deploy some different types of two-factor authentication more broadly.

The new guidance is more specific, and the FFIEC says that's because cybercrime against the banking industry and its customers is worse now.

"Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customer accounts," the FFIEC says.

Gartner analyst Avivah Litan offered both praise and criticism of the federal government guidance.

“It clearly delineates between the risks associated with consumer vs. business banking,” said Litan. “The last guidance did not do this and many in the industry incorrectly assumed it was mainly directed towards consumer accounts.” She praised the fact that the FFIEC guidance points to process changes to mitigate risk, including use of ‘positive pay’ and dual customer authorization. Many other aspects, including the need for layered security systems and considerations for updating risk assessments were important for the banking industry to hear, she said. But she adds the guidance “still falls short” in some areas.  “There is nothing in the guidance that specifically addresses the needs and requirements of small banks (which constitute over 80% of the U.S. bank population in terms of number of institutions) that rely on third-party service providers for online banking and online banking security. Where’s the guidance for them?”