The rules require banks to apply the same anti-fraud measures used for bank websites to mobile devices. They also include surprisingly frank descriptions of the big risks inherent to any mobile or online bank transaction.
The guidance “really raises the bar in terms of the expectations regulators have for banks in terms of protecting consumers and businesses from fraud,” says Jeff Kopchik, senior policy analyst in the risk management division of the FDIC. You can see the new guidelines here.
The FFIEC is an obscure little agency with a big job: Making sure that rules passed by all federal bank regulators on important topics like credit cards, mortgages and other financial products all mesh with one another. In this case, six different agencies that monitor banks, credit unions, Wall Street investment houses and other financial institutions all have their own requirements to protect consumers from fraud.
The council’s ruling sets the floor for all the other agencies’ rules. It updates rules first created in 2005 to regulate online transactions, requiring financial institutions to regularly review and update their fraud monitoring systems. It also requires banks to use multiple methods to verify account holders’ identities in high-risk transactions.
What’s eye-opening here is the council’s definition of a high-risk transaction: “i.e., electronic transactions involving access to customer information or the movement of funds to other parties.”
Did you catch that? By the regulators’ standard, every single online or mobile transaction poses a high risk of fraud, since every one requires access to customer information.
The regulators also confirm something that we at Credit.com have been pointing out for years: If important information is being exchanged, someone will figure out a way to steal it.
“Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security,” according to the rules.
Under the new guidelines, banks can no longer rely on their old way of authenticating account holders’ identities, which relies primarily on matching a user’s name and password to a cookie on their computer that recognizes them as a bank customer.
“In the last six years, hackers have figured out how to completely subvert that,” Kopchik says.
Instead, banks will have to employ layers of identity authentication at different steps of the online and mobile banking process. Customers will have to follow one process to log in, and then give additional information to authorize funds transfers and other risky transactions.
On the back end, the new rules require banks to look for anomalies that could indicate fraud. For example, that could mean flagging a transaction in which a customer who normally pays $10,000 a month to five different vendors suddenly pays $100,000 to a completely new vendor. Banks would be required to have some system in place to make sure that account has not been taken over, something credit card companies have been doing on their own for years, Kopchik says.
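The back-end anomaly check described above can be made concrete with a small example. The following Python is an added illustration, not code from Credit.com, the FDIC or the FFIEC guidance: it builds a per-customer monthly baseline and a set of known payees from past payments, then flags a candidate payment that goes to a never-seen payee for a large share of the usual monthly outflow, or that by itself dwarfs the monthly baseline. The thresholds (`new_payee_ratio`, `burst_ratio`), the `Payment` layout and the sample history are all constructed assumptions.

```python
"""Transaction anomaly check illustrating the rule described in the article.

Added example, not code from Credit.com or the FFIEC guidance. The
threshold values, the data layout and the sample transactions are all
assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    when: date
    payee: str
    amount: float


def monthly_baseline(history):
    """Average total outflow per calendar month over the customer's history."""
    totals = defaultdict(float)
    for p in history:
        totals[(p.when.year, p.when.month)] += p.amount
    return sum(totals.values()) / len(totals) if totals else 0.0


def assess(history, candidate, new_payee_ratio=0.25, burst_ratio=5.0):
    """Return the reasons a candidate payment looks anomalous.

    Two signals, both assumed definitions of "anomaly" for this example:
      - new_payee: payee never seen before and the amount is at least
        new_payee_ratio of the customer's usual monthly outflow;
      - burst: the amount alone is at least burst_ratio times the baseline.
    An empty list means the payment fits the customer's usual pattern;
    a customer with no history cannot be baselined and is reported as such.
    """
    baseline = monthly_baseline(history)
    if baseline == 0.0:
        return ["no_history"]
    reasons = []
    known_payees = {p.payee for p in history}
    if candidate.payee not in known_payees and candidate.amount >= new_payee_ratio * baseline:
        reasons.append("new_payee")
    if candidate.amount >= burst_ratio * baseline:
        reasons.append("burst")
    return reasons


# Constructed sample history: six months of $10,000 per month, $2,000 to each
# of five regular vendors, mirroring the article's scenario.
VENDORS = ["Acme Supply", "Bolt Freight", "City Power", "Delta Rent", "Eagle Telecom"]
HISTORY = [
    Payment(date(2021, month, 5 + i), VENDORS[i], 2000.0)
    for month in range(1, 7)
    for i in range(5)
]

# Constructed candidate payments: one routine, one matching the article's example.
NORMAL = Payment(date(2021, 7, 6), "Bolt Freight", 2100.0)
SUSPECT = Payment(date(2021, 7, 6), "Zeta Holdings Ltd", 100000.0)

if __name__ == "__main__":
    for p in (NORMAL, SUSPECT):
        print(f"{p.payee:20s} {p.amount:>10.2f}  {assess(HISTORY, p) or 'ok'}")
```

Run on the constructed data, the routine payment returns no reasons, while the $100,000 payment to a new payee is flagged for both signals. In practice the flags would feed the step-up authorization the guidance calls for, rather than block the payment outright, and the ratios would be tuned per customer segment.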
Moving forward, the council will continue to study new technology and the ways that hackers and identity thieves can manipulate it. That means banks and consumers can probably expect a new round of security rules in the next few years.
“Six years is an eternity” in the world of anti-fraud technology, Kopchik says.
Image: Serhat Demir, via Flickr