Are All “High-Risk” Transactions Created Equal?
How to Minimize FFIEC Exam Pain
Lee Wetherington, AAP (@leewetherington)
Agenda
• New Supplement to FFIEC Guidance
  – Key Points; “Intelligent Layering”
• High-Risk Transactions
  – Letter vs. Spirit of the Law
  – The Truth about Santa & Remote Deposit Fraud Risk
• From the Horse’s Mouth (Regulators/Examiners)
  – The Bottom Line on “High-Risk” and Compliance
• What to Do Next
  – Payments Risk Assessment; Rating Transaction Type Risk
Supplement to FFIEC Guidance
FFIEC Guidance Documents
• August 2001: Authentication in an Internet Banking Environment
  – http://www.ffiec.gov/PDF/pr080801.pdf
• October 2005: Authentication in an Internet Banking Environment – Update
  – http://www.ffiec.gov/pdf/authentication_guidance.pdf
• January 2009: Risk Management of Remote Deposit Capture
  – http://www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf
• June 2011: Supplement to Authentication in an Internet Banking Environment
Key Points
• Banks must:
  – Perform periodic risk assessments
  – Educate customers about fraud
  – Implement “layered security” systems (intelligently)
  – Mitigate fraud risks related to “high-risk” transactions
• “High-risk” transactions:
  – Carry non-public personal information or move funds
• Risk and remote deposit capture:
  – Technically, remote deposit items are “high-risk” transactions
  – Examiners see RDC as less risky than ACH credits and wires
• Your response must be based on your own risk assessment!
“High-Risk”
“…electronic transactions involving access to customer information or the movement of funds to other parties.”
Can you think of an electronic transaction that doesn’t involve access to customer
“High-Risk” Defined
• “…electronic transactions involving access to customer information or the movement of funds to other parties.”
  – More customers are conducting online transactions
  – Not every online transaction poses the same level of risk
“High-Risk” vs. “Higher-Risk”
“…electronic transactions involving access to customer information or the movement of funds to other parties.”
• All online transactions are defined as “high-risk,” but some are higher than others
• The rating should NOT be based solely on retail vs. business
• Does Reg E apply?
  – Retail (consumer) transactions carry a higher risk of loss to the bank (regulatory: Reg E limits the consumer’s liability for unauthorized transfers, so the loss falls on the bank)
  – Commercial accounts are not covered by Reg E, but still carry a greater risk of financial loss (legal)
The Truth About RDC Fraud Risk
The Truth about Remote Deposit Risk
• While over 13% of checks are remotely deposited, RDC items comprise only 0.01% of the check fraud reported to FinCEN between 2005 and 2011.
• There were “no real differences in the various fraud and money laundering schemes perpetrated through the RDC check deposit channel when compared with the check deposits completed through more traditional means.”
• “Overall, RDC-related filings have been minimal.”
A Framework for Layered Security
Layered Security
• According to the guidance, “layered security” is:
  – Multiple fraud prevention measures
  – Placed at different points in the transaction process
  – Deployed in a manner so that weaknesses in one measure will be compensated for by other measures
• To understand layered security, you must understand how three components interact:
  – The transaction process
  – Threat categories
  – Security measures
The Transaction Process
• These steps are required to create/process transactions:
  1. A user logs in
  2. The user submits/authorizes one or more transactions
  3. The financial institution reviews and processes the transactions
• The FFIEC also includes administration activities, like setting up users and configuring the system
• Together, these steps make up the “transaction process”
• These steps are the “layers” on which your security measures will be deployed
Threat Categories
• Account Takeover
  – Fraud committed by external users who gain access to the system with credentials stolen via phishing, malware, social engineering, etc.
• Trusted Entity Theft
  – Fraud committed by legitimate users (FI employees, merchants, merchant employees, consumers) who “go bad”
• Session Manipulation
  – Fraud committed by users or programs that “hijack” legitimate user sessions and/or modify session data
Threats: Man-in-the-Middle (MITM)
• Normally, the user connects via the Internet directly to the online banking site
• In a MITM attack, fraudsters set themselves up as a proxy between the user and the site in order to:
  – Steal credentials for use in a future account takeover
  – Hijack the user’s session to create their own parallel session
  – Manipulate transaction data sent in the legitimate session
Threats: Man-in-the-Browser (MITB)
• During a Man-in-the-Browser (MITB) attack, malware installed in the user’s browser may:
  – Steal credentials and deliver them to the fraudster for later use in account takeover attacks
  – Capture session data that allows the launch of a parallel session
  – Manipulate routing/transit (RT) and account number data during the session, so the user sees the payee they entered while the bank receives the fraudster’s
Why Are MITM & MITB So Dangerous?
• MITM and MITB can defeat:
  – One-time password tokens
  – Browser cookies
  – Picture or text on the website (site-authentication images)
  – IP geo-location
  – Device fingerprinting
  – Phone or email out-of-band authentication
  – Virtual keyboards
• Why: every one of these authenticates the session or the device, not the individual transaction. Malware that already sits inside an authenticated session inherits all of them and can still alter the payee or amount after the user has passed each check. Out-of-band confirmation is only an exception when the customer is shown the actual transaction details (payee and amount) on the separate channel and confirms those, rather than just a login code.
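The distinction between authenticating a session and authenticating a transaction is the whole reason the list above is so long. The following is an added example (not from the presentation and not any vendor’s product) that models it end to end: a hardware-style one-time password that the real user enters at login, browser malware that rewrites the RT/account number after the form is filled in, and a bank that either trusts anything the authenticated session sends or demands an out-of-band confirmation code bound to the exact details it received. The secrets, the HMAC-based confirmation code, and the payee and mule account numbers are constructed assumptions for the demo.

```python
"""Added example: session-level OTP vs. transaction-bound out-of-band
confirmation against a man-in-the-browser.  All keys, account numbers and the
HMAC confirmation scheme are illustrative assumptions, not a real product."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    payee_rt: str          # routing/transit number of the receiving bank
    payee_account: str
    amount_cents: int

    def canonical(self) -> bytes:
        return f"{self.payee_rt}|{self.payee_account}|{self.amount_cents}".encode()


class MitbMalware:
    """Lives inside the victim's browser and rewrites the payee after the user
    has filled in the form, so every session-level check has already passed."""

    def __init__(self, mule_rt: str, mule_account: str):
        self.mule_rt, self.mule_account = mule_rt, mule_account

    def rewrite(self, t: Transfer) -> Transfer:
        return Transfer(self.mule_rt, self.mule_account, t.amount_cents)


class Bank:
    def __init__(self, otp_secret: bytes, oob_secret: bytes):
        self.otp_secret, self.oob_secret = otp_secret, oob_secret
        self.sessions, self.pending = set(), {}

    def current_otp(self) -> str:
        # Stand-in for a hardware token value; derived deterministically for the demo.
        return hashlib.sha256(self.otp_secret).hexdigest()[:6]

    def login(self, user_otp: str) -> Optional[str]:
        if hmac.compare_digest(user_otp, self.current_otp()):
            sid = secrets.token_hex(8)
            self.sessions.add(sid)
            return sid
        return None

    # Weak: any transfer arriving on an authenticated session is accepted as-is.
    def submit_session_only(self, sid: str, t: Transfer) -> bool:
        return sid in self.sessions

    # Stronger: the bank challenges over the details it actually received, and
    # the customer must confirm exactly those details on a separate device.
    def challenge(self, sid: str, received: Transfer) -> Tuple[str, Transfer]:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (sid, received)
        return nonce, received

    def expected_code(self, nonce: str, t: Transfer) -> str:
        return hmac.new(self.oob_secret, nonce.encode() + t.canonical(), hashlib.sha256).hexdigest()[:8]

    def submit_bound(self, sid: str, nonce: str, code: str) -> bool:
        if sid not in self.sessions or nonce not in self.pending:
            return False
        _, received = self.pending.pop(nonce)
        return hmac.compare_digest(code, self.expected_code(nonce, received))


class CustomerPhone:
    """Out-of-band device sharing a secret with the bank (assumption).  It signs
    only what the customer intended, and only if the bank shows the same details."""

    def __init__(self, oob_secret: bytes):
        self.oob_secret = oob_secret

    def confirm(self, nonce: str, shown: Transfer, intended: Transfer) -> Optional[str]:
        if shown != intended:
            return None  # the customer sees a payee they never entered and declines
        return hmac.new(self.oob_secret, nonce.encode() + shown.canonical(), hashlib.sha256).hexdigest()[:8]


def run_scenario(bind_to_transaction: bool, tampered: bool = True) -> bool:
    """Return True if the bank accepted the transfer it received."""
    bank = Bank(b"demo-token-seed", b"demo-oob-seed")            # constructed secrets
    phone = CustomerPhone(b"demo-oob-seed")
    malware = MitbMalware("021000021", "9999999999")              # constructed mule account
    intended = Transfer("011000015", "123456789", 500_000)        # constructed: $5,000 to a supplier
    sid = bank.login(bank.current_otp())                          # the real user passes the OTP check
    received = malware.rewrite(intended) if tampered else intended
    if not bind_to_transaction:
        return bank.submit_session_only(sid, received)
    nonce, shown = bank.challenge(sid, received)
    code = phone.confirm(nonce, shown, intended)
    # If the phone declined, the best the malware can do is send a made-up code.
    return bank.submit_bound(sid, nonce, code or "00000000")


if __name__ == "__main__":
    print("session-only OTP, tampered transfer accepted:", run_scenario(False))
    print("transaction-bound OOB, tampered transfer accepted:", run_scenario(True))
    print("transaction-bound OOB, untampered transfer accepted:", run_scenario(True, tampered=False))
```

The same structure applies to a MITM proxy: it can relay the login OTP, but a code computed over the payee and amount the bank actually holds is useless for any other payee, and a customer who is shown the mule account on the separate channel will not produce one.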
Threats and the Transaction Process
• Each type of threat attacks one or more points in the transaction process
• Your risk assessment should identify how threats attack the process used by each type of transaction
• This will dictate how security should be deployed
Security Measures
• MFA: Adaptive Authentication/Tokens
• IP Address Whitelisting
• Day/Time Controls
• Security Alerts
• User Permissions and Limits
• Dual Control
• Duplicate Detection
• Merchant Velocity/Daily Amount Limits
• History/Reporting
• Transaction Review
• Payments Dashboard
• New Recipient Validation
• Transaction Monitoring with Anomaly Detection
Example: ACH Account Takeover (Transaction Type: ACH; Threat: Account Takeover)
• Environment Protection
• MFA: Adaptive Authentication/Tokens
• IP Address Whitelisting
• User Permissions and Limits
• Dual Control
• Merchant Velocity/Daily Amount Limits
• Processing Alerts
• New Recipient Validation
• Transaction Monitoring with Anomaly Detection
• History/Reporting
• Transaction Review
Example: Trusted Entity Theft (Transaction Type: Remote Deposit; Threat: Trusted Entity Theft)
• Duplicate Detection
• Dual Control
• Merchant Velocity/Daily Amount Limits
• History/Reporting
• Payments Dashboard
• Transaction Monitoring with Anomaly Detection
• Keying/Balancing
• Processing Alerts
A Layered Security Example: Session Manipulation (Transaction Type: ACH)
• Environment Protection
• IP Address Whitelisting
• User Permissions and Limits
• Dual Control
• Merchant Velocity/Daily Amount Limits
• Processing Alerts (ACH Client)
• New Recipient Validation
• Transaction Monitoring with Anomaly Detection
Layered Security: Administrative
• MFA: Tokens
• Security Alerts
• Dual Control
• Transaction Monitoring with Anomaly Detection
A Framework for Layered Security
•
Using this approach, banks can demonstrate
From the Horse’s Mouth
Examiner Ex Cathedra (What He Said)
• RDC transactions are not as “high-risk” as ACH/wires.
• The bank’s payments risk assessment and customer education are key to the rigor of the exam.
  – Examiners will key off the assessment (even if the assessment is wrong and classifies all transactions as equally “high-risk”).
• Banks can make the case that certain low-volume ACH/wire customers could be considered “moderate” risk if transaction limits/ceilings are in place and those ceilings are commensurate with the FI’s risk tolerance (size of bank, capital strength, liquidity, assets, etc.).
• For small banks with very limited numbers of payments customers, the examiner recommends “low-tech” authentication on high-risk transactions, e.g., call backs, fax confirmations, even text message confirmations.
Examiner Ex Cathedra, cont’d
• To simplify, instead of separate risk assessments for FFIEC, IT, GLBA, and RDC, banks should:
  – (1) Combine their IT/GLBA assessments into one, and
  – (2) Combine RDC, ACH, wires, and any other payment services into one “enterprise-wide payments risk assessment” that designates each payment type’s risk (high, moderate, low) and justifies the FI’s risk tolerance across all of them (a risk tolerance that should be explicitly approved by the FI’s Board).
• Examiners will not favor one anomaly detection solution over another.
Demonstrate that You’re Minding the Store
The Risk Management Process
1. Risk Identification - Identify the assets to be protected, or the sources of risk. To properly identify risks, a bank must recognize and understand existing risks or risks that may arise from new business initiatives. Risk identification should be a continuing process.
2. Risk Assessment - Identify threats and vulnerabilities to assets, evaluate the threat impact, and prioritize.
  • Output: inherent risk
3. Risk Management - Apply controls designed to:
  • Avoid/Eliminate
  • Reduce
  • Transfer
  • Retain (acceptable or residual risk)
Inherent vs. Residual Risk
• Inherent risk – the risk prior to the application of controls
  – Subjective, but based on objective criteria
  – Must be determined before controls are applied
• Residual risk – the risk remaining after the application of controls
  – The “acceptable” risk
  – Also subjective
Risk Sources: Product Capability
• Basic Account Access
• Bill Payment
• Intrabank Transfers
• Interbank Transfers
• ACH Origination
• Wire Transfer
• Mobile Access
• Remote Deposit Capture
Risk Controls
• Anomaly Detection and Response (manual or automated)
  o Volume, Time-of-Day and Dollar Amount Thresholds
• Dual Authorization / Dual Control
• Multi-factor Authentication
• Out-of-Band Verification
• Positive Pay, Debit Blocks (white lists)
• IP Blocks (black lists)
• Enhanced customer account maintenance controls
• Manual FI Transaction Approval
• Customer Education
• On-site Assessments
Demonstrate that You Aren’t Complacent
Evolution of Risk: Remote Deposit
• Right now, most banks rely on client risk management (eligibility):
  – Difficult to qualify for RDC
  – Pay little attention to deposits once onboarded
• Mainstreaming RDC will require a different approach:
  – Easier to qualify for RDC
  – Use deposit monitoring tools to control risk
The Payments Risk Assessment
“Right-sizing” Risk
“Right-sizing” Risk, cont’d
Commercial OLB Risk Assessment (example worksheet)
Internet Based Financial Transaction Types: ACH Transfers, Wire Transfers, Mobile Banking, Remote Deposit Capture
Reasonably Foreseeable Internal and External Threats and Vulnerabilities to the Information Asset: Cyber-criminal attacks such as phishing, social engineering, interception of transaction data, and stolen data, resulting in corporate account takeover and identity theft
Likelihood of Occurrence (how likely is this threat to occur without appropriate security controls in place?): Medium
Potential Damage (if the threat resulted in a security breach, what kind of damage would result?): Loss of funds; identity theft
Inherent Risk (Likelihood of Occurrence × Potential Damage): Medium
Residual Risk (remaining risk: acceptable, or unacceptable/unmanaged; explain the detail in the mitigation strategy): Acceptable
Controls in place to (P)revent and (D)etect Fraud:
• (P) Business employees educated on use of the application(s), IT security standards and best practices, common fraud schemes, and procedures for contacting the FI in case of a suspected security incident
• (P) Segregation of duties; separate approval process; dual control utilizing two separate PCs
• (P)(D) Real-time anti-virus and anti-spyware, desktop firewall, and malware detection and removal software with automatic updates and scheduled scans
• (P) PC not used to surf the web or read email
• (P) Procedures for logging off when leaving the online banking PC unattended or not in use
• (P) Spam filters in place and updated
• (P) Manager understands responsibilities and liabilities per the account agreement
• (D) Monitor and reconcile accounts daily
• (D) Discuss the options offered by the FI to detect or prevent out-of-pattern activity
• (D) Note any changes in PC performance
• (D) Pay attention to warnings
• (D) Be on the alert for rogue emails
• (P) Scanned checks (RDC) retained for 14 days in a locked cabinet and then destroyed by cross-cut shredding
Testing Methods, Frequency and Control Issues: FI will conduct periodic analysis of the fraud controls via self-assessment or onsite visit
Recommendations/Strategy to Mitigate Residual Risk: Ex. (P) Dedicated PC utilized for online banking services (not utilized for web browsing, email, or social networking)
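The worksheet above rates one product family; the examiner’s “enterprise-wide payments risk assessment” wants every payment type rated the same way and compared against a Board-approved tolerance. The following is an added example (my own illustration, not the presenter’s template or any regulator’s scoring) that does that on a 1-3 likelihood and damage scale, reduces the inherent score by the controls in place, and ranks the results. The scores, the mitigation credit assigned to each control, the 70% cap on total credit, the bucket thresholds and the tolerance value are all constructed assumptions; the shape of the calculation (likelihood × damage, then residual after controls) is the one the slides describe.

```python
"""Added example: rating payment types for an enterprise-wide payments risk
assessment.  Scores, control credits, thresholds and tolerance are illustrative
assumptions, not regulatory values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed fraction of inherent risk each control removes.  Controls never drive
# residual risk to zero, so total credit is capped in PaymentType.residual().
CONTROL_CREDIT: Dict[str, float] = {
    "mfa": 0.15, "dual_control": 0.15, "out_of_band": 0.15, "anomaly_detection": 0.15,
    "daily_limits": 0.10, "ip_whitelist": 0.05, "duplicate_detection": 0.10,
    "customer_education": 0.05, "manual_fi_approval": 0.15,
}
MAX_CREDIT = 0.70


@dataclass
class PaymentType:
    name: str
    likelihood: int          # 1 (low) .. 3 (high), judged without controls
    damage: int              # 1 (low) .. 3 (high)
    controls: Tuple[str, ...]

    def inherent(self) -> int:
        """Likelihood x potential damage, on a 1..9 scale."""
        return self.likelihood * self.damage

    def residual(self) -> float:
        credit = min(MAX_CREDIT, sum(CONTROL_CREDIT[c] for c in self.controls))
        return round(self.inherent() * (1 - credit), 2)


def bucket(score: float) -> str:
    """Map a 1..9 score onto the high/moderate/low designation examiners expect."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def assess(types: List[PaymentType], tolerance: float) -> List[dict]:
    """Rate each payment type and flag anything whose residual score exceeds the
    Board-approved tolerance.  Returned rows are sorted highest residual first."""
    rows = []
    for p in types:
        res = p.residual()
        rows.append({
            "payment_type": p.name,
            "inherent_score": p.inherent(), "inherent": bucket(p.inherent()),
            "residual_score": res, "residual": bucket(res),
            "acceptable": res <= tolerance,
        })
    return sorted(rows, key=lambda r: -r["residual_score"])


# Constructed portfolio: two wire profiles to show that the same product is not
# the same risk once limits and dual control are in place.
SAMPLE: List[PaymentType] = [
    PaymentType("Wire Transfer (limits + dual control)", 3, 3,
                ("mfa", "dual_control", "out_of_band", "daily_limits")),
    PaymentType("Wire Transfer (MFA only)", 3, 3, ("mfa",)),
    PaymentType("ACH Origination", 3, 3,
                ("mfa", "dual_control", "anomaly_detection", "daily_limits")),
    PaymentType("Remote Deposit Capture", 2, 2,
                ("duplicate_detection", "daily_limits", "anomaly_detection")),
    PaymentType("Bill Payment", 2, 1, ("mfa",)),
]
BOARD_TOLERANCE = 5.0   # constructed: highest residual score the Board accepts


if __name__ == "__main__":
    for row in assess(SAMPLE, BOARD_TOLERANCE):
        flag = "" if row["acceptable"] else "  <-- exceeds tolerance, needs mitigation"
        print(f"{row['payment_type']:<40} inherent {row['inherent']:<8} "
              f"residual {row['residual_score']:>5} ({row['residual']}){flag}")
```

Read the output the way an examiner would read the assessment: the two wire rows share the same inherent rating, and only the control column separates a moderate, acceptable residual from a high one that the Board has not agreed to carry. That is the justification the slides say the assessment must supply for each payment type’s designation.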