How are federal regulators revisiting their guidance on authentication for online banking?
The FDIC is leading an interagency staff working group to go back and look at the guidance, which we originally issued in 2005, to figure out whether or not the guidance needs updating or whether the agencies need to speak again on this topic in some other way, shape or form. We are taking a look at it and figuring out whether we need to do anything and if so, what exactly is necessary. No decisions have been made at this point, but we are well into this process. When did the process start?
This past fall. What's driving this effort?
After the guidance was issued and became effective, we did see a decline in account takeover fraud, which was among the types of fraud the guidance was intended to put a lid on. Unfortunately, lately we've seen an uptick in that type of fraud and we've become concerned that while the guidance required banks to do regular risk assessments and to upgrade, as required, the types of authentication they used, in many cases banks aren't doing that. They put into effect whatever authentication they put in at the beginning of 2007 and it hasn't been upgraded or improved since then even though the guidance requires it. We're thinking that we need to go back and update the guidance or talk to banks about this to reiterate that this isn't a static thing -- you don't put a certain authentication control into effect and forget about it for a couple of years. You have to regularly do a risk assessment and figure out whether what you put in place last year, for example, still meets the guidance. In general, how did banks respond to the initial guidance?
The guidance wasn't prescriptive in that it didn't tell banks precisely what technology controls they were required to use. It took the opposite approach, which was to lay out certain technologies and controls that would no longer be considered sufficient, but give them latitude to try different things and put in a variety of controls, any of which might be sufficient. For retail Internet banking, what most banks did was some form of device authentication, where the consumer's PC becomes the second factor of two-factor authentication. … The consumer would put in their login ID and password, and the bank would verify that the computer the consumer was logging in from is in fact the one initially enrolled in the Internet banking system. What we've found in the last year is there are stronger ways to do device authentication and there are weaker ways to do device authentication. We know for certain that the fraudsters and hackers have become much smarter and more sophisticated and they have developed ways to defeat a lot of the controls that were put in place at the beginning of 2007. We're concerned that some banks haven't upgraded these controls to make them more resistant to what hackers and fraudsters are now doing. A lot of these attacks have been on small and midsize businesses, right?
The agencies have made no decision on this. This is a staff working group that's discussing and bouncing around a variety of ideas. The group would have to come to an agreement about what it wants to do and the principals of each agency would each have to approve any recommendation that's made by the working group before anything is published. That being said, there are a variety of ways to approach it. One would be an update to the guidance; in our case, the guidance was issued as a financial institution letter. We could issue another FIL that would update the guidance and lay out our concerns to the extent that there are now security measures we no longer consider to be in compliance. Another method would be an FAQ document; we did one in August 2006 because we got a lot of questions about the guidance when it initially went out. We could do some sort of other publication issuance, where we talk about further interpretation, elaborating on the guidance.
The key factor is we'd want to do a couple things. We might want to lay out specifically to bankers if there are certain controls that were in compliance with the guidance back in 2005, but will no longer be considered to be in compliance now. Number two, we might want to stress the idea that the banks' obligation to do these regular risk assessments is to be ongoing and banks need to pay particular attention to that part of the guidance. We also might also want to discuss some of the new technologies and techniques we're hearing about that might be considered more effective in preventing account takeover -- make sure banks are aware of these technologies and talk about how they could be used to meet the requirements of the guidance.
Can you elaborate on the new technologies?
A lot of the problems we've seen, especially in the small and midsize business accounts, are due to malware and Trojans that steal passwords and allow the fraudsters to log on to the bank's system, pretending to be the customer. When the guidance was originally written, password- stealing malware wasn't very common; it wasn't something we dealt with or spent a lot of time talking about. It's unfortunately much more common, more effective and much easier to use; you don't have to be a particularly skilled hacker to get one of these programs and install it on a victim's machine. There are now antimalware programs out there that might offer some additional protection. I alluded earlier to the idea that there are more effective ways do to device identification. We might want to talk in more detail about what we consider to be less effective ways, for example, loading a cookie on a customer's machine. That's really very easily compromised these days; hackers can steal cookies and load them on their machines. Have you met with banks about revisiting the guidance?
Yes, we've been meeting with not just banks but all the stakeholders in the process. We have met with small bankers, large bankers, trade associations, vendors and technology service providers. Anyone who operates in this space, we have met with them in an informal, off-the-record way to gather information so we can in turn do the best possible job in terms of writing the best possible guidance or update or whatever the document turns out to be. You can't do that unless you know what's going on in the real world. We've been in the fact-gathering stage since the fall. That's coming to closure now. Do you have a timeframe for wrapping up the project?
Sooner than later. I heard that the FDIC was holding some type of meeting in May related to this topic.
The FDIC is hosting a forum on payments fraud in the beginning of May in Arlington, Va. I will moderate a panel that will focus on this authentication issue. We probably will be starting to publicize this relatively soon. … My understanding it will be open. There will be a limited number of seats based on room it's being held in. We will have some online registration [for attendees] to secure a spot. Overall, how important is this issue of online banking fraud to regulators?
It's important for a number of reasons. First, we don't want to see customers or banks lose money to fraud. Secondly, we don't want customers, be they consumers or commercial customers, to lose faith in these electronic payment delivery channels. Banks have spent a considerable amount of money and time developing them, and they are a very cost-effective way to deliver services to customers. To the extent that customers lose faith in them -- that's not a good thing for anyone. We are concerned about this. We want to do the right thing. We don't want to do this precipitously. That's why we've spent a considerable amount of time meeting with people and gathering information. Sometimes regulators don't move as quickly as people would like, but we try to err on the side of being conservative and doing the right thing and making sure we've dotted all the I's and crossed all the T's before we speak on these topics.