Who's Who Online
by Mary Beth Guard
There's a famous cartoon from back in 1994 or 1995 that shows two canines sitting side by side at a computer, one obviously instructing the other. The caption reads, "On the Internet, no one knows you're a dog." For bankers offering online services, it's a scary reminder that knowing exactly who you're dealing with can be quite a challenge.
How do you know your customers in cyberspace? How do you enforce anti-money laundering provisions, detect and reduce identity theft, and prevent fraud? Reliable customer authentication is essential.
Perhaps your institution is not currently allowing accounts to be opened over the Web, or loans to be applied for online, but it's only a matter of time. When an individual initiates a transaction online, he wants to be able to finish it online. Customers get annoyed when they have to resort to off-line processes to be able to engage in online transactions. Your task is to determine how you can safely gain new customers electronically and minimize your risks in dealing with established customers in electronic transactions.
In the FFIEC's recently released guidance, "Authentication in an Electronic Banking Environment", the regulatory authorities provide information about five different authentication tools and methodologies financial institutions can use to authenticate customers:
- Passwords and personal identification numbers (PINs)
- Digital certificates - These are used to verify that users sending a message are who they claim to be.
- Public key infrastructure - A system of digital certificates, certificate authorities, and other registration processes used to verify and authenticate the validity of each party involved in an electronic transaction.
- Tokens - Small physical devices that are usually used in conjunction with a password to gain entry to a computer system.
- Biometrics - Authentication techniques that rely on measurable physical characteristics that can be automatically checked. Examples include computer analysis of fingerprints or speech.
The Guidance addresses the verification of new customers and the authentication of existing customers in an electronic banking setting.
The Appendix to the Guidance contains fairly detailed information about each of the authentication methods. The regulators do not endorse any particular technology or method of authentication. Their goal is to provide you with data that will help enable you to make a prudent choice of method to use.
In addition to background information on authentication, the Guidance includes a discussion of appropriate risk assessments, authentication of new customers, authentication of established customers, and monitoring and reporting.
If you are offering any type of electronic banking, you'll need to delve into this Guidance to see how your current authentication systems fare under it. While it may not be your job to implement the authentication systems, a good compliance officer will see to it that they are actually in place.
Assess the level of risk posed by a particular application. Do you offer data aggregation? Online banking? Electronic bill payment? Internet-originated wire transfers? Other forms of electronic banking? The level of authentication used in a particular application should be appropriate to the level of risk in that application. In determining the level of risk, look at whether the application is used by retail or commercial customers, the size and volume of transactions, the transactional capabilities, and the sensitivity and value of the stored information.
Take your cues from what is "commercially reasonable" in light of the reasonably foreseeable risks in the application, but keep in mind that what is considered commercially reasonable will change over time as technologies and threats evolve. You can't do your research initially, make a choice, then rest on your laurels. This is an area where someone in the institution must stay abreast of new risks and new technological offerings.
So-called "single factor authentication tools" (which would include passwords and PINs) have been accepted in the past as commercially reasonable for certain retail ebanking activities, such as account inquiry, bill payment and aggregation. The increasing threat of hackers compromising less robust single factor techniques, however, may mean that single factor authentication alone is not sufficient (i.e., commercially reasonable) for high risk applications and transactions, and that either multi-factor techniques or tiered single factor systems may instead be necessary.
A tiered single factor authentication system would include the use of multiple levels of a single factor. For example, it could use two or more passwords or PINs used at different points in the authentication process.
The goal of the authentication process with existing customers is to limit unauthorized access. A secondary goal is to establish a foundation for enforcing electronic transactions and agreements. You will need to be able to validate the parties to the transaction and the parties' agreement to the transaction's terms, establish the authenticity of the records of the transaction, and establish the integrity of the records - i.e., that they have not been altered.
Verifying the Identity of New Customers
Unlike a face-to-face transaction where the customer is sitting across the desk from you, an online account opening requires you to verify customer identity in a whole new way, whether it's a business customer or an individual. Reliance on traditional forms of paper-based authentication is reduced dramatically and reliable alternative methods must be utilized.
FFIEC points to three ways to verify personal information in the online environment: positive verification; logical verification; and negative verification. These should be supplemented with traditional methods. You will still need to obtain copies of relevant identification documents and incorporation (or other business establishment) papers.
With positive verification, you are attempting to ensure that important information provided to you by an applicant matches data from trusted third-party sources. One example would be to compare the information given by the online applicant with information contained in a credit report, or information contained in a third-party database designed specifically for positive verifications.
Logical verification techniques look for internal consistency. For example, does the zip code match the address that is being given? Does the telephone number match the address?
Use negative verification to compare the information being given with information associated with previous fraudulent activity. Is the address one that was associated with a fraud loss? Does the applicant's name raise any red flags due to association with prior fraud?
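The three verification tiers above, run in sequence over a constructed online application. This is an added example, not code from the article or from any FFIEC material; the "trusted record", ZIP and area-code tables, and negative file are small constructed stand-ins for a credit-bureau pull, a postal database and a fraud-loss file, and the decision rule (negative hits are hard stops, positive or logical mismatches go to manual review) is an assumption of the example.

```python
"""Added example (not from the article): the three FFIEC verification
tiers (positive, logical, negative) for an online applicant, run
against constructed reference data."""
from dataclasses import dataclass


@dataclass
class Application:
    name: str
    address: str
    city: str
    state: str
    zip_code: str
    phone: str
    ssn_last4: str


# Constructed stand-in for a credit-bureau record keyed by SSN last four.
TRUSTED_RECORDS = {
    "1234": {"name": "Jane Q Customer", "address": "100 Main St", "zip_code": "73102"},
}
# Constructed ZIP -> (city, state) and area-code -> state tables.
ZIP_TABLE = {"73102": ("Oklahoma City", "OK"), "74103": ("Tulsa", "OK")}
AREA_CODE_TABLE = {"405": "OK", "918": "OK", "212": "NY"}
# Constructed negative-file entries tied to prior fraud losses.
FRAUD_ADDRESSES = {"9 Mailbox Dr"}
FRAUD_NAMES = {"john doe"}


def normalize(s):
    """Case-fold and collapse whitespace so comparisons are not cosmetic."""
    return " ".join(s.lower().split())


def positive_verification(app):
    """Positive: does the applicant's data match a trusted third-party record?"""
    rec = TRUSTED_RECORDS.get(app.ssn_last4)
    if rec is None:
        return ["no third-party record found"]
    problems = []
    for attr in ("name", "address", "zip_code"):
        if normalize(getattr(app, attr)) != normalize(rec[attr]):
            problems.append(f"{attr} does not match third-party record")
    return problems


def logical_verification(app):
    """Logical: is the application internally consistent (ZIP vs city, phone vs state)?"""
    problems = []
    expected = ZIP_TABLE.get(app.zip_code)
    if expected is None:
        problems.append("unknown ZIP code")
    elif (normalize(expected[0]), expected[1]) != (normalize(app.city), app.state.upper()):
        problems.append("ZIP code does not match city/state")
    digits = "".join(ch for ch in app.phone if ch.isdigit())
    area_state = AREA_CODE_TABLE.get(digits[-10:-7]) if len(digits) >= 10 else None
    if area_state is None:
        problems.append("unknown or malformed phone number")
    elif area_state != app.state.upper():
        problems.append("phone area code does not match state")
    return problems


def negative_verification(app):
    """Negative: does any element match information tied to prior fraud?"""
    problems = []
    if normalize(app.address) in {normalize(a) for a in FRAUD_ADDRESSES}:
        problems.append("address associated with prior fraud loss")
    if normalize(app.name) in FRAUD_NAMES:
        problems.append("name associated with prior fraud")
    return problems


def verify_application(app):
    """Run all three tiers and return (decision, findings-by-tier)."""
    findings = {
        "positive": positive_verification(app),
        "logical": logical_verification(app),
        "negative": negative_verification(app),
    }
    if findings["negative"]:
        decision = "decline/refer"  # negative-file hits are treated as hard stops
    elif findings["positive"] or findings["logical"]:
        decision = "manual review"
    else:
        decision = "pass to document collection"  # traditional ID documents still follow
    return decision, findings
```

Note that a clean pass only moves the applicant on to the traditional document step the text still requires; the three electronic checks supplement it rather than replace it.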
One other possibility would be to rely on a third party to verify the identity. This could be done, for example, by accepting an electronic credential, such as a digital certificate, that has been issued by a trusted third party as a means of enabling the applicant to prove his identity. If you go this route, you will need to apply appropriate due diligence to the third-party credential-issuer to ensure the level of authentication it is using is adequate.
Ongoing Customer Dealings
You must also have appropriate systems for authenticating existing customers who want to access your online banking system. The authentication methods detailed above (from passwords and PINs to physical devices) are all possibilities.
Educate your customers about their responsibilities. In the offline world, bankers have traditionally cautioned customers to safeguard their check stock, guard their facsimile signature devices, promptly review their statements. In the online world, customers must be trained to employ an additional set of precautions, such as guarding their passwords or PINs, and maintaining control of their physical access devices.
Monitoring and Reporting
In hacker movies, the brilliant computer geek becomes "at one" with his machine and can sense the presence of an intruder in his digital realm. Thank goodness, we don't all have to possess a cyber sixth sense. There are tools that can detect unauthorized access to computer systems and customer accounts.
The regulators suggest you employ an authentication system with audit features that can assist you in detecting:
- Unusual activities, such as money laundering
- Compromised passwords; or
- Other unauthorized activities
These audit logs can not only enable you to detect intrusions and spot unauthorized activities, they can also help reconstruct events and promote employee and user accountability. They can show who did what - and when. If an employee is treading where he shouldn't, a hacker tracker can find his trail.
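What an audit-log review of the kind described here looks like in practice, as an added example that is not part of the article. The log lines and their key=value format are constructed for the example; the two detections (a burst of failed logins that ends in success, and a successful login from a source the user has never used) are common indicators of a compromised password, and the timeline function is the "who did what, and when" reconstruction the text mentions.

```python
"""Added example (not from the article): reviewing a constructed
authentication audit log for signs of a compromised password and
reconstructing one user's timeline of events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log; the line format is an assumption for this example.
AUDIT_LOG = """\
2001-12-03T08:12:04Z user=jsmith event=LOGIN_OK src=10.1.2.3
2001-12-03T08:14:40Z user=jsmith event=VIEW_ACCOUNT acct=111
2001-12-03T22:01:05Z user=jsmith event=LOGIN_FAIL src=198.51.100.7
2001-12-03T22:01:09Z user=jsmith event=LOGIN_FAIL src=198.51.100.7
2001-12-03T22:01:14Z user=jsmith event=LOGIN_FAIL src=198.51.100.7
2001-12-03T22:01:19Z user=jsmith event=LOGIN_FAIL src=198.51.100.7
2001-12-03T22:01:25Z user=jsmith event=LOGIN_OK src=198.51.100.7
2001-12-03T22:03:00Z user=jsmith event=WIRE_TRANSFER acct=111 amount=9500
2001-12-03T09:00:00Z user=teller02 event=LOGIN_OK src=10.1.5.9
2001-12-03T09:05:00Z user=teller02 event=VIEW_ACCOUNT acct=222
"""


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        k, v = kv.split("=", 1)
        rec[k] = v
    return rec


def parse_log(text):
    """Parse all lines and order them by time so detections see events in sequence."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])


def suspected_password_compromise(records, max_fail=3, window=timedelta(minutes=5)):
    """Flag a LOGIN_OK preceded by more than max_fail LOGIN_FAILs for the
    same user inside the window: guessing that finally succeeded."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for r in records:
        if r["event"] not in ("LOGIN_FAIL", "LOGIN_OK"):
            continue
        q = recent[r["user"]]
        while q and r["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if r["event"] == "LOGIN_FAIL":
            q.append(r["ts"])
        else:
            if len(q) > max_fail:
                alerts.append((r["user"], r["ts"], len(q), r["src"]))
            q.clear()
    return alerts


def new_source_logins(records):
    """Report successful logins from a source address this log has not
    seen the user use before; an input to the 'is this really them' question."""
    seen = defaultdict(set)
    alerts = []
    for r in records:
        if r["event"] != "LOGIN_OK":
            continue
        if seen[r["user"]] and r["src"] not in seen[r["user"]]:
            alerts.append((r["user"], r["ts"], r["src"]))
        seen[r["user"]].add(r["src"])
    return alerts


def timeline(records, user):
    """Reconstruct who did what and when for one user, oldest first."""
    return [(r["ts"].isoformat(), r["event"],
             {k: v for k, v in r.items() if k not in ("ts", "user", "event")})
            for r in records if r["user"] == user]
```

In the constructed log, jsmith's evening session shows both indicators at once, and the timeline then shows the wire transfer that followed; together they give a reviewer exactly the material the SAR instructions ask for.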
If information on the audit logs reveals a computer intrusion of the type described on the Suspicious Activity Report instructions, you can use data from the logs to help you complete and file the required SAR.
There are other controls you can employ as well. Software that understands a customer's typical transaction patterns could alert you to activity outside the norm. You could establish preset limits for certain types of electronic transactions so that manual intervention - and an astute observer - is required for transactions that exceed that limit.
It's also possible to see where electronic activity is coming from by looking at the IP (Internet Protocol) address of the site visitors. If the majority of your customers are located in your state (maybe even your town) and the IP addresses are from foreign countries you couldn't pass a geography exam on, something's up - and this type of IP monitoring will help you to know about it.
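The three transaction-level controls just described (deviation from a customer's usual pattern, preset limits that force manual intervention, and a look at where the source IP address geolocates), combined into one screen. This is an added example, not the article's or any vendor's code; the customer history, the per-type limits, the IP-range-to-country table and the expected-country set are all constructed, and the "mean plus three standard deviations" baseline is a simple choice made for the example.

```python
"""Added example (not from the article): screening an electronic
transaction against the customer's usual pattern, a preset per-type
limit, and the geography of the source IP address."""
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed history of one customer's past electronic transactions (USD).
HISTORY = {
    "cust-001": [120.0, 80.0, 95.0, 110.0, 130.0, 100.0, 90.0, 105.0],
}
# Preset limits above which a person must approve the transaction.
MANUAL_REVIEW_LIMITS = {"bill_pay": 2500.0, "wire": 1000.0, "transfer": 5000.0}
# Constructed IP-range -> country table standing in for a geolocation feed.
GEO_TABLE = [(ip_network("10.0.0.0/8"), "US"), (ip_network("198.51.100.0/24"), "XX")]
# Where the customer base actually is.
EXPECTED_COUNTRIES = {"US"}


def country_of(ip):
    """Longest-match is unnecessary here because the constructed ranges do not overlap."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "UNKNOWN"


def pattern_deviation(customer, amount, k=3.0):
    """Return a reason if the amount is far above the customer's baseline, else None."""
    hist = HISTORY.get(customer, [])
    if len(hist) < 5:
        return None  # too little history to call anything a pattern
    mu, sigma = mean(hist), pstdev(hist)
    ceiling = mu + k * max(sigma, 1.0)  # floor sigma so a flat history still has a band
    if amount > ceiling:
        return f"amount {amount:.2f} exceeds baseline ceiling {ceiling:.2f}"
    return None


def screen_transaction(customer, tx_type, amount, src_ip):
    """Apply all three controls; return (disposition, list of reasons)."""
    reasons = []
    dev = pattern_deviation(customer, amount)
    if dev:
        reasons.append(dev)
    limit = MANUAL_REVIEW_LIMITS.get(tx_type)
    if limit is not None and amount > limit:
        reasons.append(f"{tx_type} exceeds preset limit {limit:.2f}; manual intervention required")
    cc = country_of(src_ip)
    if cc not in EXPECTED_COUNTRIES:
        reasons.append(f"source IP {src_ip} geolocates to {cc}")
    disposition = "hold for review" if reasons else "allow"
    return disposition, reasons
```

The point of returning the reasons alongside the disposition is that the "astute observer" the text calls for needs to know which control fired; a bare hold tells the reviewer nothing.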
Don't forget about former users. Whether it's a customer who no longer has access privileges, a former authorized signer on an account who has had his rights terminated, or an ex-employee, user account access should be timely and properly modified.
Originally appeared in the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 12/10/01