Online Banking - verification procedures

Posted By: MackenzieS

Online Banking - verification procedures - 10/28/02 05:01 PM

We are just now deciding how we are going to allow customers to sign up for our Online banking product. Are many of you allowing customers to enroll online? If so, what procedures do you have in place to verify identity, and how are you issuing PIN numbers? What are some issues that you have come across? This too could apply to allowing customers to fax or mail in applications. All comments would be appreciated.
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/28/02 06:25 PM

We opted for the KISS method, i.e. no application - new users are directed to internet banking through the disclosure page and must go through a new user access page to immediately change their user name and password from their account number and last four digits of their SS number (assigned at the system level). Our product only allows customers to view balances, statements, transfer between accounts, and download statement data - no outside payments, so it's low risk at this point. We passed an FDIC internet banking audit, so the KISS method works and fits with regulatory guidelines.
Posted By: MackenzieS

Re: Online Banking - verification procedures - 10/28/02 06:57 PM

Sounds like our systems are the same as far as functional capabilities. But I am a little confused about what the KISS method is. We too are FDIC regulated, so I am very interested to know specifics about how your exam went. For example, what were their main areas of interest or criticisms? What policies/procedures did they ask for?
Posted By: Skittles

Re: Online Banking - verification procedures - 10/28/02 07:13 PM

KISS - Keep It Simple Stupid
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/28/02 07:17 PM

Of course, KISS is Keep It Simple Stupid! This method is favored by customers and with the internet, simple is best as, based on our experience, there are a lot of people out there that find it difficult to read instructions.

Anyway, here's the internet banking FDIC questions/issues:

ELECTRONIC BANKING (E-BANKING)
Due diligence reviews of third party providers, contractors, support vendors, other parties.

Contracts/agreements with vendors, customers, third-parties, etc.

Insurance policies covering e-banking activities such as blanket bond, liability coverage, errors and omissions, and any riders relating to e-banking.

Strategic plan and feasibility studies (cost/benefit analysis), test plans and results, deployment plans and reviews relating to e-banking activity.

Provide all e-banking related policies. In the following space note when the Board last reviewed and approved e-banking policies.

Bank’s back-up/contingency planning for e-banking platforms.

E-banking training (for example products, services, informational) schedule with dates, attendees, and topics.

We secured an ebanking insurance policy just in time, and the only issues mentioned (not cited) were that we should have a disclaimer covering the non-private nature of email and direct access to our privacy statement from the ebanking page. By the way, we informed the FDIC that we didn't plan to back up ebanking as it is not considered vital.
Posted By: Richard Insley

Re: Online Banking - verification procedures - 10/28/02 08:00 PM

You will need to consider the disclosure & opt-in requirements of ESIGN if your online signup steps trigger written disclosures under any of the regs (E, DD, CC, etc.) and you cannot or will not send paper forms.
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/28/02 08:35 PM

Richard:

Since internet banking customers have already received disclosures relating to opening an account, do we need to re-disclose the regs noted by you? We do not allow anyone to open an account on the web - just view their transactions and transfer between accounts.
Posted By: rexinaudit

Re: Online Banking - verification procedures - 10/28/02 08:36 PM

Yes, KISS is becoming a standard, but that will be small comfort when the frauds start. Another acronym might be KIWO - Keep It Wide Open.

The transaction risk for KISS may be low, but the privacy risk of unauthorized persons accessing account information is not. How hard is it to get the account number and social security number of an elderly relative? They likely have never accessed the internet banking site, so the default user name and password are there for the taking.

As to accessing the relative's funds, the perpetrator simply asks the elderly relative to be the second name on the perpetrator's own account for "convenience while I am traveling", then makes the online transfers from the elderly relative's account to the perpetrator's joint account, and away the money goes.
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/28/02 08:48 PM

I'm not sure I see your point, as the owner of an account can easily add someone to their account, separate from internet banking. A customer cannot transfer funds out of one of their accounts, only between accounts that they own, so the risk does not multiply simply because an account number and SS number are used at the initial sign-in. In order to get funds out of an account, the person would have to be a signer and sign a check, or sign for a wire, etc. There is logic and risk at work here, and a reasonable interpretation of the risk is that this is a logical, low-risk situation.

Yes, someone can relatively easily secure an account number and SS number, but what can they do beyond that that causes a high level of risk?

Of course, if bill payment is added - that would be a new ball game.
Posted By: rexinaudit

Re: Online Banking - verification procedures - 10/28/02 08:58 PM

Your earlier post says, "Our product only allows customers to view balances, statements, ***transfer between accounts***, . . .

So, the perpetrator accesses the victim's online accounts, and transfers money from the victim's account to the joint account [perpetrator added as second name], with no signature needed. Now the perpetrator has the victim's money in the perpetrator's account, and may further remove it anytime by check, transfer, wire, etc. Since your system keys off the social security number, and the victim's social security number is on the perpetrator's account, the transfer can be done at will.
Posted By: Richard Insley

Re: Online Banking - verification procedures - 10/28/02 09:43 PM

Redisclosure is never necessary, but sometimes "adding Internet banking service" equates to adding a new access device (online payments), and new Reg E disclosures are needed.
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/28/02 11:09 PM

You may be confused, but perhaps it's the way I stated the options - transfers between accounts are only between accounts that belong to the owner, not some other customer's accounts - if that were the case you would be correct. What you are thinking may happen is mission impossible under this internet banking scenario, but may be true under other scenarios. So, logic once again wins!
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/28/02 11:13 PM

Since Reg E is disclosed as part of the sign-in process covering new users, we appear to be covered - but thanks for the input.
Posted By: rexinaudit

Re: Online Banking - verification procedures - 10/29/02 12:56 PM

Logically, my scenario requires that the victim has been induced to add his own name to the perpetrator's account as a **joint owner**. Therefore, the accounts "owned" by the victim include the perpetrator's account. Thus, the perpetrator, having gained fraudulent access to the victim's accounts through the internet banking system, may transfer the victim's funds to their "joint account". The perpetrator then may remove the funds by withdrawal, by check, by wire transfer, etc.

I repeat, the perpetrator does have the ability to transfer funds from the victim to himself because they have a joint account.
Posted By: Andy_Z

Re: Online Banking - verification procedures - 10/29/02 01:09 PM

In our bank, transfers between accounts can only be between accounts with similar ownership. So John can move money between John's accounts, but not to his joint account with Jane. That takes a higher level of access and a higher security procedure.

For funds to actually leave John's ownership, he has to have signed a form allowing this.
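The two transfer rules argued over in this thread (any account the customer is an owner of, versus Andy_Z's rule that source and destination must have identical ownership) can be written down as authorization checks and compared on the joint-account scenario rexinaudit describes. The following is an added example, not code from any poster or banking system; the customer IDs, account numbers and the transfer log are constructed sample data, and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Account:
    number: str
    owners: FrozenSet[str]  # customer IDs on the signature card


def transfer_allowed_any_owner(customer: str, src: Account, dst: Account) -> bool:
    """Permissive rule: the logged-in customer only has to be *an* owner of both accounts.
    A joint account the customer was added to as a second name qualifies as a destination."""
    return customer in src.owners and customer in dst.owners


def transfer_allowed_identical_ownership(customer: str, src: Account, dst: Account) -> bool:
    """Andy_Z's rule: the customer owns the source and both accounts have exactly the same
    set of owners, so online transfers can never move funds out of the current ownership."""
    return customer in src.owners and src.owners == dst.owners


# Constructed sample data (not from the thread): the victim solely owns A-0001 and A-0003;
# the perpetrator's account B-0002 lists the victim as a second name.
VICTIM = "cust-victim"
PERP = "cust-perp"
ACCOUNTS: Dict[str, Account] = {
    "A-0001": Account("A-0001", frozenset({VICTIM})),
    "A-0003": Account("A-0003", frozenset({VICTIM})),
    "B-0002": Account("B-0002", frozenset({PERP, VICTIM})),
}


def scenario() -> Dict[str, bool]:
    """Evaluate the disputed transfer (A-0001 -> B-0002) under both rules, plus a benign
    transfer between two accounts the victim owns alone. The session is assumed to be
    authenticated as the victim, e.g. via unchanged default credentials."""
    a, b, a2 = ACCOUNTS["A-0001"], ACCOUNTS["B-0002"], ACCOUNTS["A-0003"]
    return {
        "any_owner_victim_to_joint": transfer_allowed_any_owner(VICTIM, a, b),
        "identical_victim_to_joint": transfer_allowed_identical_ownership(VICTIM, a, b),
        "identical_victim_to_own": transfer_allowed_identical_ownership(VICTIM, a, a2),
    }


def flag_ownership_changing_transfers(
    transfers: List[Tuple[str, str, str, float]], accounts: Dict[str, Account]
) -> List[str]:
    """Detection helper for a bank that kept the permissive rule: return the IDs of posted
    online transfers whose destination has a different owner set than the source, i.e. the
    funds left the originating customer's sole control and deserve a second look.
    Each transfer record is (id, src_number, dst_number, amount)."""
    flagged = []
    for tid, src_no, dst_no, _amount in transfers:
        src, dst = accounts[src_no], accounts[dst_no]
        if src.owners != dst.owners:
            flagged.append(tid)
    return flagged


# Constructed sample transfer log.
SAMPLE_TRANSFERS = [
    ("t1", "A-0001", "A-0003", 250.00),   # between the victim's own accounts: benign
    ("t2", "A-0001", "B-0002", 4800.00),  # into the joint account: review
]

if __name__ == "__main__":
    print(scenario())
    print(flag_ownership_changing_transfers(SAMPLE_TRANSFERS, ACCOUNTS))
```

Under the permissive rule the victim-to-joint transfer is allowed, which is exactly the path rexinaudit describes; under the identical-ownership rule it is refused while ordinary transfers between the customer's own accounts still work. The flagging helper is the corresponding after-the-fact control for a system that cannot change its transfer rule: it picks out only the transfer that changed the owner set.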
Posted By: BANNED BY BOL MANAGEMENT

Re: Online Banking - verification procedures - 10/29/02 02:48 PM

You are correct under your specific scenario, but it's not an internet banking scenario as it centers on new accounts and/or adding signatures to accounts. Yes, your scenario can happen, but it has nothing directly to do with internet banking security.
Posted By: claudiam

Re: Online Banking - verification procedures - 11/07/02 09:13 PM

I'm still figuring this system out. I posted my response under E-Banking.