FFIEC Supervisory Guidance
Online Banking Authentication & Layered Security
Important facts about account access
Multi-factor authentication and layered security are helping assure safe Internet transactions for banks and their customers.
The Federal Financial Institutions Examination Council (FFIEC) has issued supervisory guidance titled “Authentication and Access to Financial Institution Services and Systems” to help banks strengthen their risk assessment practices and make sure that the person signing into your account is actually you. This supervisory guidance was compiled by financial and cyber-security experts to make online transactions of virtually all types safer and more secure — now and into the future.
Understanding the factors
Online security begins with the authentication process, used to confirm that it is you, and not someone who has stolen your identity. Authentication generally involves one or more of three basic factors: something you know (a password or PIN), something you have (an ATM card, a token or a registered phone), and something you are (a fingerprint or other biometric).
Single-factor authentication uses one of these factors; multi-factor authentication uses more than one, drawn from different categories, and is therefore considered a stronger fraud deterrent. When you use an ATM, for example, you are using multi-factor authentication: factor number one is something you have, your ATM card; factor number two is something you know, your PIN.
To assure your continued security online, your bank uses mostly multi-factor authentication, as well as additional “layered security” measures when appropriate.
Layered security for increased safety
Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. An example of layered security might be that you follow one process to log in (user/password), and then give additional information to authorize funds transfers.
The purpose of these layers is to authenticate customers and detect and respond to suspicious activity.
Layered security can substantially strengthen the overall security of online transactions and the protection of sensitive customer information.
Internal risk assessments at your bank
The goal is to ensure that the level of authentication called for in a particular transaction is appropriate to the transaction’s level of risk. Accordingly, your bank conducts comprehensive risk assessments of its current methods and considers, for example:
This FFIEC guidance addresses the expanded threat landscape, and banks use it to determine the authentication methods and layered security controls appropriate to each type of transaction.
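The two ideas in the sections above, a second layer of authorization at the point of a funds transfer and an authentication requirement that scales with the transaction's risk, are usually implemented together as risk-based step-up authentication. The following is an added example written for this page, not code from any bank, from the FFIEC or from the Financial Education Corporation. The risk signals, their weights, the dollar thresholds and the names `Session`, `Transfer`, `risk_score`, `required_factors` and `authorize` are all illustrative assumptions; a real bank's model would use its own risk assessment.

```python
"""Risk-tiered step-up authentication for a funds transfer (illustrative example).

Hypothetical design: the session records which authentication factor types the
customer has already proven, and every transfer is re-scored server-side before
it is authorized, so a valid login alone never authorizes a transfer.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Factor(IntEnum):
    KNOWLEDGE = 1    # something you know: password, PIN
    POSSESSION = 2   # something you have: card, hardware token, enrolled phone
    INHERENCE = 3    # something you are: fingerprint or other biometric


@dataclass
class Session:
    user: str
    factors: set = field(default_factory=set)   # distinct Factor types proven so far
    device_known: bool = False                  # browser/device previously enrolled
    geo_matches_history: bool = True            # location consistent with past logins


@dataclass
class Transfer:
    amount: float
    new_payee: bool        # first transfer to this payee
    international: bool


def risk_score(session: Session, tx: Transfer) -> int:
    """Sum of weighted risk signals; higher means more suspicious (weights assumed)."""
    score = 0
    if tx.amount >= 1000:
        score += 2
    if tx.amount >= 10000:
        score += 3
    if tx.new_payee:
        score += 2
    if tx.international:
        score += 2
    if not session.device_known:
        score += 3
    if not session.geo_matches_history:
        score += 2
    return score


def required_factors(score: int) -> int:
    """Map a risk score to how many distinct factor types the session must hold."""
    if score <= 2:
        return 1            # low risk: the login factor is enough
    if score <= 6:
        return 2            # elevated: require a second, different factor
    return 3                # high: require all three factor types


def authorize(session: Session, tx: Transfer):
    """Decide a transfer: ('allow' | 'step_up' | 'review', detail dict).

    Two passwords are still one factor: the set holds Factor *types*, so a
    security question cannot substitute for a possession or inherence factor.
    """
    score = risk_score(session, tx)
    need = required_factors(score)
    have = len(session.factors)
    if score >= 10:
        # Beyond what more authentication can fix: hold for out-of-band
        # confirmation with the customer and fraud-team review.
        return ("review", {"score": score, "reason": "out-of-band confirmation and review"})
    if have >= need:
        return ("allow", {"score": score, "factors_required": need})
    # Step up: ask for the lowest-numbered factor types not yet proven.
    missing = [f.name for f in Factor if f not in session.factors][: need - have]
    return ("step_up", {"score": score, "factors_required": need, "request": missing})


if __name__ == "__main__":
    s = Session("alice", {Factor.KNOWLEDGE}, device_known=True)
    print(authorize(s, Transfer(200, new_payee=False, international=False)))
    print(authorize(s, Transfer(5000, new_payee=True, international=False)))
```

The point a practitioner should take from the structure, rather than the particular weights, is that the decision is made per transaction on the server from signals the customer cannot forge in the request, and that a weak first layer (a phished password) is compensated for by a later layer (a possession factor demanded at the transfer) rather than trusted because login succeeded.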
Enhanced controls for higher risks
Whenever increased risk to your transaction security might warrant it, your bank might use additional verification procedures, or layers of control, such as:
Your protections under “Reg E”
Banks follow specific rules for electronic fund transfers known as Regulation E, originally issued by the Federal Reserve Board and now administered by the Consumer Financial Protection Bureau. The rules cover all kinds of situations involving transfers made electronically to and from consumer accounts. Under the consumer protections provided by Reg E, how much of an internet banking loss you can recover depends on how soon you detect and report it.
Here is what the Federal rules require. If your card or other access device is lost or stolen and you report it within two business days of learning of the loss, your liability is limited to $50. If you report it after two business days but within 60 days of the date the statement showing the unauthorized transfer was sent to you, you can be liable for up to $500. If you do not report within those 60 days, you could be legally liable for the full amount of unauthorized transfers made after the 60-day period. Reg E protects consumer accounts; business accounts are generally governed by different rules. These protections can also be extended by state law or by policies at your bank, so be sure to ask your banker how they apply to your particular situation.
Customer vigilance: The first line of defense
Of course, understanding the risks and knowing how fraudsters might trick you is a critical step in protecting yourself online. You can make your online banking experience safer by installing and updating regularly on all your devices:
You can also learn more about online safety and security at these websites:
www.staysafeonline.org www.ftc.gov www.usa.gov www.idtheft.gov
If you have suspicions
If you notice suspicious activity within your account or experience a security-related event, please contact your bank using the telephone number printed on your card or statement. Never use a telephone number provided in an email, text or telephone message. And remember, your bank will never ask you to provide your account information, password, PIN or one-time passcode — they already have what they need.
© FINANCIAL EDUCATION CORPORATION