Business Account Guidance for Online Business Transactions
RISK ASSESSMENT and LAYERED SECURITY
New financial standards will assist banks and business account holders to make online banking safer and more secure from account take-over and unauthorized funds transfers.
Banks and Businesses Team Up for Security
As someone responsible for a business bank account, you will want to know that new supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) has directed banks to strengthen their awareness and ensure that business accounts are properly secured during money transfers of all kinds. The FFIEC is the coordinating group that sets standards for the major financial industry regulators and examiners.
Understanding the Risks
FFIEC studies have shown that there have been significant changes in the threat landscape in recent years. Fraudsters, many from organized criminal groups, have continued to deploy more sophisticated methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts. For example, hacking tools have been developed and automated into downloadable kits, increasing their availability to less experienced fraudsters. As a result, online account takeovers and unauthorized funds transfers have risen substantially each year since 2005, particularly with respect to commercial accounts, representing losses of hundreds of thousands of dollars.
Enhanced Controls Protect Higher Risks
The FFIEC supervisory guidance addresses the fact that not every online transaction poses the same level of risk, recommending that financial institutions implement more robust controls as the risk level of the transaction increases. Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amount of these transactions are generally higher than for consumer transactions, they pose a comparatively increased level of risk to the institution and its customer, according to the FFIEC. Thus banks are advised to implement security plans utilizing controls consistent with the increased level of risk for covered business transactions. These enhanced controls are designed to exceed the controls applicable to routine customer users. For example, a preventative control could include requiring an additional authentication routine prior to final implementation of the access or application changes. A detective control might include a transaction verification notice immediately following implementation of the submitted access or application changes. Based upon the incidents the Agencies have reviewed, enhanced controls over administrative access and these functions can effectively reduce money transfer fraud.
Summary of Recommendations For Business Accounts
- Banks to urge business account holders to conduct periodic assessments of their internal controls
- Use layered security for system administrators
- Initiate enhanced controls for high dollar transactions
- Provide increased levels of security as transaction risks increase
- Offer customers multi-factor authentication
Layered Security for Increased Safety
Rocky Mountain Bank & Trust uses both single and multi-factor authentication, as well as additional “layered security” measures when appropriate. Layered security is characterized by the use of different controls at different points in a transaction process, so that a weakness in one control is generally compensated for by the strength of a different control. This allows RMB&T to authenticate customers and respond to suspicious activity related to the initial login, and then later to reconfirm this authentication when a further transaction involves the transfer of funds. For business accounts, layered security might often include enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as setting access privileges and application configurations and/or limitations.
Internal Assessments at RMB&T
The new supervisory guidance offers ways for banks to look for anomalies that could indicate fraud. The goal is to ensure that the level of authentication called for in a particular transaction is appropriate to the level of risk in the application. Accordingly, your bank has concluded a comprehensive risk assessment of its current methods as recommended by the FFIEC guidelines.
These risk assessments consider, for example:
- Fraud detection and monitoring systems that include consideration of customer history and behavior
- Dual customer authorization through different access devices; out-of-band verification for transactions
- Positive-pay, debit blocks, and other techniques to appropriately limit the transaction use of the account
- Transaction value thresholds, number of transactions allowed per day, and allowable payment windows (e.g. days and times)
- Internet Protocol (IP) reputation-based tools to block connections to banking servers from IP addresses known or suspected to be associated with fraudulent activities
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
- Account maintenance controls over activities performed by customers either online or through customer service channels
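To make the listed controls concrete, here is an added illustration (not RMB&T's code; the thresholds, payment window, history multiplier and blocked IP range are assumed, constructed values) that evaluates a single business transfer request against the payment window, daily count limit, IP reputation list, value thresholds and customer history, applying stronger controls as the transaction's risk rises:

```python
"""Layered-control check for one business ACH/wire request (added illustration).

Policy values, the blocked IP range (TEST-NET-3) and sample inputs are
constructed for this example; they are not the bank's actual settings.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    window_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    window_hours: tuple = (8, 18)          # payments accepted 08:00-17:59
    max_per_day: int = 20                  # transactions allowed per day
    oob_threshold: float = 5_000.0         # out-of-band confirmation above this
    dual_auth_threshold: float = 25_000.0  # second approver on another device
    history_multiplier: float = 3.0        # flag amounts far above customer norm
    # Assumed reputation feed: ranges to refuse connections from.
    blocked_nets: list = field(default_factory=lambda: [ip_network("203.0.113.0/24")])


def evaluate_transfer(amount, when_iso, src_ip, sent_today, avg_amount, policy):
    """Return (decision, reasons); decision is 'block', 'step_up' or 'allow'."""
    reasons = []
    when = datetime.fromisoformat(when_iso)
    ip = ip_address(src_ip)
    # Preventative controls: reject before the transfer is ever queued.
    if any(ip in net for net in policy.blocked_nets):
        reasons.append("source IP on reputation blocklist")
    in_hours = policy.window_hours[0] <= when.hour < policy.window_hours[1]
    if when.weekday() not in policy.window_days or not in_hours:
        reasons.append("outside allowable payment window")
    if sent_today >= policy.max_per_day:
        reasons.append("daily transaction count exceeded")
    if reasons:
        return "block", reasons
    # Layered step-up: stronger authentication as the transaction's risk rises.
    if amount > policy.dual_auth_threshold:
        reasons.append("dual customer authorization on a different device")
    elif amount > policy.oob_threshold:
        reasons.append("out-of-band verification")
    # Detective control: compare against the customer's own history.
    if avg_amount and amount > policy.history_multiplier * avg_amount:
        reasons.append("amount far above customer history; manual review")
    return ("step_up" if reasons else "allow"), reasons
```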
If You Have Suspicions
If you notice suspicious activity within your account or experience security related events, you can contact anyone at RMB&T and you will be quickly and courteously guided to the person responsible for handling such issues.
101 East Main St. P.O. Box 579 Florence, CO 81226
Phone (719) 784-6316 | Fax (719) 784-4805
755 Cheyenne Meadows Rd. Colorado Springs, CO 80906
Phone (719) 579-7628 | Fax (719) 579-0780