Risk Assessment

New financial standards will assist credit unions and business account holders to make online banking safer and more secure from account hijacking and unauthorized funds transfers.

Whenever increased risk to your transaction security might warrant it, your credit union will have available additional verification procedures, or layers of control, such as:

  • Fraud detection and monitoring systems that include consideration of member history and behavior;
  • Dual member authorization through different access devices;
  • Out-of-band verification for transactions;
  • “Positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account;
  • Transaction value thresholds, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
  • Internet protocol (IP) reputation-based tools to block connection to credit union servers from IP addresses known or suspected to be associated with fraudulent activities;
  • Policies and practices for addressing member devices identified as potentially compromised and members who may be facilitating fraud;
  • Account maintenance controls over activities performed by members either online or through member service channels.

Your credit union also reviews and updates its risk assessment in light of:

  • Changes in the internal and external threat environment;
  • Changes in the member base adopting electronic banking;
  • Changes in the member functionality offered through electronic banking;
  • Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.
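To show how several of the layers above (IP reputation blocking, transaction value thresholds, daily transaction counts, payment windows and member history) combine into one decision that either allows a transfer, steps it up to out-of-band verification, or blocks it, here is an added illustrative example; it is not code from any credit union or from FFIEC, and the account limits, the IP ranges and the function names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AccountProfile:
    """Limits a credit union might configure for one business account (constructed values)."""
    single_txn_limit: float      # dollar amount above which out-of-band verification is required
    daily_txn_limit: int         # transfers allowed per calendar day
    payment_window: tuple        # (start_hour, end_hour) local time, end exclusive
    allowed_weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    usual_networks: tuple        # CIDR prefixes from the member's normal login history

# Constructed stand-in for an IP reputation feed (documentation range, not a real indicator).
BLOCKED_NETWORKS = (ip_network("203.0.113.0/24"),)

# Constructed profile: $25,000 per transfer, 10 transfers per day, weekdays 08:00-17:00.
SAMPLE_PROFILE = AccountProfile(
    single_txn_limit=25_000.0,
    daily_txn_limit=10,
    payment_window=(8, 17),
    allowed_weekdays=frozenset(range(0, 5)),
    usual_networks=("198.51.100.0/24",),
)

def assess_transfer(profile, amount, when_iso, src_ip, txns_today):
    """Apply the layered controls in order and return (decision, reasons): 'block' on an IP
    reputation hit, 'step_up' (out-of-band verification needed) if any threshold trips, else 'allow'."""
    addr = ip_address(src_ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return "block", ["source IP on reputation block list"]
    when = datetime.fromisoformat(when_iso)
    start, end = profile.payment_window
    reasons = []
    if amount > profile.single_txn_limit:
        reasons.append("amount exceeds per-transaction threshold")
    if txns_today + 1 > profile.daily_txn_limit:
        reasons.append("daily transaction count would be exceeded")
    if when.weekday() not in profile.allowed_weekdays or not start <= when.hour < end:
        reasons.append("outside allowable payment window")
    if not any(addr in ip_network(net) for net in profile.usual_networks):
        reasons.append("source IP not in member's usual history")
    return ("step_up" if reasons else "allow"), reasons

if __name__ == "__main__":
    # A $60,000 transfer on a weekday morning from a usual address: over the threshold, so step-up.
    print(assess_transfer(SAMPLE_PROFILE, 60_000, "2024-03-04T10:30", "198.51.100.7", 2))
```

Each reason is kept rather than short-circuited (except the block case) so the verification notice sent to the member can name every control that fired.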

Your credit union joins FFIEC and the financial regulatory agencies in strongly urging business account holders to conduct similar internal assessments to ensure the highest level of security possible for your transactions.

YOUR PROTECTIONS UNDER “REG E”

Credit unions follow specific rules for electronic transactions issued by the Federal Reserve Board, known as Regulation E. Under Reg E, consumers can recover internet banking losses according to how soon they are reported. In general, these protections are extended to consumers and consumer accounts. Your credit union can provide additional details about how Reg E might affect your business account.

If you notice suspicious activity within your account or experience security-related events, you can contact anyone at your credit union and you will be quickly and courteously guided to the person responsible for handling such issues.

Credit Unions and Businesses Team Up for Security

As someone responsible for a business credit union account, you will want to know that new supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) is helping credit unions strengthen their vigilance and ensure that your business accounts are properly secured during money transfers of all kinds. FFIEC is the coordinating group that sets standards for the major financial industry regulators and examiners.

UNDERSTANDING THE RISKS

FFIEC studies have shown that there have been significant changes in the threat landscape in recent years. Fraudsters—many from organized criminal groups—have continued to deploy more sophisticated methods to compromise authentication mechanisms and gain unauthorized access to members’ online accounts. For example, hacking tools have been developed and automated into downloadable kits, increasing their availability to less experienced fraudsters. As a result, online account takeovers and unauthorized funds transfers have risen substantially each year since 2005, particularly with respect to commercial accounts, representing losses of hundreds of millions of dollars.

ENHANCED CONTROLS PROTECT HIGHER RISKS

The FFIEC supervisory guidance recognizes that not every online transaction poses the same level of risk, and recommends that financial institutions implement more robust controls as the risk level of the transaction increases. Online business transactions generally involve ACH file origination and frequent wire transfers between credit unions. Since the frequency and dollar amounts of these transactions are generally higher than for consumer transactions, they pose a comparatively higher level of risk to the institution and its member, according to FFIEC. Credit unions are therefore advised to implement security plans using controls consistent with the increased level of risk for covered business transactions. These enhanced controls are designed to exceed the controls applicable to routine member users. For example, a preventive control could require an additional authentication routine before access or application changes take effect. A detective control might send a transaction verification notice immediately after the submitted access or application changes take effect. Based upon the incidents the Agencies have reviewed, enhanced controls over administrative access and functions can effectively reduce money transfer fraud.

SUMMARY OF RECOMMENDATIONS FOR BUSINESS ACCOUNTS

  • Urge business account holders to conduct periodic assessments of their internal controls
  • Use layered security for system administrators
  • Initiate enhanced controls for high-dollar transactions
  • Provide increased levels of security as transaction risks increase
  • Offer members multi-factor authentication