Office of Examination & Insurance Report
NEW INTERNET AUTHENTICATION GUIDANCE ISSUED
NCUA, along with the other Federal Financial Institutions
Examination Council (FFIEC) agencies, has issued Internet
authentication guidance. The following questions and
answers discuss key parts of the FFIEC guidance.
Q: What concerns does NCUA have for the industry when it
comes to online authentication and why?
A: NCUA is concerned that electronic member transactions be
adequately protected and that credit union members can rely
on the safety of their funds in credit unions. Electronic access
to and movement of funds are increasing at a fast pace in the credit
union industry. At the same time, the threats to these
transactions continue to grow. This means that credit unions
should continue to reevaluate security protocols and
authentication techniques and consistently raise defenses with
the rising level of risk. This protection can occur through many
avenues. We believe that strong layered, multifactor
authentication methods help prevent unauthorized access to
personal member information and funds.
Q: What expectations will examiners have for credit unions once
they begin focusing on provisions of the guidance in January?
A: Examiners expect credit unions to employ appropriate best
practices consistent with their level of risk. The authentication
guidance provides a foundation for best practices. Examiners
will discuss the supplemental guidance, and the credit union's plan
for conformance with it, with credit union officials. Credit unions should
consult with applicable vendors in formulating plans for
compliance. The credit union must perform a risk assessment
and document the results, detailing timelines and effective
strategies for mitigating risks.
Q: Will other factors be considered when examiners look into
online authentication policies and procedures at credit
unions? What might those factors be? Updating/adopting new
technologies can be expensive, and credit unions are still
dealing with a struggling economy and other pressures.
A: NCUA is sensitive to the financial challenges credit unions
face from weak economic conditions, but credit unions must
ensure they have taken appropriate measures to protect their
members by becoming hardened targets on the electronic front.
Examiners will apply sound judgment when reviewing plans
for compliance. Factors will include the types of electronic
services provided by credit unions, types of accounts offered
to members, plans to change electronic banking products or
vendors, and actual incidents of security breaches, identity
theft, and fraud experienced by credit unions. Ultimately, the
expectation is for credit unions to achieve compliance with the
FFIEC guidance in a reasonable timeframe.
Q: The guidance notes financial institutions should conduct risk
assessments of online banking programs every 12 months.
What will examiners look for with respect to this provision?
A: A credit union should perform, review, update, and
document a risk assessment as new information becomes
available, prior to implementing new electronic financial
services, or at least every 12 months. The risk assessment
should cover all forms of electronic banking, not just Internet-based transactions. Mobile banking is a good example. The
risk assessment should consider all internal and external
threats that could result in account takeover, unauthorized
access to member information, and unauthorized fund
transfers. Threat examples include, but are not limited to,
authentication weaknesses, web application vulnerabilities,
key-logging malware, rootkit-based malware, plus man-in-the-middle and man-in-the-browser attacks.
Q: The guidance also says that financial institutions should
implement more robust controls for high-risk, online banking
transactions. What kind of controls is NCUA looking for credit
unions to adopt or update? Please provide a couple of examples.
A: Commercial accounts involving large dollar, ACH or wire
transfer activity are high-risk. NCUA expects implementation
of multifactor authentication and layered security controls.
True multifactor authentication requires the use of solutions
from two or more of the three categories of factors addressed
in the 2005 authentication guidance, which are:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card,
one-time password tokens); and
• Something the user is (e.g., biometric characteristic,
such as a fingerprint).
Examples of layered security controls include dual
authorization and using out-of-band verification for
transactions. The FFIEC supplemental guidance lists a
number of other examples, and NCUA’s expectations are not
different from those provided.
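The following is an added illustration, not code from NCUA or the FFIEC guidance, of the two points in this answer: the factor-category test for "true" multifactor authentication (a challenge question is another "something the user knows", so password plus challenge question remains single-factor), and the layered controls of dual authorization and out-of-band confirmation applied to high-risk ACH and wire transfers. The RFC 4226/6238 one-time password stands in for "something the user has"; the factor mapping, the dollar threshold, the transaction types and the sample users are hypothetical.

```python
"""Added illustration, not part of the NCUA/FFIEC text: a toy authorization
gate that applies the two-category test for "true" multifactor
authentication and the layered controls (dual authorization, out-of-band
confirmation) described for high-risk ACH and wire transfers.  The factor
mapping, dollar threshold and sample users are hypothetical."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# The three factor categories from the 2005 FFIEC guidance.
KNOWS, HAS, IS = "knows", "has", "is"

# Authenticator type -> category (hypothetical mapping).  A challenge question
# is another "something the user knows", so password + challenge question
# stays single-factor under the two-category test.
FACTOR_CATEGORY = {
    "password": KNOWS,
    "pin": KNOWS,
    "challenge_question": KNOWS,
    "totp_token": HAS,
    "smart_card": HAS,
    "fingerprint": IS,
}


def is_true_mfa(authenticators):
    """True MFA: verified authenticators span two or more distinct categories."""
    return len({FACTOR_CATEGORY[a] for a in authenticators}) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (the 'something the user has')."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 time-based check, accepting +/- `window` steps of clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


@dataclass
class Transaction:
    kind: str                    # "ach", "wire" or "internal" (hypothetical types)
    amount: float
    initiator: str
    approvers: set = field(default_factory=set)
    oob_confirmed: bool = False  # e.g. confirmed by call-back to a registered number


HIGH_RISK_KINDS = {"ach", "wire"}
HIGH_RISK_AMOUNT = 10_000.00     # hypothetical threshold for "large dollar"


def is_high_risk(tx: Transaction) -> bool:
    return tx.kind in HIGH_RISK_KINDS and tx.amount >= HIGH_RISK_AMOUNT


def authorize(tx: Transaction, session_authenticators) -> tuple:
    """Return (allowed, reason) for a transaction from an authenticated session."""
    if not is_true_mfa(session_authenticators):
        return False, "single-factor session"
    if not is_high_risk(tx):
        return True, "standard controls"
    # Layered controls for high-risk commercial transfers.
    if not (tx.approvers - {tx.initiator}):      # self-approval does not count
        return False, "dual authorization required"
    if not tx.oob_confirmed:
        return False, "out-of-band confirmation required"
    return True, "high-risk controls satisfied"


if __name__ == "__main__":
    # RFC 6238 reference secret; at t=59 the 6-digit SHA-1 TOTP is 287082.
    secret = b"12345678901234567890"
    print(verify_totp(secret, "287082", now=59))
    wire = Transaction("wire", 50_000.00, "alice", approvers={"bob"}, oob_confirmed=True)
    print(authorize(wire, {"password", "totp_token"}))
    print(authorize(wire, {"password", "challenge_question"}))
```

The gate deliberately rejects a wire approved only by its own initiator: dual authorization is a control only when the second approver is a different person. The out-of-band check is modelled as a flag set by a separate channel (for example a call-back), which is what distinguishes it from a second prompt inside the same possibly compromised browser session.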
Q: What kinds of administrative/corrective actions might
credit unions expect if they are not operating in line with
the guidance?
A: Examiners will use their judgment to evaluate the plan for
compliance. If a weakness is significant, examiners will reach
written agreements with credit union officials in a Document
of Resolution (DOR). If the examiner does not believe a DOR
is necessary, then the examiner will address noncompliance in
the Examiner’s Findings section of the report.
Q: What should credit unions do to prepare for the guidance
effective date? Is there a checklist or resources for credit
unions to turn to?
CONTINUED ON PAGE 11