Many banks are still unsure of what they should be doing to come into compliance with the FFIEC’s 2011 Supplement to the 2005 Guidance on Authentication in the internet banking environment.  This is true especially as the supplement relates to customer education.  

In fielding questions about this new examination checklist topic, I’m finding that several banks are missing an important point about this requirement of the Supplement.  Though we definitely want basic information security principles exuded in your communication with customers, be they retail or commercial, the supplement goes beyond that to require specific information be delivered.  Complying with this requirement will help your bank avoid awkward and sometimes costly problems due to a lack of customer awareness that not only stems from compliance risk, but also operation and reputation risk.

Customer Awareness:

If you’ve already acquired a copy of our Customer Awareness Kit, you know we suggest a three-step process.

1. Categorize your customers so you can decide who should receive more robust education efforts.
2. Then, decide what level of education you will provide to each category of customers, and
3. Decide what information your customers need to know beyond the normal, “generic” information security best practice suggestions you are probably already providing via flyers, web pages, social media posts, etc.

STEP ONE:
The first step is to sort your customers by risk. A risk assessment on your customers can be as easy as High Risk = ACH Originators, Moderate Risk = Commercial, Low Risk = Retail/Consumer. But it should be documented and you should base your training decisions upon generic risk rankings of your customers. Some of our Clients are using their existing risk measurements that they performed for BSA. If this works, great!

STEP TWO:

Then, ask yourself, who gets more detailed treatment? What most of my Clients are doing is providing web information to low-risk customers, literature to moderate-risk customers, and one-on-one training to the high-risk customers.

Low and Moderate Risk Customers:  We’ve seen some banks work with their web designers to create splash ads on their on-line banking site. Other banks have relied primarily on flyers in the branch. The banks that seem to be leveraging their compliance-response into something of value are taking an integrated approach combining social media with splash-ads with literature.

High Risk Customers:  Most of our Clients are setting up one-on-one meetings between the customer and loan personnel, marketing personnel, or other customer-service personnel. These meetings are usually conducted using a checklist as a guide.  At our recent workshop on the subject of Awareness Training we learned that one-on-one training is working well with the banks that are already implementing it.  Our Customer Awareness Kit includes checklists, white papers, and other re-brandable flyers you can use to help in this endeavor.  For example, our  Commercial Customer Awareness Training Checklist not only serves as an agenda for a one-on-one meeting with your high-risk commercial customers, but also goes so far as to allow the ISO (or other appropriate individual) to “risk-rank” deficiencies.

As time passes, more advanced tools will be available.  We’ve seen banks leveraging digital video technology and using other more creative methods for this, and we intend to publish more information about these approaches somewhere down the road.  One of our Clients has parked a separate facebook page for commercial customers where they intend to provide links out to youtube videos.

You can daydream about those really cool delivery methods, but for now, examiners will find it sufficient to focus on the easiest methods.

STEP THREE:
Finally, decide what your high-risk customers need to know beyond security best practices. For example, the supplement states:

a) An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
b) An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
c) A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
d) A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
e) A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Though the above five items seem to be self-explanatory, let’s take each of them one at a time so that we fully understand their implications:

a) Protections NOT provided: if you have a paper-trail documenting you have informed your commercial customers that they are NOT covered by the fraud provisions in Regulation E, you are in a much better position legally to not cover fraud losses due to mistakes your commercial customers may make.

b) Anti-social engineering:  The second bullet point is common sense that I hope you’ve already been doing: “we’ll never e-mail you a link asking you to go somewhere that will require login credentials.” (or, in the case of banks who e-mail statement notifications: “the only time we’ll e-mail you a link that requires login credentials will be when we notify you of your statement, and even then you should recognize the picture in the corner of the page or you could be at a phishing site.”

c)  Risk Assessment:  The third bullet point is where the federal government extends the eyes-and-ears provisions of BSA to make banks their voice as well. In other words, though the feds can suggestion non-regulated businesses conduct risk assessments, they can require you (the banker) to suggest it.

d) List of Controls: We think if you are providing your commercial customers with a list of controls they should consider you will be in good shape with your examiners. Again, this supplement is making you the voice of the federal government, so be sure to include the standard disclaimers you are used to hearing from your lawyers. This could be something to the effect of “Note: these controls may or may not apply to your specific situation. A qualified information security professional should be involved in the design of your security systems.”

e) Contact Names: Hopefully this is already all over your existing literature. If not, update your existing literature!

Of course, you should be documenting how you plan to implement this three-step process.  Our Customer Awareness Strategy not only serves as a great starting point in your documentation efforts, but it will also help your e-banking team make decisions as to how to provide you training.

We hope this article helps you in your efforts to address the last step of complying with the 2011 Supplement.  If you are already a Client of ours, please contact us for more information about  Customer Awareness Kit.