
Customer Education Simplified

By Vigilize | Saturday, July 14, 2012 - Leave a Comment

Many banks are still unsure of what they should be doing to come into compliance with the FFIEC’s 2011 Supplement to the 2005 Guidance on Authentication in the internet banking environment.  This is true especially as the supplement relates to customer education.  

In fielding questions about this new examination checklist topic, I’m finding that several banks are missing an important point about this requirement of the Supplement. Though we definitely want basic information security principles reflected in your communication with customers, be they retail or commercial, the supplement goes beyond that to require that specific information be delivered. Complying with this requirement will help your bank avoid awkward and sometimes costly problems stemming from a lack of customer awareness, which carries not only compliance risk but also operational and reputation risk.

Customer Awareness:

If you’ve already acquired a copy of our Customer Awareness Kit, you know we suggest a three-step process.

  1. Categorize your customers so you can decide who should receive more robust education efforts.
  2. Then, decide what level of education you will provide to each category of customers, and
  3. Decide what information your customers need to know beyond the normal, “generic” information security best practice suggestions you are probably already providing via flyers, web pages, social media posts, etc.

STEP ONE:
The first step is to sort your customers by risk. A risk assessment on your customers can be as easy as High Risk = ACH Originators, Moderate Risk = Commercial, Low Risk = Retail/Consumer. But it should be documented and you should base your training decisions upon generic risk rankings of your customers. Some of our Clients are using their existing risk measurements that they performed for BSA. If this works, great!

STEP TWO:

Then, ask yourself, who gets more detailed treatment? What most of my Clients are doing is providing web information to low-risk customers, literature to moderate-risk customers, and one-on-one training to the high-risk customers.

Low and Moderate Risk Customers:  We’ve seen some banks work with their web designers to create splash ads on their on-line banking site. Other banks have relied primarily on flyers in the branch. The banks that seem to be leveraging their compliance-response into something of value are taking an integrated approach combining social media with splash-ads with literature.

High Risk Customers:  Most of our Clients are setting up one-on-one meetings between the customer and loan personnel, marketing personnel, or other customer-service personnel. These meetings are usually conducted using a checklist as a guide.  At our recent workshop on the subject of Awareness Training we learned that one-on-one training is working well with the banks that are already implementing it.  Our Customer Awareness Kit includes checklists, white papers, and other re-brandable flyers you can use to help in this endeavor.  For example, our  Commercial Customer Awareness Training Checklist not only serves as an agenda for a one-on-one meeting with your high-risk commercial customers, but also goes so far as to allow the ISO (or other appropriate individual) to “risk-rank” deficiencies.

As time passes, more advanced tools will be available. We’ve seen banks leveraging digital video technology and using other more creative methods for this, and we intend to publish more information about these approaches somewhere down the road. One of our Clients has set up a separate Facebook page for commercial customers where they intend to provide links out to YouTube videos.

You can daydream about those really cool delivery methods, but for now, examiners will find it sufficient to focus on the easiest methods.

STEP THREE:
Finally, decide what your high-risk customers need to know beyond security best practices. For example, the supplement states:

a) An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
b) An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
c) A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
d) A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
e) A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Though the above five items seem to be self-explanatory, let’s take each of them one at a time so that we fully understand their implications:

a) Protections NOT provided: if you have a paper-trail documenting you have informed your commercial customers that they are NOT covered by the fraud provisions in Regulation E, you are in a much better position legally to not cover fraud losses due to mistakes your commercial customers may make.

b) Anti-social engineering: The second bullet point is common sense that I hope you’ve already been practicing: “we’ll never e-mail you a link asking you to go somewhere that will require login credentials” (or, in the case of banks who e-mail statement notifications: “the only time we’ll e-mail you a link that requires login credentials will be when we notify you of your statement, and even then you should recognize the picture in the corner of the page or you could be at a phishing site”).

c) Risk Assessment: The third bullet point is where the federal government extends the eyes-and-ears provisions of BSA to make banks their voice as well. In other words, though the feds can only suggest that non-regulated businesses conduct risk assessments, they can require you (the banker) to suggest it.

d) List of Controls: We think if you are providing your commercial customers with a list of controls they should consider you will be in good shape with your examiners. Again, this supplement is making you the voice of the federal government, so be sure to include the standard disclaimers you are used to hearing from your lawyers. This could be something to the effect of “Note: these controls may or may not apply to your specific situation. A qualified information security professional should be involved in the design of your security systems.”

e) Contact Names: Hopefully this is already all over your existing literature. If not, update your existing literature!

Of course, you should be documenting how you plan to implement this three-step process. Our Customer Awareness Strategy not only serves as a great starting point in your documentation efforts, but it will also help your e-banking team make decisions as to how to provide the training.

We hope this article helps you in your efforts to address the last step of complying with the 2011 Supplement. If you are already a Client of ours, please contact us for more information about our Customer Awareness Kit.
