2014 Vol. 98 No. 10

30 Hoosier Banker October 2014

OPERATIONS / TECHNOLOGY

Educate Your Customers About Information Security

“If BSA made us the eyes and ears of the federal government, the Supplement makes us the voice.” – anonymous banker

Thus said the frustrated banker in response to what I call “the five bullet points,” from the Federal Financial Institutions Examination Council’s “Supplement to the 2005 Guidance on Authentication in an Internet Banking Environment.” The Supplement explains that bankers must communicate to customers:

1. An explanation of protections provided and not provided to accountholders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Reg. E to the types of accounts with Internet access;
2. An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
3. A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
4. A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risks, or alternatively, a listing of available resources where such information can be found; and,
5. A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Many of us have interpreted the Supplement to mean that banks may apply the messaging appropriately based on customer type and risk. For example, millennials aren’t likely to read a list of alternative controls, but they might read brief, layperson descriptions of controls – and they’ll almost certainly follow links to sleek sites about information security practices.

Sort your customers.

The simplest way to address the above requirement is to sort your customers into three classes:

a. Customers initiating ACH originations or wire transfers via Internet banking are considered critical risk and will have a specialized, customized education program directed at them. Your bank may want to call upon them to help conduct a risk assessment.
b. Commercial customers and retail customers using bill pay with high balances are considered high-risk customers and will need targeted, specialized messages related to information security. Your bank may choose not to visit them, but instead will make sure they are receiving regular messaging

About the Author

Dan Hadaway, CRISC, CISA, CISM, has been working with banks on their security awareness programs since he founded Infotex in 2000. As the managing partner of Infotex, a managed security service provider and a preferred service provider of the Indiana Bankers Association, he writes for Hoosier Banker, the American Bankers Association’s Compliance Magazine, BankNotes and other industry publications. Hadaway speaks regularly at conferences and conventions, and facilitates IBA’s annual IT Security and Risk Management Conference.
