2016 Vol. 100 No. 5

18 Hoosier Banker May 2016

Continued from page 17.

confirm your identity.” Then try to find a question that will prove the customer’s identity, relying on information that cannot be found in a lost wallet or purse or on social media, such as:

• Amount of last deposit;
• Amount of recurring deposits or payments;
• Source of recurring deposits or payments;
• Amount/date of automatic payments;
• Predefined challenge questions;
• Anything else that cannot be discovered in a lost wallet or purse, or on social media.

Information such as date of birth, tax identification number, mother’s maiden name (easily found on social media sites), address and/or account number can be used to verify a member’s identity only if combined with out-of-wallet questions as defined above. The customer information listed above may not be shared with anyone outside of [Name of Financial Institution] without permission from your [Department Manager or Branch Manager].

If you cannot find a legitimate out-of-wallet question, there are only three options left: (1) call the customer back at a number on file at the bank, (2) require the customer to come into the branch, or (3) pass the customer along to your supervisor.

* The term “out-of-wallet questions” was not used until 2011, when the Federal Financial Institutions Examination Council published the Supplement to the Authentication Guidance. Prior to that, information security professionals referred to these questions as “out-of-pocket questions,” a phrase still used by some other regulated industries.
Motivate and activate awareness.

Every customer is different, and thus we must be flexible and creative in asking out-of-wallet questions. While information security officers should understand that this process is easier said than done, resist the impulse to create stock lists for employees. Instead, teach employees to engage their customers, for example by offering the “for your protection” explanation above. Another approach is to first say, “I’m sorry I don’t completely recognize your voice,” then begin with the “for your protection” phrase.

To motivate your team to engage their customers, help them understand why they need to ask out-of-wallet questions. They need to see themselves as the gatekeepers of the information, and they must believe in the three words that should begin every engagement: “For your protection.” An effective way to both motivate and activate awareness is with ongoing pretext calling, where your audit firm makes calls to your offices throughout the year, and reports the results quarterly. Combining this effort with role-playing sessions will help your team members learn from each other while developing good habits and approaches.
