Every day, we trust financial institutions with both our money and very sensitive personal information. Authentication is a critical need for financial institutions to maintain security and protect every individual’s account from unauthorized access. Whether this access results in active fraud or consumer data breaches, the result is costly in both money and brand reputation.
Now, think about all the different ways you can possibly engage with your financial institutions—walk into a branch, engage online, log into a mobile app, interact with an ATM or kiosk, or simply call them. Much of the time, these different applications and systems authenticate in different ways, and while one system may be strong, another may be prone to breaches. Efforts to enable faster authentication are often associated with reduced security, and reduced security makes it easier for someone to steal credentials, mine data, and commit fraud. The main problem financial institutions face, however, is not simply authentication and layered security. The real problem is a lack of unity and consistency coupled with the challenge of managing the complexity of securing multiple users across diverse environments. Enter the FFIEC.
What is the FFIEC?
The Federal Financial Institutions Examination Council (FFIEC), established in 1979, is a formal interagency body with a key goal of making recommendations to promote uniformity in the supervision of financial institutions. The FFIEC is empowered by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau.
The FFIEC is responsible for developing uniform principles, standards, and reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies. It conducts schools for examiners employed by the five federal member agencies represented on the FFIEC and makes those schools available to employees of state agencies that supervise financial institutions.
The FFIEC’s Latest Authentication Guidance
In August 2021, the FFIEC issued the “Authentication and Access to Financial Institution Services and Systems” Guidance to replace “Authentication in an Internet Banking Environment” and the “Supplement to Authentication in an Internet Banking Environment” issued by the FFIEC in 2005 and 2011, respectively. The Guidance reinforces the need for financial institutions that use Internet or mobile cellular network communications for providing customers with banking services or transactions to effectively authenticate users and customers as part of their information security program.
The new Guidance identifies some of the latest risks and considerations for financial institutions to tackle, including:
- The more extensive cybersecurity risk landscape necessitating layered security;
- The importance of monitoring, activity logging, and reporting processes and controls;
- The existence of bad actors focused on social engineering techniques and call center weaknesses and the usefulness of risk mitigation tools to establish effective call center controls and combat threat actors;
- The weakness of single factor authentication and the value of biometric identifiers;
- The importance of reliable identity verification methods.
How does the FFIEC enforce this Guidance?
While the FFIEC does not itself have any enforcement authority, the regulators comprising its board of governors, including the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau, refer to FFIEC standards, handbooks and guidance when performing examinations.
If a regulator is engaged in an audit, examination, or investigation pursuing a complaint, the regulator may look to compliance with the Guidance as evidence of the reasonableness of the actions taken by the financial institution. Moreover, the failure of a financial institution to implement appropriate controls may expose the institution to potential loss from fines and penalties issued by its primary regulator as well as from consumer litigation. Therefore, it is important for these financial institutions to be aware of and make efforts to comply with the Guidance.
How can Pindrop help?
Pindrop’s solutions are designed to provide the opportunity for organizations to create and improve upon multi-layered security controls, like multi-factor authentication. For financial institutions, Pindrop’s solutions can help address the considerations highlighted in the Guidance in several ways, including:
- Layered approach to security: Pindrop solutions use a multi-factor authentication approach, including voice (Something You Are), device (Something You Have), network analysis (Something You Have), behavior-keypress analytics (Something You Are) and other factors such as risk to help financial institutions identify potential fraudsters and to give financial institutions additional tools to help them verify genuine customers.
- Bad actors focused on social engineering and call center weaknesses: Pindrop’s call center authentication and fraud solutions are uniquely positioned to address manipulative social engineering techniques by leveraging patented technologies like its Deep Voice® Engine.
- Ability to help the institution monitor, log activity, and report potential suspicious activity: Pindrop offers solutions that provide account risk analytics based on call data that help identify when suspicious activity on an account may have occurred. Pindrop’s approach also provides inputs that financial institutions can use for both preventative and detective controls in the form of account monitoring analytics and fraud detection.
- Enhanced MFA authentication factor: The Guidance identifies the use of voice as a methodology for enhanced authentication control.
- Reliable identity verification methods: Pindrop’s voice-authentication solutions offer a mechanism for financial institutions to help them verify genuine callers against enrolled profiles and reduce the risk of identity theft, as part of their customer identification program.
From the above-mentioned technical solutions to consultations with our fraud and authentication experts, these are just some of the ways Pindrop can help. For more details on how Pindrop’s solutions help financial institutions follow FFIEC Guidance, make sure to download the Pindrop FFIEC Authentication FAQ today.
DISCLAIMER: This blog does not, and is not intended to, constitute legal advice or the provision of legal advice for or on behalf of Pindrop or any third party. Any customer or potential customer of Pindrop is responsible for ensuring that it obtains its own legal advice.