FFIEC Guidelines: Catching Up to Best Practices in Device Identification and Identity Verification
Boiled down to its essence, the latest guidance issued by the Federal Financial Institutions Examination Council (FFIEC) is rather simple.
Essentially it's asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification - such as IP address checks, static cookies and challenge questions derived from customer enrollment information - to more complex device identification and more complex out-of-wallet identity verification procedures.
Of course, leading financial services organizations have employed defense-in-depth strategies for years, both online and offline. No experienced IT security professional would put all of an institution's defensive strategies in a single process. This is hardly news.
In addition, while the specific call for "complex" out-of-wallet questions and device identification is news, top financial institutions have employed these techniques, in various applications, for quite some time. The problems that IT security leaders wrestle with on a day-to-day basis are more specific to making sure that the use out-of-wallet questions and device identification is done with optimal efficacy and that a balance is achieved with their other processes and the need to minimize friction for the customer.
Out-of-wallet identity verification
The recent FFIEC guidance states, "Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as out-of- wallet questions that do not rely on information that is often publicly available." I'd like to offer some suggestions as to what "sophistication" means with regards to out-of-wallet questions.
The use of interactive questions to further verify the legitimacy of an identity certainly remains an important and effective tool across multiple industries and points in the Customer Life Cycle.
However, out-of-wallet questions must be managed and used dynamically. ExperianÂ® consults with clients to find the optimal process points and question session configuration to strike the right balance among the often opposing forces of fraud prevention, customer experience and cost. Any institution should consider, at a minimum, the following when evaluating an out-of-wallet question service provider and implementation:
- Questions founded in as diverse a universe of data categories as possible, including credit and noncredit assets if permissible purpose exists
- Consumer question performance as an element among many within an overall risk-based decisioning policy
- Robust performance monitoring via established key performance indicators associated with individual question performance and overall effectiveness of policy
- An established process to rotate questions and adjust access parameters and velocity limits at both the institution and the consumer level
Cross-referencing a customer's question performance with other risk attributes such as authentication scores generally will provide the most useful decisioning criteria. Question sessions must employ speed and time limits, question rotation and hierarchies, and exclusionary conditions; they also must tailor weighting of one question compared with another based on predictive value in a particular market or process point.
The return on investment associated with out-of-wallet questions is often most compelling when the evaluation includes not only fraud prevention, but also customer experience and cost savings (in lieu of more manual customer management processes). Some of these values may be considered soft costs or less quantifiable, but in reality they are quite real.
Complex device identification
While "simple" device identification continues to be used in some industries, major financial institutions have moved on to more "complex" identification techniques. The use of singular, easily defeated attributes such as IP address, cookies and tokens is not effective. More complex techniques involve assessing larger sets of attributes and applying both pattern recognition algorithms and pattern-learning processes for device identification and recognition. Moreover, any system that's going to be used effectively in today's Internet environment needs to be adept at recognizing a wide variety of devices, from older PCs to the latest Android tablets.
However, simply using more complex methodologies for device identification and recognition is not enough. It's critical to be able to assess, in real time, the risk posed by both the attributes and the behavior of the device. Used effectively, devices are reasonable proxies for individuals. Understanding how those individuals are connected to each other, as well as their past and current behavior, is critical. Device Reputation provides that level of insight in real time.
In the world of online security, experience is critical
Layered together, Experian's authentication capabilities (including out-of-wallet questions and analytics) and iovation's device reputation services offer a more comprehensive approach to meeting and exceeding the FFIEC's most recent guidance. More importantly, they offer the most effective and efficient means to mitigating risk in online environments and have been market-tested in the most challenging financial services applications.
Both Experian and iovation offer a level of experience that provides distinct advantages, and the services are designed to work collaboratively, providing ultimate flexibility for a truly effective layered security strategy.
This article requires a full-access membership (free).
Please login or register to continue reading.