Layered security is one of the core tenets of the new FFIEC Authentication Guidance - and it's perhaps the most effective strategy for detecting and preventing banking fraud schemes. But what are some of today's most mature approaches to layered security, and how are banking institutions employing them to detect and prevent fraud at the transaction level and beyond?
Join a distinguished panel of industry experts to learn:
The types of layered security controls prescribed by the FFIEC, and what examiners will be looking for from institutions starting in January 2012;
Tips from banking institutions that are already deploying layered controls such as knowledge-based authentication, device identification, behavioral monitoring, anomaly detection and cross-channel pattern analysis;
Emerging technologies that will give institutions more efficient and effective ways to know their customers, improve fraud detection and create layered protection across all maintenance activities and customer devices.
In response to heightened incidents of fraud against banking institutions and customers, the Federal Financial Institutions Examination Council has formally released the long-awaited supplement to its "Authentication in an Internet Banking Environment" guidance, which was first issued by the FFIEC in October 2005.
Among the most prominent topics in the new guidance is "layered security," which the FFIEC defines as "the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control." But layered security controls also are appropriate beyond the transaction, in all customer interactions, and institutions are encouraged to use these controls to know their customers' banking habits, protect customer information, prevent ID theft and reduce losses to cross-channel fraud schemes such as account takeover.
Starting in January 2012, banking regulators will examine institutions for conformance with this new guidance. Specifically, examiners will look for how institutions have:
Improved their abilities to detect and respond to suspicious activity;
Enhanced controls for system administrators of business accounts.
Among the layered security methods recommended by the FFIEC:
Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
Dual customer authorization through different access devices;
Out-of-band verification for transactions;
"Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account;
Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows [e.g., days and times];
Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
In this exclusive session, Matthew Speare of M&T Bank will discuss how his institution has tackled the layered security strategy in all aspects of electronic banking. He then will lead a panel of industry experts in an open discussion about these different methods, as well as best practices in fraud prediction and detection across all channels, and how to improve the analysis of suspicious behavior across all transactional channels.
Mark Benoit has worked for 15+ years as a security consultant to many of the largest institutions in the U.S. An expert in security strategy and implementation, he is currently an Attachmate Security Expert focused primarily on fraud and privacy initiatives for U.S. banks, healthcare institutions, and government agencies. Just prior to joining Attachmate, Mark worked at Verizon Business supporting the sixth largest bank in the U.S. and several other Fortune 100 companies. Mark is recognized for his deep knowledge of security, fraud, and privacy issues and frequently comments on issues of security and risk for the media. He received a BA from Washington State University and completed The Management Program at the University of Washington.
Chief Products Officer, ThreatMetrix
Faulkner is a technology entrepreneur who has nearly two decades of experience building products and delivering mission-critical technologies that are run by the world's most trusted brands. Faulkner is a noted industry expert in issues relating to online fraud, cybercrime, identity theft, information security and networking technology. As chief products officer and co-founder at ThreatMetrix, he is responsible for product management and strategy. Prior to ThreatMetrix, Faulkner was a founder and head of products and business development for NetPriva, a leading network performance software provider, acquired by Expand Networks, now Riverbed. Prior to NetPriva, he was a senior consultant at Accenture in their e-commerce practice.
Smith is responsible for Fraud Market Planning for LexisNexis Risk Solutions, driving conceptual design of innovative solutions for financial service organizations in alleviating fraud risk. Prior to LexisNexis, he was a Fraud Risk Manager for General Electric (GE Money), Manager of Fraud Policy at Direct Merchant's Credit Card Bank, and Fraud Investigator for Certegy and Equifax. Smith began his training in the fraud industry by receiving a degree in Economic Crime from Utica College of Syracuse University and through an internship at the Financial Crimes Division of the United States Secret Service in Washington, DC.
Executive Vice President & Enterprise CIO, Regions Bank
Speare joined Regions in 2013 and serves as the head of governance and integration. Regions is a top U.S. bank-holding company headquartered in Birmingham, Ala., with $117 billion in assets, operating approximately 1,700 banking offices in 16 states. In this role, Speare has responsibility for information security; check, ATM/debit, and credit card fraud operations; and systems integration for consumer, business and commercial banking groups. Prior to assuming his current role in 2013, Speare was the chief technology officer for M&T Bank, an $82 billion financial institution based out of Buffalo, N.Y.