FFIEC
Puzzled about the FFIEC Guidance?
Looking Closer at the FFIEC Authentication Guidance
On October 12, 2005 the Federal Financial Institutions Examination Council issued the updated guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using online products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations.
The FFIEC Guidance states that the agencies consider:
"Single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation."
Faced with an impending deadline, many organizations are taking a phased approach that achieves compliance today and can easily evolve to include multifactor authentication over time.
Rapid Path to Compliance
Using multifactor authentication to defend online identities is one approach to fraud prevention, but there is another approach that can help achieve compliance quickly, while laying a foundation that can easily evolve to include strong authentication. Entrust TransactionGuard can watch transaction data and spot suspicious behavior. Now you can proactively contact customers and stop suspicious transactions before they are cleared. This long-standing and effective method of real-time fraud prevention has been used in the credit card industry for years.
In fact, real-time fraud detection with consumer notification has been validated as being consistent with FFIEC Guidance by the FDIC.
Finding fraud in massive volumes of data
The Entrust Risk Based Consumer Authentication Solution can help deliver quick compliance to the FFIEC guidance. It transparently monitors all web traffic in real time for anomalies in usage pattern behavior, transaction behavior, geo-location information and device fingerprint information. For example, the solution can identify anomalies like:
- a user logging in from an unknown machine or from a risky IP or location
- transfers of unusually large amounts to unknown accounts
- changing of personal information
Using a flexible anomaly detection engine, when suspicious behavior is spotted, an organization can decide to take remedial action, including:
- Real-time alerting of the customer via email, SMS, etc.
- Outbound manual phone calls to customers
- Offline reversal or suspension of suspicious transactions
Entrust solution delivers seamless security to help Detect, Defend and Adapt
Entrust TransactionGuard looks for behavioral anomalies without touching business applications or impacting the user experience.
Help detect fraud before it happens with:
- Rapid deployment that requires no changes to applications or the user experience.
- Flexible implementation for seamless fit with existing technology infrastructures and internal fraud management processes.
- Ready to go with an out-of-the-box library of behavior pattern baselines, customizable rules and a powerful analytics engine.
Once potential fraud has been spotted, Entrust TransactionGuard has sophisticated alert generation, case reporting and workflow capabilities.
Defend consumers and help address fraud with:
- Seamless integration into existing fraud detection programs using automated alert delivery and workflow.
- Simplified resolution tracking using an intuitive management interface.
- Reporting tools that mine rich data sets and deliver key information to the right users at the right time.
Fraud detection needs to be able to uncover and respond to changing fraud patterns.
Help Adapt to emerging threats with:
- Forensic fraud detection and post-transaction analysis of potential fraud cases with data capture of past transactions.
- Powerful analytics engine to help identify emerging threats.
- Rapid response to new threats with no change to business applications.
- Easy evolution to real-time risk-based authentication using Entrust IdentityGuard, Entrust's award-winning open multifactor authentication solution.
Easy evolution to risk-based authentication
Once the pressure of compliance is off, organizations can start to examine the other critical component of securing online transactions: strong authentication. Entrust IdentityGuard is an award-winning and cost-effective open multifactor authentication platform that lets organizations layer security across diverse users, transactions and applications.
The combined power of zero-touch fraud detection and open multifactor authentication provides organizations with an ability to both identify risk and respond using strong authentication. Using Entrust IdentityGuard, an organization can help reduce the impact of security on the user experience by requiring stronger authentication only if determined to be appropriate. This common-sense approach to consumer authentication lets an organization apply the right level of authentication tailored to the risk assessment of the transaction.
Multifactor Authentication Options
Authentication technologies range from simple to complex and provide varying levels of security and costs of ownership. The key is to select the method that provides the appropriate level of security for the risk associated with financial products, accounts and transactions. Regardless, an effective authentication method should have:
- customer acceptance (ease of use, transparency)
- reliability of performance
- scalability to accommodate growth
- interoperability with existing systems and future plans
The multifactor authentication technologies described in the FFIEC guidance include the following:
| Technology | Description | Entrust Solution | More Information |
|---|---|---|---|
| Shared secrets | Queries that require specific knowledge to answer (amount of monthly mortgage payment); customer-selected images that must be identified from a pool of images | YES | User authentication and mutual authentication capabilities of the Entrust IdentityGuard strong authentication platform leverage knowledge-based authentication |
| Tokens | USB token device (with or without digital certificate); smart card; password generating token (time synchronous) | YES, plus... | Entrust USB tokens can be used. The Entrust IdentityGuard platform offers several token options which are significantly cheaper than the RSA SecurID password generating token. |
| Biometrics (physical characteristic) | Fingerprints; iris configuration; facial configuration; voice pattern | YES | Yes, with Partner Integration |
| Non-Hardware-Based One-Time-Password | Grid card with coordinate lookup; scratch card | YES, plus... | Entrust IdentityGuard offers a wide range of options including security grid (patented) and OTP scratch card options integrated in a single strong authentication platform |
| Out-of-Band Authentication | Telephone call; email message; SMS text message | YES | Multi-channel authentication supporting voice, email, SMS text messages, ATM/Kiosk and in-person authentication options |
| Internet Protocol Address (IPA) Location and Geo-Location | Profile with "IP intelligence" including location, domain name, proxies, etc. | YES, plus... | IPA is one aspect of the Entrust IdentityGuard machine authentication techniques for strong user authentication on multiple devices |
| Mutual Authentication | Authenticating web site to consumer via digital certificate, shared secret or image | YES | Entrust IdentityGuard offers several mutual authentication techniques |
The Entrust IdentityGuard strong authentication platform's innovative capabilities allow each party in an online transaction to be confident in the identity of the other while providing the flexibility to match the risk associated with the given transaction. Importantly, Entrust IdentityGuard has minimal impact on the user experience and is a fraction of the cost of conventional hardware tokens. In fact, the product has received strong reviews from numerous analysts, including Forrester in their recent report "What To Look for In Consumer Strong Authentication Solutions" and IDC Corporation in their recent Product Flash.
View the demo to see firsthand how Entrust IdentityGuard works.
Talk to us about your strong authentication requirements.
