Institutions increasingly offer services to customers through
remotely accessible technology, such as the Internet and mobile
financial services. If the institution offers such services,
management should implement appropriate authentication techniques
commensurate with the risk from remote banking activities.
(Techniques include multiple-factor authentication, device
authentication, location consistency, and additional authentication
for sensitive functions.) Beyond authentication, remote access
controls should include additional layered security controls and
may include some combination of the
Institution customers may also use e-mail or other electronic
means to transmit instructions. All instructions received through
such channels should be authenticated and validated in accordance
with institution policies.
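The following is an added example and not text or code from the FFIEC booklet. It shows how the layered controls named above (multiple-factor authentication, device authentication, location consistency, and additional authentication for sensitive functions) can be combined into one risk-based access decision that returns a reviewable list of reasons. The data classes, the set of sensitive functions, the decision rules and the sample customer and requests are assumptions chosen for illustration, not any institution's actual policy.

```python
# Added example (not from the FFIEC booklet): a small risk-based
# authentication decision for customer remote access that layers
# multiple-factor authentication, device authentication, location
# consistency, and step-up authentication for sensitive functions.
# Every name, rule and sample value below is an assumption.
from dataclasses import dataclass, field

# Assumed set of functions that move money or change credentials.
SENSITIVE_FUNCTIONS = {"transfer_external", "add_payee",
                       "change_contact", "change_password"}


@dataclass
class Customer:
    customer_id: str
    known_device_ids: set = field(default_factory=set)  # enrolled devices
    usual_countries: set = field(default_factory=set)   # login history
    mfa_enrolled: bool = True


@dataclass
class SessionRequest:
    customer_id: str
    device_id: str
    country: str
    function: str
    password_ok: bool          # primary credential verified upstream
    mfa_ok: bool = False       # second factor presented in this session?
    step_up_ok: bool = False   # fresh re-authentication for this action?


def assess(customer, req):
    """Return (decision, reasons). decision is 'deny', 'challenge'
    (more authentication is needed before the action proceeds) or
    'allow'. Each layered control contributes a reason so the outcome
    can be logged and reviewed."""
    if req.customer_id != customer.customer_id or not req.password_ok:
        return "deny", ["primary credential check failed"]

    reasons = []

    # Device authentication: is this a device the customer enrolled?
    if req.device_id not in customer.known_device_ids:
        reasons.append("unrecognised device")

    # Location consistency: does the origin match the customer's history?
    if customer.usual_countries and req.country not in customer.usual_countries:
        reasons.append("location %s inconsistent with history" % req.country)

    sensitive = req.function in SENSITIVE_FUNCTIONS
    if sensitive:
        reasons.append("%s is a sensitive function" % req.function)

    # Multiple-factor authentication, required whenever any risk signal
    # fired. A customer who cannot present a second factor is refused
    # rather than waved through on a single credential.
    if reasons and not req.mfa_ok:
        if not customer.mfa_enrolled:
            return "deny", reasons + ["no second factor enrolled"]
        return "challenge", reasons + ["second factor required"]

    # Additional authentication for sensitive functions: a fresh step-up
    # even on a trusted device, so a hijacked session cannot move money.
    if sensitive and not req.step_up_ok:
        return "challenge", reasons + ["step-up authentication required"]

    return "allow", reasons


# Constructed sample customer and requests (not real data).
SAMPLE_CUSTOMER = Customer("C-1001", {"dev-a"}, {"US"})

SAMPLE_REQUESTS = {
    "balance_known_device": SessionRequest("C-1001", "dev-a", "US", "view_balance", True),
    "balance_new_device":   SessionRequest("C-1001", "dev-z", "US", "view_balance", True),
    "transfer_no_step_up":  SessionRequest("C-1001", "dev-a", "US", "transfer_external", True, mfa_ok=True),
    "transfer_step_up":     SessionRequest("C-1001", "dev-a", "US", "transfer_external", True, mfa_ok=True, step_up_ok=True),
    "bad_password":         SessionRequest("C-1001", "dev-a", "US", "view_balance", False),
}


def run_demo():
    """Evaluate every sample request; returns {name: (decision, reasons)}."""
    return {name: assess(SAMPLE_CUSTOMER, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_demo().items():
        print("%-22s %-9s %s" % (name, decision, "; ".join(reasons) or "-"))
```

The point of returning reasons alongside the decision is that the layered controls then produce an audit trail: an institution can see which signal (unrecognised device, inconsistent location, sensitive function) drove a challenge or denial, and tune the rules to the risk it actually observes rather than to a fixed checklist.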
An area of heightened concern when financial institutions offer
remote financial services is the potential for malicious activity
against the institution's mobile or online services. Malicious
actors may restrict availability to those services through denial
of service (DoS) attacks that target the institution's ISPs,
third-party service providers, infrastructure, or applications.
Additionally, attacks on organizations that share infrastructure
with the institution, including domain name services, may adversely
affect the availability of remote services. Management should
develop and maintain policies and procedures to identify, measure,
mitigate, monitor, and report on significant security incidents to
ensure the resilience of remote financial services. Planning and
coordination by the institution and its third-party service
providers may improve the resilience of services in the face of
those attacks. To prevent or minimize exposure to these incidents,
management should do the following:
The institution should develop and test an incident response
plan in conjunction with the institution's ISPs and third-party
service providers to mitigate the interruption of mobile or remote
financial services. Refer to the "Incident Response" section of
this booklet for more information.
Customers may be provided with a website disclosure with the
institution's customer acceptable-use policy. Depending on the
nature of the website, the institution may require customers to
demonstrate knowledge of and agreement to abide by the terms of the
acceptable-use policy. That evidence can be paper-based or
Refer to appendix E, "Mobile Financial Services," of the IT
Handbook's "Retail Payment Systems" booklet for more information
about mobile financial services.