II.C.16 Customer Remote Access to Financial Services
Management should do the following:
- Develop and maintain policies and procedures to securely offer and strengthen the resilience of remote financial services, if the institution offers such services.
- Plan for actions that adversely affect the availability of remote banking services to customers.
- Coordinate appropriate responses with the institution's ISPs and third-party service providers.
- Regularly test the institution's response plans.
Institutions increasingly offer services to customers through remotely accessible technology, such as the Internet and mobile financial services. If the institution offers such services, management should implement appropriate authentication techniques (techniques include multiple factor authentication, device authentication, location consistency, and additional authentication for sensitive functions) commensurate with the risk from remote banking activities. Beyond authentication, remote access controls should include additional layered security controls and may include some combination of the following:
- Application time-outs with mandatory re-authentication.
- Fraud detection and monitoring systems that include consideration of customer history and behavior to alert management, and enable a timely and effective institution response.
- Dual customer authorization through different access devices.
- Out-of-band verification for transactions. (Out-of-band refers to activity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.)
- Positive pay, debit blocks, and other techniques to appropriately limit the transactional use of the account. (Positive pay is a technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued.)
- Supplementary controls over certain account activities, such as transaction value limits, restrictions on devices for adding payment recipients, limits on the number of transactions allowed per day, and allowable payment windows (e.g., days and times).
- Reputation-based tools to block connections to the institution's servers based on device or network indicators known or suspected to be associated with fraudulent activities.
- Device authentication with appropriate enrollment and de-enrollment processes.
- Policies for addressing customer devices identified as potentially compromised and identifying customers who may be facilitating fraud.
- Controls over changes to account maintenance activities (e.g., address or password changes) performed by customers either online or through customer service channels.
- Supplementary controls for system administrators who are granted privileges to set up or change system configurations of business accounts. (Refer to the FFIEC's "Supplement to Authentication in an Internet Banking Environment.")
- Customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
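As an added illustration (not part of the FFIEC text), the following shows how the supplementary account controls listed above (transaction value limits, daily transaction counts, allowable payment windows, device restrictions for adding payment recipients, and out-of-band verification for sensitive functions) can be combined into one layered decision. The policy values, device identifiers, and request fields are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time


# Constructed policy values for one business account; an institution would
# set these per account and risk tier (assumption for this example).
@dataclass(frozen=True)
class AccountPolicy:
    per_transaction_limit: float = 5_000.00
    daily_count_limit: int = 10
    # Allowable payment window: local weekdays (Mon=0 .. Fri=4), 07:00-19:00.
    allowed_days: frozenset = frozenset({0, 1, 2, 3, 4})
    window_start: time = time(7, 0)
    window_end: time = time(19, 0)
    # Only devices enrolled for payee maintenance may add a new recipient.
    payee_change_devices: frozenset = frozenset({"enrolled-desktop-1"})


@dataclass(frozen=True)
class TransferRequest:
    amount: float
    submitted_at: datetime
    device_id: str
    recipient_is_new: bool
    transactions_today: int  # transfers already accepted today on this account


def evaluate_transfer(req: TransferRequest, policy: AccountPolicy):
    """Apply the layered controls and return (decision, reasons).

    "deny"    - a hard limit is breached; the request is rejected outright.
    "step_up" - within limits but touches a sensitive function (new payee),
                so it must be confirmed through out-of-band verification.
    "allow"   - within limits and no sensitive function involved.
    """
    reasons = []
    if req.amount > policy.per_transaction_limit:
        reasons.append("amount exceeds per-transaction value limit")
    if req.transactions_today >= policy.daily_count_limit:
        reasons.append("daily transaction count limit reached")
    in_window = (req.submitted_at.weekday() in policy.allowed_days
                 and policy.window_start <= req.submitted_at.time() <= policy.window_end)
    if not in_window:
        reasons.append("outside allowable payment window")
    if req.recipient_is_new and req.device_id not in policy.payee_change_devices:
        reasons.append("new recipient added from a device not enrolled for payee changes")
    if reasons:
        return "deny", reasons
    if req.recipient_is_new:
        return "step_up", ["new recipient: confirm via out-of-band verification"]
    return "allow", []
```

Each denied reason is returned rather than only the first, so the fraud-monitoring channel can record every control the request tripped.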
Institution customers may also use e-mail or other electronic means to transmit instructions. All instructions received through such channels should be authenticated and validated in accordance with institution policies.
An area of heightened concern when financial institutions offer remote financial services is the potential for malicious activity against the institution's mobile or online services. Malicious actors may restrict availability to those services through denial of service (DOS) attacks that target the institution's ISPs, third-party service providers, infrastructure, or applications. Additionally, attacks on organizations that share infrastructure with the institution, including domain name services, may adversely affect the availability of remote services. Management should develop and maintain policies and procedures to identify, measure, mitigate, monitor, and report on significant security incidents to ensure the resilience of remote financial services. Planning and coordination by the institution and its third-party service providers may improve the resilience of services in the face of those attacks. To prevent or minimize exposure to these incidents, management should do the following:
- Monitor threat alerts.
- Monitor service availability and diagnose causes of reduced availability.
- Monitor applications and network traffic for indicators of nefarious activity.
- Ensure traffic filtering by the institution's ISP or upstream ISP (an upstream ISP is usually a large ISP that provides Internet access to a local ISP), third-party service providers, and internal resources.
- Design and implement applications to withstand application-level DOS.
- Utilize distributed architecture.
- Limit traffic (e.g., allow valid traffic and block known bad traffic by port or IP address).
- Add bandwidth.
- Enable access to services through alternative channels.
The institution should develop and test an incident response plan in conjunction with the institution's ISPs and third-party service providers to mitigate the interruption of mobile or remote financial services. Refer to the "Incident Response" section of this booklet for more information.
Customers may be provided with a website disclosure with the institution's customer acceptable-use policy. Depending on the nature of the website, the institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the acceptable use policy. That evidence can be paper-based or electronic.
Refer to appendix E, "Mobile Financial Services," of the IT Handbook's "Retail Payment Systems" booklet for more information about mobile financial services.