Written by Bernadette Clair, Regulatory Compliance Counsel
One of the articles in NCUA's May 2013 Report takes a look at Electronic Banking Threats and Security. The article reminds credit unions to be diligent in safeguarding member information and ensuring proper security and controls when offering E-banking services, such as internet banking, phone banking, mobile banking, etc. (Exam Tip: According to the article, NCUA examiners have received updated training on E-banking security and have been instructed to review these areas in more detail during exams.)
The article highlights guidance from the regulators related to E-banking. From the article:
"In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled Authentication in an Internet Banking Environment. The guidance provided minimum supervisory expectations for effective authentication controls related to high-risk online transactions involving access to customer information or the movement of funds to other parties.
In 2006, NCUA issued a Letter to Credit Unions, No. 06-CU-13, to aid in the implementation of the authentication guidance and provided answers to frequently asked questions. The letter reinforced the risk-management framework specified in the FFIEC’s earlier letter and updated supervisory expectations for effective member authentication mechanisms, layered security and other controls to combat identity theft, cyber attacks and online transaction fraud.
A 2011 Letter to Credit Unions, No. 11-CU-09, reflects a more layered approach to risk management, and includes annual risk assessments for E-banking services. It discusses minimum monitoring requirements at initial login and for funds transfers, as well as additional guidance on challenge question authentication techniques. The letter also has valuable information about new expectations for customer awareness programs, as well as recommendations for increased scrutiny of commercial accounts.
In February 2013, NCUA issued additional guidance in the form of a Risk Alert, 13-Risk-0. The Alert encourages risk mitigation strategies against DDoS attacks such as:
- performing risk assessments aimed at identifying risks associated with DDoS attacks;
- ensuring incident response programs include DDoS attack scenarios during testing; and
- performing ongoing third-party due diligence of Internet and web-hosting service providers to identify risks and implement appropriate traffic management policies and controls."
See the article for additional details and guidance resources.