Charlie's Corner
By Charlie Fulks, CEO

  The 2006 year-end NCUA compliance deadline for Internet Authentication is quickly approaching so I thought it might be helpful to review what is required.

  1. Assessment  -  Every Credit Union must perform an assessment to determine whether high-risk transactions are performed through its Internet services.  High-risk transactions are defined as access to member information or the movement of funds to other parties; offering a Bill Pay service automatically qualifies as having high-risk transactions.  This assessment must be completed even if you have already implemented multifactor authentication.  It does not have to be long, but it should address what systems you have, what exposure the Credit Union has through high-risk transactions, and the recommended action: implementing multifactor authentication where appropriate.
  2. Implement Multifactor Authentication  -  If you allow high-risk transactions on an Internet-based system, you need to provide multifactor authentication.  DMS can do this for your Internet banking system, but you have to contact them to do it.  Make sure you notify your members about the changes so they know this is for better protection of their accounts and personal information.  If your Bill Pay system uses a separate login, you will also need to work with your Bill Pay provider on this.
  3. Monitoring  -  Credit Unions with high-risk transactions need to have monitoring systems which can determine whether unauthorized access to a computer system or to member accounts has occurred.  It is a little unclear as to whether this is just intrusion detection programs at the banking/Bill Pay providers, or whether something more is needed at the Credit Union.  This is a difficult thing to monitor and catch.  I would document what your providers are doing and make sure that your internal policies, procedures and training address what will be done by the Credit Union if a member complains that their account may have been compromised.

  4. Member Education  -  Finally, you need a program to educate your members on fraud prevention.  This needs to be a formal written plan to continually educate members about the risks of identity theft and phishing scams and how to avoid them, via your web site, newsletters, special mailings, etc.

  There has been some indication that Telephone Banking systems (PDTALK) need to be included in this.  This is hard to understand because the guidance specifically addresses Internet-based systems.  We feel that there is little exposure for Telephone Banking systems and that multifactor authentication for these systems would be very, very difficult to implement.  We do suggest including PDTALK in your assessment if you use it, and indicating that it provides access to very limited member information and that no money transfers are made to other accounts where the member is not an owner of the account.  Although we allow transfers to other members' accounts, these are most likely set up by the member in person at the Credit Union, where you have the ability to verify ownership of the other accounts.  We also require the other account number and the PIN on that account, so that added security reduces exposure as well.
  Please contact me if you have any other questions on this that I might be able to answer.  You may want to reference NCUA Letters to Credit Unions 05-CU-18 and 06-CU-13.  These also reference another document, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment.  They are available on www.ncua.gov.
