Managing ACH Risk

In 2021, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance, Authentication and Access to Financial Institution Services and Systems, which replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). Those earlier documents provided risk management practices for financial institutions offering Internet-based products and services. The 2021 Guidance acknowledges significant risks in the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers in order to protect information systems, accounts, and data. It also recognizes that authentication considerations now extend beyond customers to include employees, third parties, and system-to-system communications.

The Guidance highlights risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program. Periodic risk assessments inform financial institution management’s decisions about authentication solutions and other controls deployed to mitigate identified risks. When a risk assessment indicates that single-factor authentication with layered security is inadequate, multi-factor authentication (MFA) or controls of equivalent strength, combined with other layered security controls, can more effectively mitigate the risks associated with authentication.

Types of Risk:

  • Strategic Risk – The risk of loss to earnings and capital for improperly aligning the organization’s goals with its capabilities and management expertise.

  • Reputation Risk – The risk of loss to earnings and capital when the organization’s public image is negatively impacted by damaged customer relationships. This could result in loss of public confidence and trust and increase the risk for expensive lawsuits.

  • Fraud Risk – The risk that a payment transaction will be initiated or altered to misdirect or misappropriate funds.

  • Credit Risk or Exposure Risk – The risk that a party to a transaction cannot provide the necessary funds, as contracted, for settlement to take place.

  • Operational Risk – The risk that a transaction will be altered or delayed due to an unintentional error, either mechanical or human.

  • Compliance Risk – The risk of loss to earnings and capital when the organization fails to be in compliance with the ACH Rules, federal and state laws, and regulations.

  • Liquidity Risk – The risk of loss when one or both of the organizations involved in a transaction do not have sufficient liquid assets to settle funds.

Fraud Prevention Practices:

  • Appropriate steps should be taken within your organization to ensure that all user IDs, passwords, authentication methods, and any other applicable security procedures issued to your employees are protected and kept confidential. All staff should be aware of the need for proper user security, password controls, and separation of duties.

  • The organization should consider having one computer in the office which is not used to browse the internet. Limiting internet access to the computer which is used to house and transmit ACH data will help avoid the accidental downloading of harmful programs or viruses that could potentially compromise the organization’s computer system.

  • Dual control, in which one employee generates the ACH file and the system requires a second employee to log in and approve it, is strongly encouraged: it enforces separation of duties and helps prevent ACH origination fraud. Organizations should use dual control to submit ACH files for processing.

  • ACH origination systems should use multi-factor authentication by way of a secure user ID, password, picture, and access token code, and should present the user with challenge questions when a transaction appears to be outside the normal range for the organization.

  • The organization should have solid policies and procedures in place to avoid becoming another fraud victim. The sooner ACH fraud can be detected, the more successful the organization will be in recovering potentially lost funds.
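The dual-control practice above, as an added illustration that is not part of the original guidance or any bank's software: a hypothetical approval gate that refuses self-approval and, by hashing the file at generation time, also catches a file that was altered between generation, approval, and submission (the "altered transaction" in the fraud and operational risk definitions). The sample file content and employee names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample standing in for a real NACHA-format ACH file.
SAMPLE_ACH_FILE = b"021000021|123456789|1500.00\n021000021|987654321|250.00\n"


@dataclass
class AchSubmission:
    originator: str                 # employee who generated the file
    content_hash: str               # SHA-256 of the file at generation time
    approver: Optional[str] = None  # set only by a different employee
    audit_log: list = field(default_factory=list)


def generate(originator: str, content: bytes) -> AchSubmission:
    """Step 1: an employee builds the file; record who, and a hash of what."""
    sub = AchSubmission(originator, hashlib.sha256(content).hexdigest())
    sub.audit_log.append(f"generated by {originator}")
    return sub


def approve(sub: AchSubmission, approver: str, content: bytes) -> str:
    """Step 2: a second employee reviews the file. The same person, or a file
    that no longer matches what was generated, is refused and logged."""
    if approver == sub.originator:
        sub.audit_log.append(f"REJECTED: {approver} attempted self-approval")
        return "rejected: separation of duties"
    if hashlib.sha256(content).hexdigest() != sub.content_hash:
        sub.audit_log.append("REJECTED: content changed since generation")
        return "rejected: file altered"
    sub.approver = approver
    sub.audit_log.append(f"approved by {approver}")
    return "approved"


def submit(sub: AchSubmission, content: bytes) -> str:
    """Step 3: release to the bank only with an independent, still-valid approval."""
    if sub.approver is None:
        return "blocked: no approval"
    if hashlib.sha256(content).hexdigest() != sub.content_hash:
        sub.audit_log.append("BLOCKED: content changed after approval")
        return "blocked: file altered"
    sub.audit_log.append("submitted")
    return "submitted"
```

The audit log is what an investigator would want after an incident: who generated, who approved, and every refused attempt.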