COMMUNITY BANK ADVISOR

Have You Completed a Risk Assessment for High-Risk Transactions?
By Raj Patel
Community Bank Advisor, 2007 Winter

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance on customer authentication for online banking services. Although the guidance states that U.S. banks are expected to comply with the rules by the end of 2006, some banks are still struggling to comply. The guidance specifically states:

Where risk assessments indicate that the use of single-factor authentication is inadequate [for high-risk transactions involving access to customer information or the movement of funds to other parties], financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

High-risk transactions include:

Access to customer information — Includes data that can be used for identity theft, such as names, contact information, Social Security numbers, bank account numbers, account details, etc.

Movement of funds to other parties — Includes bill payment, wire transfers to third parties, and transfers to accounts held by the customer outside of your institution.

The risk assessment approach depends on your overall multifactor strategy, such as:

Gateway authentication — Set one consistent level of authentication for all customers upon entry into the Internet banking site (e.g., device authentication, tokens). All customers undergo the same required authentication. (This will be the most common strategy for nearly all community banks.)

Zone-based authentication — Segment the Internet banking site into several risk zones (e.g., view account balance and history, bill payment, ACH/wire transfer, etc.) and require consistent authentication within the same risk zone.

Transaction-based authentication — Assess the risk of each transaction and activity (e.g., login, wires, bill payment) and adjust the required authentication in real time based on that risk.
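To make the difference between the three strategies concrete, here is an added example (not part of the original article or of any Plante & Moran template) that scores a small constructed catalog of online banking activities and shows what authentication level each strategy would demand. The risk factors, weights, zone names and thresholds are assumptions chosen for illustration; a real assessment would take them from the institution's own risk assessment.

```python
from dataclasses import dataclass

# Authentication levels, weakest to strongest (illustrative names).
SINGLE, MULTIFACTOR, MULTIFACTOR_OOB = 1, 2, 3

# Each online-banking activity sits in a risk zone (zone-based strategy).
ZONES = {"view_balance": "information", "view_history": "information",
         "bill_payment": "payments", "ach_transfer": "funds_movement",
         "wire_transfer": "funds_movement"}
ZONE_WEIGHT = {"information": 1, "payments": 2, "funds_movement": 3}

@dataclass
class Transaction:
    activity: str
    amount: float = 0.0
    third_party: bool = False  # funds leave the institution
    new_payee: bool = False    # destination not used before

def risk_score(tx):
    """Additive score; factors and weights are assumptions for illustration."""
    score = ZONE_WEIGHT[ZONES[tx.activity]]
    score += 2 if tx.third_party else 0
    score += 1 if tx.new_payee else 0
    score += 2 if tx.amount >= 10_000 else 0
    return score

def required_level(score):
    """Map a score to the authentication the assessment calls for."""
    if score <= 1:
        return SINGLE
    return MULTIFACTOR if score <= 4 else MULTIFACTOR_OOB

def gateway_level(catalog):
    """Gateway: one level at login, strong enough for the riskiest activity offered."""
    return max(required_level(risk_score(t)) for t in catalog)

def zone_level(catalog, zone):
    """Zone-based: one level per risk zone, shared by every activity in that zone."""
    return max(required_level(risk_score(t)) for t in catalog if ZONES[t.activity] == zone)

def transaction_level(tx):
    """Transaction-based: re-assess each activity and step up in real time."""
    return required_level(risk_score(tx))

# Constructed worst-case sample per activity, standing in for the assessment spreadsheet.
CATALOG = [Transaction("view_balance"), Transaction("view_history"),
           Transaction("bill_payment", 200, third_party=True),
           Transaction("ach_transfer", 500),
           Transaction("wire_transfer", 25_000, third_party=True, new_payee=True)]
```

With this catalog the gateway strategy forces every customer to the strongest level just to log in, while the zone-based and transaction-based strategies let balance inquiries stay at single-factor and step up only for payments and funds movement.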

Plante & Moran has developed templates for performing risk assessments for each of the three approaches. These templates can be accessed on our website at www.plantemoran.com/risk assessment/. Select the template that applies to your institution. Please note that there are numerous methods to perform a risk assessment; this is just one example. Feel free to modify the spreadsheet to fit your institution’s needs.