Have You Completed a High-Risk Assessment?
by Raj Patel
Credit Union Advisor, 2007 Spring
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance on customer authentication for online transaction services. The guidance states that U.S. credit unions were to comply with the rules by the end of 2006. The guidance specifically states:
Where risk assessments indicate that the use of single-factor authentication is inadequate [for high-risk transactions involving access to customer information or the movement of funds to other parties], financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
High-risk transactions include:
Access to member information — Includes data that can be used for identity theft such as names, contact information, Social Security numbers, credit union account numbers, account details, etc.
Movement of funds to other parties — Includes bill payment, wire transfers to third parties, and transfers to accounts held by members outside of your institution.
The risk assessment approach depends on your overall multifactor strategy, such as:
Gateway authentication — Setting one consistent level of authentication for all members upon entry into the Internet banking site (e.g., device authentication, tokens). All members would undergo the same required authentication regardless of what they do once logged in. (This will be the most common strategy for most credit unions.)
Zone-based authentication — Segment the Internet banking site into several risk zones (e.g., view account balance and history, bill payment, ACH/wire transfer, etc.) and require the same level of authentication for every activity within a given risk zone, stepping members up as they move into a higher-risk zone.
Transaction-based authentication — Assess the risk of each transaction and activity (e.g., login, wires, bill payment) and adjust the required authentication in real time based on that risk.
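The three strategies above differ mainly in when the authentication decision is made and on what input. The following Python is an added illustration, not code from the article or from Plante & Moran: it models all three as policy functions that return the assurance level a request needs, then compares that against what the session has already satisfied to decide whether the member must step up. The zone names, risk weights and thresholds are assumptions chosen for the demonstration, not values from the FFIEC guidance.

```python
"""Illustrative step-up authentication policy for gateway, zone-based and
transaction-based strategies. Added example; zone assignments, risk weights
and thresholds are assumptions, not values from the FFIEC guidance."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Strength of authentication a session has satisfied or a request requires."""
    PASSWORD = 1   # single factor
    DEVICE = 2     # password plus a registered device
    OTP = 3        # password plus a one-time token or out-of-band confirmation


@dataclass(frozen=True)
class Session:
    member_id: str
    assurance: Assurance        # factors already satisfied in this session
    device_registered: bool     # login came from a device the member enrolled


@dataclass(frozen=True)
class Transaction:
    kind: str                   # view_balance, internal_transfer, bill_pay, external_transfer, wire
    amount: float = 0.0
    new_payee: bool = False     # funds going to a party the member has not paid before


# Strategy 1: gateway. One level for everyone at login; no per-request decision.
GATEWAY_LEVEL = Assurance.DEVICE


def gateway_required(tx: Transaction) -> Assurance:
    return GATEWAY_LEVEL


# Strategy 2: zone-based. Each activity belongs to a zone with a fixed level (assumed mapping).
ZONE_LEVELS = {
    "view_balance": Assurance.DEVICE,       # access to member information
    "internal_transfer": Assurance.DEVICE,  # funds stay inside the institution
    "bill_pay": Assurance.OTP,              # movement of funds to other parties
    "external_transfer": Assurance.OTP,
    "wire": Assurance.OTP,
}


def zone_required(tx: Transaction) -> Assurance:
    # Unknown activity is treated as the highest-risk zone rather than silently allowed.
    return ZONE_LEVELS.get(tx.kind, Assurance.OTP)


# Strategy 3: transaction-based. Score each request, then map the score to a level.
def risk_score(tx: Transaction, session: Session) -> int:
    score = 0
    if tx.kind in ("bill_pay", "external_transfer", "wire"):
        score += 3          # funds leave the institution
    if tx.kind == "wire":
        score += 2          # effectively irrevocable once sent
    if tx.amount >= 10_000:
        score += 3
    elif tx.amount >= 1_000:
        score += 1
    if tx.new_payee:
        score += 2
    if not session.device_registered:
        score += 2          # unrecognized device
    return score


def transaction_required(tx: Transaction, session: Session) -> Assurance:
    score = risk_score(tx, session)
    if score >= 6:
        return Assurance.OTP
    if score >= 2:
        return Assurance.DEVICE
    return Assurance.PASSWORD


STRATEGIES = {
    "gateway": lambda tx, s: gateway_required(tx),
    "zone": lambda tx, s: zone_required(tx),
    "transaction": transaction_required,
}


def decide(strategy: str, tx: Transaction, session: Session) -> tuple:
    """Return (required level, True if the member must step up before proceeding)."""
    required = STRATEGIES[strategy](tx, session)
    return required, required > session.assurance


if __name__ == "__main__":
    # Constructed sample: member logged in with a password only, from an unregistered device.
    session = Session("m-1001", Assurance.PASSWORD, device_registered=False)
    samples = [
        Transaction("view_balance"),
        Transaction("internal_transfer", amount=500),
        Transaction("bill_pay", amount=120),
        Transaction("wire", amount=25_000, new_payee=True),
    ]
    for strategy in STRATEGIES:
        for tx in samples:
            level, step_up = decide(strategy, tx, session)
            print(f"{strategy:12} {tx.kind:18} requires {level.name:8} step_up={step_up}")
```

Running the sample shows the practical difference: the gateway strategy demands the same second factor for a balance inquiry as for a wire, the zone strategy always forces a one-time code for any bill payment, and the transaction strategy lets a small payment to an existing payee proceed on a registered device while still requiring a one-time code for a large wire to a new payee. Whichever strategy is chosen, the risk assessment template should record why each activity received its level.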
Plante & Moran has developed templates for performing risk assessments for each of the three approaches. These templates can be accessed on our website at www.plantemoran.com/riskassessment. Select the template that applies to your institution. Please note that there are numerous methods to perform a risk assessment, and this is just one example. Feel free to modify the spreadsheet to fit your institution's needs.