On-line Banking: Current State of the Industry - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
On-line Banking: Current State of the Industry
  • Richard R. McGuigan
  • Executive Vice President
  • Community Bankers of Wisconsin
  • rick_at_communitybankers.org

2
Agenda
  • Overview
  • Current products and services
  • Security issues
  • Legal/Contractual issues
  • Recommended Best Practices

3
2007 Federal Reserve Payments Study
4
(No Transcript)
5
(No Transcript)
6
(No Transcript)
7
What High Net Worth Customers Want
8
(No Transcript)
9
(No Transcript)
10
Multi-Factor Authentication: Is it enough?
11
Bank Compliance with FFIEC
12
Counter-intuitive Security Facts
13
Fraud Response to FFIEC Guidelines
14
(No Transcript)
15
The Evolution of Security Risks
  • Nigerian 419 letter scams (1970s)
  • Phishing
  • Pharming
  • Spear phishing (targeted phishing)
  • Redirected websites/domains
  • Man-in-the-middle attacks
  • Auto exploit bots
  • Distributed denial of service attacks
  • Crimeware

16
What is Crimeware?
17
What's the big deal?
18
Crimeware is evolving!
19
Regulatory Compliance Requirements
  • FFIEC Information Security Handbook
  • GLBA Section 501(b) (Information Security)
  • USA PATRIOT Act Section 326 (CIP)
  • Check 21
  • Federal E-Sign Act and UETA
  • NACHA and WACHA Rules (Reg E)
  • 12 CFR Part 30 (Interagency Guidelines
    Establishing Standards for Safeguarding Customer
    Information)
  • ID Theft Red Flags

20
Electronic Consumer Products
  • Online banking
  • Bill pay
  • Online check images
  • Mobile (phone) banking
  • Remote deposit capture (CheckFree)
  • Alerts
  • Loan and deposit applications
  • Debit/ATM cards
  • Telephone banking
  • ACH debits and credits
  • Electronic Benefits Transfer (EBT)

21
Electronic Business Products
  • Online banking
  • Wire and telephone transfers
  • Merchant services
  • ACH (ARC, POP, RCK, TEL, WEB, BOC)
  • Credit/debit card processing
  • Cash management services
  • Remote capture deposit
  • Automatic investment sweep accounts
  • Lockbox services
  • ACH originations
  • Positive pay
  • Payroll services

22
Electronic Banking Security Issues
  • Network security concerns
  • Every FI must have a written IT Security Policy
    based on an IT risk assessment
  • Website security concerns
  • Customer authentication/security concerns
  • Every FI must have other than single factor
    authentication for higher risk online banking
    transactions (layered security)

23
Network Security 101
24
Network Interfaces
25
Fundamental Firewall Rules
26
Network Controls
27
Virus Protection: Basic Steps to Protect Systems
28
Spyware Protection: Basic Steps to Protect Systems
29
Network Scanning: Why do we need them?
30
Summary: Network Security 101
31
Customer Authentication/Security Concerns
32
Is FFIEC Compliance Sufficient?
33
(No Transcript)
34
(No Transcript)
35
What's Ahead with FFIEC?
36
Going Beyond FFIEC Voice
37
FFIEC Telephone Banking
38
Beyond FFIEC Guidance
39
The Fourth Factor
40
Transaction Monitoring
41
(No Transcript)
42
Consumer-Directed Security
43
Security Threats: What's Next?
44
Security Bottom Line
45
Card Security Update
46
Remote Deposit Capture: Legal/Contractual Issues
47
(No Transcript)
48
(No Transcript)
49
Risk Factors with Remote Capture
50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
(No Transcript)
55
(No Transcript)
56
Example of Potential Problem
57
Why Does a Bank Need an Agreement?
58
Things a RDC Agreement Should Cover
59
(No Transcript)
60
Electronic Contractual Issues
61
Federal E-Sign Act
62
(No Transcript)
63
(No Transcript)
64
E-Sign and UETA (state law): Authenticity, Integrity, Security
65
Electronic Record Retention
66
(No Transcript)
67
(No Transcript)
68
New Rules for Electronically Stored Information (ESI)
69
(No Transcript)
70
(No Transcript)
71
Recent Cases to be Aware of
  • Wachovia Bank v. Foster Bancshares
    • Forgery vs. alteration of check with check imaging involved. Found alteration.
  • Chevy Chase Bank F.S.B. v. Wachovia Bank
    • Forgery vs. alteration with check imaging involved. Found forgery.
  • Travelers Cas. & Surety Co. v. Northwestern Mutual Life Ins. Co.
    • Breach of fiduciary duty

72
Questions?