As financial institutions dive into the newest channels to reach consumers and accept payments in every moment of their lives, they enter riskier scenarios that create a greater need for multi-factor authentication.
All of the highly automated processes involved in omnichannel interactions usually call for re-engineering of various bank systems, potentially leaving single-channel fraud controls inadequate, according to the Federal Financial Institutions Examination Council's 2016 Retail Payment Systems guidance booklet.
The FFIEC, a body of federal examiners drawn from several regulatory agencies, issues examination guidance describing its findings on financial institution systems and their vulnerabilities as they relate to handling payments through the Automated Clearing House, payment cards, and electronic and mobile channels.
The report's section on mobile financial services should catch the attention of bank technologists, said Todd Thiemann, vice president of marketing for Nok Nok Labs, a security technology provider and key member of the Fast IDentity Online (FIDO) Alliance, which has worked for several years to replace traditional passwords for device authentication.
The FFIEC cites risks in authentication, compliance and third-party management, and in device, application and data-transmission security. These risks are compounded because bank customers are unlikely to proactively use security controls, virus protection or personal firewall functionality on their mobile devices, the 147-page report states.
"The focus is on security, but the whole stage is being set that you can have better security even with a better consumer experience," Thiemann said. "We are seeing a rapid uptake of authentication enabling through biometrics services in the financial industry."
When Nok Nok Labs last reviewed biometrics adoption, it found that eight of the top 10 U.S. banks were using Touch ID in their mobile banking apps, while two of the 10 supported biometric authentication on Android handsets, Thiemann added.
"Now the FFIEC comes in and says all of the mobile advancements have to happen in a secure manner by following secure development lifecycles, adequate safeguards, device fingerprint and geo-location technology," Thiemann said. "It is technology that is all of keen interest to financial institutions now."
Thiemann acknowledges that the FFIEC guidance calls for use of biometrics, which is "near and dear to our hearts at Nok Nok Labs." In that regard, the FIDO Alliance has pushed the use of biometrics strongly in its pursuit to replace standard passwords for device authentication, and to potentially expand into other areas, including payments.
Because it is increasingly rare for bank customers to stop by the branch and do business with tellers who know them, financial institutions that follow the FFIEC guidance would take a more holistic approach to customer authentication and identification, said Ben Knieff, senior analyst at Aite Consulting Group.
"Certainly, some will look at what I call an 'authentication fabric,' a technology layer to enable the correct type of authentication for the risk and channel involved," Knieff said.
Generally, the FFIEC provides guidance and recommendations on system operations and risk factors, though it has no regulatory power of its own to mandate standards. Its members, from agencies such as the OCC and FDIC, formulate the guidance to outline minimum standards that apply uniformly across those agencies' examinations.
It also reacts to industry trends and examines processes that come under question in the financial services or payments industries. For example, merchant organizations have been seeking the FFIEC's help with an area of retail payments, PIN debit transaction acceptance and routing, that has plagued the industry since the advent of EMV chip cards.
For now, merchants are hoping the FFIEC can determine, among other things, whether some debit card issuers are failing to provide a PIN debit network option on tokenized purchases as is mandated through the Durbin amendment.