Banks and financial services have to navigate a rocky road, now more than ever, as the novel coronavirus has moved many employees to working from home. While banks and financial services stay competitive by offering a digital customer experience, they also have to secure that environment to satisfy the federal financial service regulations imposed on the industry.
Because of the swift transition to a digital environment and, unfortunately, improved cyberattack methods against the financial industry, more federal banking security regulations are going into effect and existing controls are being tightened. Many of these regulations stem from the need to secure customer data, since banks and financial services remain large holders of sensitive information such as Personally Identifiable Information (PII).
Now, basic authentication methods like passwords need to be revisited to incorporate stronger customer authentication that still fits within the growing digital environment and customer expectations. Let's take a look at which federal financial regulations are affecting the industry today when it comes to their cybersecurity.
Financial Federal Regulations
Payment Card Industry-Data Security Standard (PCI-DSS)
PCI-DSS, the Payment Card Industry Data Security Standard, is a widely accepted set of security requirements intended to protect credit and debit card transactions and the cardholder data behind them against theft and misuse. Version 1.0 of the standard was released in 2004 by the major card brands (Visa, MasterCard, Discover, American Express, and JCB), which later formed the PCI Security Standards Council to maintain it.
For a financial institution or merchant to be PCI-DSS compliant, it must meet six control objectives, which together cover twelve requirements:
- Build and maintain a secure network: cardholder data is handled on a network protected by properly configured firewalls, with vendor-supplied default passwords and settings changed. The controls should not inconvenience cardholders or vendors, but must be robust enough to withstand real attacks.
- Protect cardholder data wherever it is stored: the primary account number (PAN), cardholder name, expiration date, and service code may be stored only when needed and must be rendered unreadable (for example by encryption or truncation), while sensitive authentication data such as full track data, the card verification code, and PINs must never be stored after authorization. This objective also requires encrypting cardholder data in transit across open, public networks, which is what makes e-commerce card payments safe.
- Maintain a vulnerability management program: the payment systems must be protected against malicious code through regularly updated anti-malware software, and the systems and applications themselves must be developed and patched securely.
- Implement strong access control: access to system components and cardholder data is restricted to those with a business need to know, every person with computer access is assigned a unique ID, and physical access to cardholder data is restricted.
- Regularly monitor and test networks: all access to network resources and cardholder data is logged and tracked, and security systems and processes are tested regularly to confirm that the controls remain effective.
- Maintain an information security policy: a formal policy must be defined, maintained, communicated to all personnel, and consistently followed.
Gramm-Leach-Bliley Act (GLBA)
GLBA, the Gramm-Leach-Bliley Act, requires financial institutions to explain how they share and protect their customers' private information. The focus of the GLBA is to tighten consumer data privacy safeguards and restrictions. The act revolves around three rules that financial services have to follow to be GLBA compliant.
The Financial Privacy Rule mandates that the financial institution provide notices of its privacy policies and practices to consumers. The institution has to give consumers the option to opt out of having their nonpublic personal information (NPI) disclosed to non-affiliated third parties.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain a written information security program that protects customer information, where a customer is a consumer who has a continuing relationship with the institution.
The Pretexting Provisions prohibit obtaining customer information under false pretenses. This is the part of GLBA closest to everyday cybersecurity: institutions are expected to build safeguards against pretexting and social engineering, to maintain a written plan for monitoring account activity, and to train staff not to hand over NPI to callers or correspondents impersonating customers or officials.
These standards and rules of GLBA apply to all businesses, regardless of size, as long as they are engaged in providing financial products or services to consumers, so not only financial institutions, but also check-cashing companies, payday lenders, mortgage brokers, and other functions involving the transaction of money.
Financial institutions should employ encryption to mitigate the risk of disclosure, paying attention both to the strength of the algorithms used and to effective key management, since encrypted data is only as well protected as its keys.
Second Payment Services Directive (PSD2)
PSD2, the Second Payment Services Directive of the European Union, applies to electronic payments made within the European Economic Area, including e-commerce transactions. It mandates strong customer authentication and opens bank account access to licensed third-party providers, with the aims of improving consumer choice and reducing fraud.
Under PSD2, the European Banking Authority published a revised deadline for December 31st, 2020 for compliance with the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure communication.
For companies to follow PSD2, the criteria include:
Strong Customer Authentication:
The core principle of SCA is to reduce payment fraud with minimal impact on customer experience. For banks and financial services, this means improving while securing the digital experience.
In practice, SCA means two-factor authentication (2FA): the customer must present two independent elements drawn from different categories, something they know (a password or PIN), something they possess (a registered phone or card), and something they are (a fingerprint or other biometric). Two elements from the same category, such as a password and a PIN, do not satisfy SCA.
Transaction Risk Analysis
The PSD2 technical standards require payment service providers to run transaction monitoring that can detect fraudulent payments, and they allow low-risk transactions identified through transaction risk analysis to be exempted from SCA. The analysis takes into account compromised or stolen authentication data, known fraud scenarios, signs of malware infection on the payer's device, the transaction amount, and the device used for the transaction.
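As an added example that is not part of the original article, the following Python sketch shows what a risk-based SCA decision can look like: the risk signals are the ones named above, the `PayerProfile` history and the flag fields on `Transaction` are assumptions about what a provider's monitoring would supply, and the amount and fraud-rate thresholds are the ones the PSD2 RTS sets for the transaction risk analysis exemption on remote card payments.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Fraud-rate ceilings from the PSD2 RTS (Article 18) for remote card payments:
# a PSP whose reference fraud rate is at or below the ceiling may exempt
# transactions up to the paired amount (EUR) from SCA on a risk basis.
TRA_THRESHOLDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]


@dataclass
class Transaction:
    amount_eur: float
    payee: str
    device_id: str
    # Risk signals named in the RTS transaction-monitoring requirement. How they
    # are produced (breach monitoring, malware telemetry, fraud rules) is outside
    # this example; here they are plain flags set by the caller.
    credentials_compromised: bool = False
    malware_suspected: bool = False
    known_fraud_scenario: bool = False


@dataclass
class PayerProfile:
    """Hypothetical per-customer history kept by the payment service provider."""
    known_devices: Set[str] = field(default_factory=set)
    usual_payees: Set[str] = field(default_factory=set)


def risk_signals(tx: Transaction, profile: PayerProfile) -> List[str]:
    """Return every reason this transaction looks risky (empty list if none)."""
    reasons: List[str] = []
    if tx.credentials_compromised:
        reasons.append("compromised_credentials")
    if tx.malware_suspected:
        reasons.append("malware_suspected")
    if tx.known_fraud_scenario:
        reasons.append("known_fraud_scenario")
    if tx.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if tx.payee not in profile.usual_payees:
        reasons.append("new_payee")
    return reasons


def tra_exemption_limit(psp_fraud_rate: float) -> float:
    """Largest amount the PSP may exempt given its fraud rate; 0.0 if it may exempt nothing."""
    limit = 0.0
    for amount, max_rate in TRA_THRESHOLDS:  # ordered from loosest to strictest ceiling
        if psp_fraud_rate <= max_rate:
            limit = amount
    return limit


def sca_required(tx: Transaction, profile: PayerProfile,
                 psp_fraud_rate: float) -> Tuple[bool, List[str]]:
    """Decide whether SCA must be applied, returning the reasons for the decision."""
    reasons = risk_signals(tx, profile)
    if tx.amount_eur > tra_exemption_limit(psp_fraud_rate):
        reasons.append("amount_above_tra_limit")
    # Any risk signal defeats the exemption; only a clean, in-limit payment skips SCA.
    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    # Constructed sample data: one known device, one usual payee, PSP fraud rate 0.10%.
    profile = PayerProfile(known_devices={"dev-1"}, usual_payees={"ACME Ltd"})
    print(sca_required(Transaction(80.0, "ACME Ltd", "dev-1"), profile, 0.0010))   # (False, [])
    print(sca_required(Transaction(80.0, "ACME Ltd", "dev-9"), profile, 0.0010))   # (True, ['unknown_device'])
    print(sca_required(Transaction(300.0, "ACME Ltd", "dev-1"), profile, 0.0010))  # (True, ['amount_above_tra_limit'])
```

The point of returning the reasons alongside the decision is auditability: a regulator or fraud analyst reviewing an exempted payment can see exactly which signals were checked, and a declined exemption can be explained to the customer.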
For remote payments, the authentication must also be dynamically linked to both the payee and the amount of the transaction. The dynamic linking requirement has three parts.
- The authentication code generated for the transaction must be specific to the beneficiary and the amount the payer agreed to, so that any change to either invalidates the code.
- The confidentiality and integrity of the payee and amount must be protected throughout the authentication process.
- The payer must be shown the payee and amount they are authenticating, so that what they approve is what will be executed.
Dynamic linking counters man-in-the-middle and man-in-the-browser attacks in which an attacker alters the payee or the amount after the user has approved the transaction: the code the user generated for the original transaction simply does not verify for the altered one.
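To make dynamic linking concrete, here is an added example (not code from the original article or from any real banking product) of an authentication code bound to payee and amount with HMAC-SHA256 over a shared per-device secret. The `PaymentServer` class, the nonce handling, and the sample IBAN and amounts are assumptions made for the illustration; the HOTP-style truncation to eight digits is borrowed from RFC 4226 so the code can be displayed on a device.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal
from typing import Set, Tuple


def canonical_transaction(payee: str, amount: str, currency: str, nonce: str) -> bytes:
    """Unambiguous byte encoding of exactly what the payer is approving.
    Each field is length-prefixed so that no two (payee, amount) pairs share an encoding,
    and payee/amount are normalized so that display formatting cannot change the MAC."""
    fields = [
        payee.upper().replace(" ", ""),   # IBAN with or without grouping spaces
        f"{Decimal(amount):.2f}",         # "125.5", "125.50" and "125.500" all agree
        currency.upper(),
        nonce,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f.encode("utf-8") for f in fields)


def authentication_code(key: bytes, payee: str, amount: str, currency: str, nonce: str) -> str:
    """8-digit code bound to payee and amount: HMAC-SHA256, truncated HOTP-style (RFC 4226)."""
    mac = hmac.new(key, canonical_transaction(payee, amount, currency, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class PaymentServer:
    """Hypothetical bank back end sharing a per-device secret with the payer's authenticator app."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._issued: Set[str] = set()   # nonces handed out, awaiting a code
        self._used: Set[str] = set()     # nonces already consumed (replay protection)

    def start_transaction(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def execute(self, nonce: str, payee: str, amount: str, currency: str, code: str) -> bool:
        """Execute only if the code was computed over these exact payee and amount values."""
        if nonce in self._used or nonce not in self._issued:
            return False
        expected = authentication_code(self._key, payee, amount, currency, nonce)
        if not hmac.compare_digest(expected, code):
            return False
        self._issued.discard(nonce)
        self._used.add(nonce)
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through a legitimate approval, two tampered requests and a replay."""
    key = secrets.token_bytes(32)   # constructed here; in practice provisioned at enrollment
    server = PaymentServer(key)

    # The payer's app shows "pay DE89 3704 0044 0532 0130 00, 125.50 EUR" and signs exactly that.
    nonce = server.start_transaction()
    code = authentication_code(key, "DE89 3704 0044 0532 0130 00", "125.50", "EUR", nonce)

    # A man-in-the-middle changes the amount, or the payee, on the wire: the code no longer verifies.
    tampered_amount = server.execute(nonce, "DE89370400440532013000", "1250.50", "EUR", code)
    tampered_payee = server.execute(nonce, "GB29NWBK60161331926819", "125.50", "EUR", code)
    # The untouched request verifies and consumes the nonce...
    legit = server.execute(nonce, "DE89370400440532013000", "125.50", "EUR", code)
    # ...so replaying the same code for the same transaction is refused.
    replay = server.execute(nonce, "DE89370400440532013000", "125.50", "EUR", code)
    return legit, tampered_amount, tampered_payee, replay


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

Two design points matter here. The server verifies the code over the values it is about to execute, never over the values it displayed earlier, because the attacker controls the channel in between. And the nonce is single-use, so an intercepted code cannot be replayed even for an unmodified transaction.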
Mobile App Security
Payment service providers are required to have security measures to mitigate the risk from compromised mobile devices.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) is a U.S. federal law, passed by Congress in 2002, that protects investors from fraudulent financial reporting by corporations. It imposed strict reforms on existing securities regulations and introduced new penalties for those who break the law.
SOX was enacted in response to the corporate accounting scandals of the early 2000s, and its introduction began an overhaul of the older regulatory standards.
The act, which is enforced by the Securities and Exchange Commission (SEC), set out reforms in four areas:
- Corporate responsibility
- Increased criminal punishment
- Accounting regulation
- New protections
Financial Action Task Force (FATF) Guidance on Digital Identity
In March 2020 the Financial Action Task Force (FATF) released its Guidance on Digital Identity. The FATF promotes the effective implementation of legal, regulatory, and operational measures to combat money laundering, terrorist financing, and other threats to the international financial system.
The FATF Guidance focuses on end-to-end digital identity, which includes identity proofing, enrollment, and authentication.
Benefits of the digital ID systems include:
- Improving the customer identification and verification process at the onboarding stage
- Supporting ongoing scrutiny and due diligence of transactions
- Facilitating customer due diligence (CDD) measures
- Aiding transaction monitoring to detect and report suspicious transactions
Banks and financial services can benefit from multi-factor authentication, biometric identity solutions, and single sign-on. All three support compliance with the regulations above, and all three are more secure than passwords alone. Biometrics in particular can replace SMS-based out-of-band (OOB) one-time codes, which are falling out of favor because SMS can be intercepted or redirected through SIM swapping.
Multi-factor authentication requires every user to present at least two independent factors, such as a registered phone or hardware token, a PIN, and a passwordless factor like a biometric.
Biometric identity solutions cannot be forgotten, written down, or shared the way a password can, and a one-touch authentication raises the assurance level while streamlining the workflow, benefiting the organization and improving the customer experience. Because a biometric cannot be changed if it is copied, the templates should be stored and matched on the user's device or in dedicated secure hardware, and the sensor should include liveness detection against spoofing.
Lastly, single sign-on gives seamless access to all applications, reduces the number of passwords a user has to manage, lets the organization enforce strong authentication at one central point, and lowers IT costs.