Authentication in an Internet Banking Environment

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body within the U.S. government tasked with ensuring that the rules governing financial institutions are enforced uniformly. When online banking became widespread in the early 2000s, the FFIEC decided to introduce standardized guidelines to help banks offering online banking services comply with data security regulations. This effort culminated in the publication of a document titled “Authentication in an Internet Banking Environment”, abbreviated AIBE for the purposes of this article.

When AIBE was first introduced, it was a relatively straightforward document. The FFIEC likely did not foresee how important the document would become as digitalization disrupted banking and payments over the following decade. Nevertheless, compliance with AIBE retroactively became mandatory for financial institutions almost a decade after its publication, and the document has been significantly expanded in recent years to account for its importance in today’s financial system.

What Is AIBE?

AIBE was originally published in October 2005 as a risk management framework. At the time, financial institutions attempting to remain in compliance were challenged by a web of conflicting rules and documents governing how financial platforms were expected to be secured. Therefore, industry experts established a study group that was responsible for creating what was to become the final AIBE document.

AIBE primarily outlines the additional steps that financial institutions are expected to take when securing their platforms. For instance, it specifies that online banking platforms should have at least three security questions because research proves that additional questions strongly correlate with a reduction in unauthorized access. At the time, security questions were common on most websites, but AIBE specified that financial institutions were expected to go the extra mile to protect their customers. Dozens of similar rules were introduced under AIBE that were designed to ensure that security practices were aligned with the high level of importance that consumers place on the security of their financial assets.

Is AIBE Legally Enforceable?

When AIBE was introduced, it was not technically enforceable. It did, however, serve as a guideline to help courts decide which parties were liable in the event of a data breach, so many attorneys regarded it as legally enforceable in practice. Nevertheless, banks still had the right to ignore elements of AIBE that they found objectionable.

The enforceability of AIBE changed on January 1, 2012, when the FDIC published guidance requiring that financial institutions fully comply with AIBE. By that time, most financial institutions were already introducing security measures that went far beyond the requirements detailed in AIBE, but the FDIC decided to convert AIBE into a legally enforceable minimum standard to ensure that all U.S. banks made a serious effort to protect their customers.

Updates to AIBE

AIBE was routinely updated after it became legally enforceable. The document was not originally intended to function as a regulatory framework, so updates were needed to account for its new significance.

Shortly before the FDIC made AIBE enforceable, the FFIEC introduced a document labeled “Supplement to Authentication in an Internet Banking Environment” in June 2011. The document aimed to reinforce the fact that following the security practices outlined in the original document remained crucial in the maturing space of online banking. Additionally, it modified some of the security practices outlined in the original document to account for newly discovered vulnerabilities and the changing digital landscape.

Most importantly, the supplementary document added expectations in layered security and client authentication. It also required banks to educate their customers on the importance of following good security practices.

Companies That Must Comply With AIBE

Today, all financial institutions that provide financial platforms to their clients are required to comply with AIBE. Therefore, nearly all businesses have to comply if they offer products related to investments, insurance, banking, and securities trading.

Requirements Under AIBE

AIBE was written to be the full list of security requirements that financial institutions are expected to implement, so covering every regulation under AIBE is outside the scope of this article. Nevertheless, the requirements under AIBE can be summarized as covering three main areas:

1. Internal controls: Financial institutions are required to conduct annual risk assessments to ensure that their platforms are secure. Larger accounts are required to have additional security measures. Financial institutions are also required to introduce customer awareness programs that are tailored to the specific service that they offer.

2. Layered security: Requirements were introduced to make financial institutions develop systems designed to detect fraudulent or suspicious activity. Administrative controls were also made mandatory for customers who use business accounts.

3. Authentication: AIBE clarified that many of the basic device identification strategies that are widely used in e-commerce are not sufficient for financial institutions. It also clarified that basic challenge questions were not enough to protect financial institutions from liability in the event of a data breach.
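The layered-security and authentication points above can be made concrete with a risk-scoring example. The code below is written for this article and is not part of the FFIEC guidance or any bank's system; the signals it combines (device recognition, location, transaction amount, business-account status), the weights, the thresholds, and the customer profiles and session events are all constructed assumptions. It shows why device identification alone is not treated as sufficient: a recognised device does not exempt a session from step-up authentication when another layer flags an anomaly, and a business account raises the weight of any anomaly.

```python
"""Layered-security risk scoring for an online-banking session (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SessionEvent:
    user: str
    device_id: str
    country: str
    amount: float            # requested transfer amount; 0.0 for a read-only session
    business_account: bool   # business accounts get tighter controls


@dataclass(frozen=True)
class CustomerProfile:
    known_devices: frozenset
    home_country: str
    typical_max_amount: float   # largest transfer in the customer's normal history


# Illustrative thresholds (assumptions, not values taken from AIBE)
STEP_UP_THRESHOLD = 50   # require an additional authentication factor
BLOCK_THRESHOLD = 90     # hold the transaction for manual review


def score_session(ev: SessionEvent, profile: CustomerProfile) -> Tuple[int, List[str]]:
    """Combine independent signals into one score; each layer adds, none decides alone."""
    score = 0
    reasons: List[str] = []
    # Layer 1: device recognition is a weak signal on its own
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    # Layer 2: access from outside the customer's usual country
    if ev.country != profile.home_country:
        score += 30
        reasons.append("access from outside home country")
    # Layer 3: transaction anomaly relative to the customer's own history
    if ev.amount > profile.typical_max_amount:
        score += 30
        reasons.append("transfer above customer's normal range")
    # Layer 4: any anomaly on a business account carries extra weight
    if ev.business_account and reasons:
        score += 20
        reasons.append("anomaly on a business account")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: allow, step up authentication, or hold for review."""
    if score >= BLOCK_THRESHOLD:
        return "hold_for_review"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_authentication"
    return "allow"


def assess(events: List[SessionEvent],
           profiles: Dict[str, CustomerProfile]) -> List[Tuple[str, int, str]]:
    """Score every event against its customer's profile and return (user, score, action)."""
    results = []
    for ev in events:
        score, _ = score_session(ev, profiles[ev.user])
        results.append((ev.user, score, decide(score)))
    return results


# Constructed sample data (not real customers or devices)
PROFILES: Dict[str, CustomerProfile] = {
    "alice": CustomerProfile(frozenset({"dev-alice-1"}), "US", 500.0),
    "acme-corp": CustomerProfile(frozenset({"dev-acme-1"}), "US", 20000.0),
}

EVENTS: List[SessionEvent] = [
    SessionEvent("alice", "dev-alice-1", "US", 120.0, False),       # nothing unusual
    SessionEvent("alice", "dev-unknown", "US", 900.0, False),       # new device + large transfer
    SessionEvent("acme-corp", "dev-acme-1", "US", 45000.0, True),   # known device, large business transfer
    SessionEvent("acme-corp", "dev-unknown", "FR", 45000.0, True),  # every layer fires
]

if __name__ == "__main__":
    for user, score, action in assess(EVENTS, PROFILES):
        print(f"{user:10} score={score:3} -> {action}")
```

The third event is the one to note: the device is recognised, yet the session is still sent to step-up authentication because the transfer is outside the account's normal range and the account is a business account. Device recognition only ever reduces uncertainty; it never replaces the authentication layer.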

How to Achieve Compliance

If you are responsible for securing a financial institution’s online platforms, understanding how to adequately comply with AIBE is crucial for avoiding lawsuits and even criminal liability. To comply with AIBE, you should start by reading the document itself. Additionally, make sure that you review the supplementary guidance that the FFIEC has published.

However, fully complying with AIBE is difficult to do on your own. In most cases, you will want to recruit a new employee who is experienced in complying with AIBE. You may also need to work with a security company that specializes in AIBE compliance.

AIBE Compliance Helps to Improve Online Business Security

Although complying with AIBE can be difficult, the reality is that the process of achieving compliance helps to enhance the security of your information systems. You will institute a broad range of access management systems and internal controls that will significantly reduce the chances of your company experiencing a data breach. Therefore, your business will be more sustainable, insurance costs can be reduced, and you can provide a wider range of services.

When your business becomes AIBE-compliant, you can advertise this fact to your customers. As a result, they can feel more secure when they transact through your platform. Clients who are very concerned with security will then be more likely to switch over to your company.

Using the AIBE Framework to Protect Your Business

It is important to understand that the FDIC only made AIBE legally enforceable to help financial institutions protect their clients with the best security practices available. If your business is not required to comply with AIBE, achieving voluntary compliance can still make sense in many cases to demonstrate a good-faith attempt to protect the assets under your control. Businesses that experience a data breach can sometimes be shielded from liability in court when they have gone out of their way to protect their customers.

Safeguards Similar to AIBE

AIBE is only one of many safeguards that have been introduced to protect the clients of financial institutions. For instance, NIST Special Publication 800-63-3 provides guidance on how to properly implement two-factor authentication, and this publication has been used in court to sue businesses that experienced a data breach. The Payment Card Industry Data Security Standard is another important law that aims to protect consumers by ensuring that systems used for online transactions are secure. Even GDPR has rules governing how access systems are supposed to be secured.
