Pub 1 2012 Issue 2

Leading advocate for the banking industry in Kansas.

Internet Banking: EDUCATING YOUR CUSTOMERS
By Stephanie Chaumont, CISSP, CISA, Security+

I’VE ALWAYS BEEN A FAN OF THE UNDERDOG. I’ll never get tired of any movie featuring an underdog or underprivileged sports team, dancer, speller, or contestant on India’s Who Wants to Be a Millionaire. I cry every time even though I know they’ll either win the big game or come in a very close second and be okay with the loss because they learned so much about themselves during the season…

What does this have to do with Internet banking? The FFIEC released its Supplement to Authentication in an Internet Banking Environment last summer, and banks across the country have spent the last few months ensuring they’re ready for the next exam. By now, you’ve read the guidance (or at least read enough about the guidance) to know that it really boils down to three main elements you might not have paid attention to in the past:

• An Internet banking risk assessment
• A layered security approach to Internet banking
• Enhanced customer education

I can’t help but think that customer education is the underdog here. I know banks were very quick to start assessing the risks involved in Internet banking, and in response to those risks, many banks have implemented excellent layered security programs. Options like secure browsing tools and out-of-band authorization, once considered the crème-de-la-crème of Internet security, will soon be the norm.

However, anyone who has been involved in security for even a short amount of time knows that the weakest link is the human element. As a financial institution, you have undoubtedly spent hours on training, sent countless emails, put up clever posters in the break room… all in an effort to teach your employees the value of information security. Your customers have not received that kind of education.
Some, even your commercial customers, may have opened mom-and-pop stores in small towns where everyone knows each other. The idea that someone they’ve never seen works day and night to try to break into their commercial account may never have crossed their minds.

The newest FFIEC regulation places the responsibility of educating those customers on the shoulders of your bank. It’s now your job to help your customers understand the threats associated with Internet banking as well as the controls they can put in place to mitigate the associated risks.

Knowing what content you need has already been taken care of. Specifically, the guidance says your customers need to know, at a minimum:

• Protections provided, and not provided, under Reg E and how Reg E applies to accounts with Internet access;
• Under what, if any, circumstances and through what means your institution may contact a customer on an unsolicited basis and request the customer’s information;
• A suggestion that commercial online banking customers perform a risk assessment and controls evaluation periodically;
• A list of controls customers may consider implementing to mitigate their own risk or a list of available resources where such information can be found;
• A list of institutional contacts for customers’ use in the event they notice suspicious account activity.

Now you just need to decide how to deliver the information, and this is the most important part. People, on average, will not retain even the most important information if they can’t get through the verbiage. Whether you decide to provide handouts or use your Internet banking site to create a slideshow, it’s important to remember a few basic communication principles:

1. Know your audience. Don’t focus on what you want to say as much as on what they want to hear. This may
