Beginning next year, NCUA examiners will expect credit unions to be following a tougher new set of guidelines for securing online banking and money transfers.

NCUA Chairman Debbie Matz made that promise after the Federal Financial Institutions Examination Council issued new guidance last week that calls for financial institutions to institute new safeguards against the rising tide of fraud.

The FFIEC guidelines were last updated in 2005. A growing series of breaches and hack attacks has since then netted fraudsters around the globe millions of dollars and sparked legal battles over liability between victimized banks and customers.

The new guidelines call for recognition of layered security measures to deal with escalating levels of risk, improved and expanded authentication mechanisms, financial education and other measures to combat online fraud and identity theft.

Credit unions have not been immune from the onslaught of cybercrime, and they'll be expected to step up their defenses.

“This guidance reinforces the previous risk management framework. More importantly, the supplement updates supervisory expectations for effective member authentication mechanisms, layered security and other controls to combat growing identity theft attacks and online transaction frauds,” said Matz, who's also the first NCUA chairman to chair the multiagency FFIEC.

“For federally insured credit unions, they will be expected to adapt appropriate strategies to strengthen and enhance controls by January 2012,” Matz said. “Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined in the supplement.”

The 12-page report, “Supplement to Authentication in an Internet Banking Environment,” notes that not all transactions in the growing online channel involve the same measure of risk and recommends financial institutions increase the strength of their controls as the risk increases.

And while not recommending specific software solutions, the report does provide some detail of FFIEC's expectations, including layered security programs that involve fraud detection and monitoring systems, dual customer authorization through different access devices, out-of-band verification for transactions, and debit blocks and other techniques to screen or limit the amount of transactions.

Detection of transaction anomalies also was heavily stressed and included in the measures the FFIEC said it expected financial institutions to use “at a minimum.”

“Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior,” the new guidance said.

And while also adding the need for financial education as a tool, and the constantly updated use of antimalware software, the FFIEC said it realized that no defenses have proved totally secure.

“It is important to note, that none of the controls discussed provide absolute assurance in preventing or detecting a successful attack,” the council's report said.

Industry participants said the new guidance was a beginning toward improving security.

“We think the supplemental guidance is a positive step forward,” said Tiffany Riley, vice president of marketing at Guardian Analytics in Los Altos, Calif. It “sets clear minimum expectations for a layered security program that we agree will help prevent online banking fraud. We've seen how effective behavior-based anomaly detection and transaction monitoring can be.”

Steven Kietz of Woodbury Advisors in New York said, “It looks like good progress compared to the open-ended nature of the 2005 recommendations. Most big banks are already doing the tasks laid out.”

The former executive with JPMorgan Chase, Citigroup and Mobile Money Ventures added, “I would like to see more specific requirements to prevent fraud, like tokens and using text messaging to issue one-time passwords.”

The FFIEC makes policy recommendations to attempt to achieve greater regulatory uniformity.

 
