Regulatory bodies around the world continue to issue security advisories related to online and mobile banking, especially when it comes to securing high-risk, high-value digital transactions. In a fast-changing environment, establishing and maintaining rigorous standards helps build consumer confidence and drives mass market acceptance. This is particularly true where user safety is a factor: for governments, engineering a more secure digital environment for their citizens is a vital concern.

Below, we summarize recent guidance from a cross section of countries in order to discern what regulators typically require of an effective strong authentication regime.

European Central Bank

Starting August 1, 2015, all payment gateways, issuers, and acquirers operating in the Single Euro Payment Area (SEPA) will be required by the European Central Bank (ECB) to use strong authentication to verify a customer’s identity when they initiate online and mobile-based payments, or access or amend sensitive payment data over these channels. Organizations that do not comply with the ECB’s mandate will be liable for fraud on their networks.

The ECB and European Banking Authority define strong customer authentication as a procedure based on the use of two or more of the following elements – something only the user knows, something only the user has, and something the user is. In addition, the elements selected must be mutually independent, meaning the breach of one does not compromise the others. At least one of the elements should be non-reusable and non-replicable, and not capable of being surreptitiously stolen via the Internet.

Federal Financial Institutions Examinations Council

In 2011, the FFIEC issued an update to its initial guidance to US financial institutions on providing effective user authentication online, Authentication in an Internet Banking Environment. This update specifically recommends multi-factor authentication be offered to business banking customers for high-risk transactions. It also discusses the advantages of out-of-band authentication in protecting these transactions.

Monetary Authority of Singapore

One of the strictest sets of standards in effect anywhere in the world is the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines, which applies to all financial institutions active in the country.

The MAS guidelines dictate two-factor authentication for login to all online financial systems and transaction-signing for authorizing a wide range of transaction types, including high-value payments, changes to contact details, revision of transfer limits, and setup of payees. Customers must be notified of each high-risk transaction and digitally sign them – all on an out-of-band device.

Central Bank of the Republic of China (Taiwan)

In Taiwan, all digital banking transactions must be classified as either high or low risk. High-risk transactions are only permitted if a two-factor authentication solution is in place. Any data used to identify the user must be digitally signed, as well as the actual transactions. Messages to be signed should be encrypted and, once signed, should be tamper-evident, ensuring data integrity and confidentiality.

Authentication technology must support custom digital certificates that comply with specific Taiwanese regulations. As in Singapore, OTPs may be used for certain types of low-risk transactions, but can be replaced by a digital signature scheme to satisfy the requirements for both low- and high-risk transactions.
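The ECB, MAS and Taiwanese requirements above share a common core: the transaction details are signed on a separate device, the signed message is tamper-evident, and the signing element cannot be reused. The following is an added illustration written for this article, not Entersekt’s product code or any regulator’s reference implementation. It assumes a constructed per-device secret and uses an HMAC where a real deployment would use an asymmetric digital signature (so the bank holds only a public key and cannot forge a customer’s approval, which is what gives nonrepudiation). The class and field names are illustrative.

```python
import hashlib
import hmac
import json
import secrets

# Constructed device key shared between the user's registered out-of-band
# device and the bank. In production the device holds a private key and the
# bank only the matching public key; the HMAC here stands in for that signature.
DEVICE_KEY = b"constructed-per-device-secret-for-illustration"


def canonical_bytes(payload: dict) -> bytes:
    """Serialize deterministically so signer and verifier operate on identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class DeviceSigner:
    """Runs on the out-of-band device: binds every transaction field to a
    one-time nonce and a monotonic counter before signing."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def sign(self, txn: dict) -> dict:
        self.counter += 1
        payload = {**txn, "nonce": secrets.token_hex(16), "counter": self.counter}
        tag = hmac.new(self.key, canonical_bytes(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": tag}


class BankVerifier:
    """Runs at the bank: rejects any payload whose signature no longer matches
    (tamper-evidence) and any signed message seen before (non-reusable)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: set[str] = set()
        self.last_counter = 0

    def verify(self, signed: dict) -> tuple[bool, str]:
        payload = signed["payload"]
        expected = hmac.new(self.key, canonical_bytes(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison so response timing leaks nothing about the tag.
        if not hmac.compare_digest(expected, signed["sig"]):
            return False, "rejected: signature does not match payload"
        if payload["nonce"] in self.seen_nonces or payload["counter"] <= self.last_counter:
            return False, "rejected: replayed transaction"
        self.seen_nonces.add(payload["nonce"])
        self.last_counter = payload["counter"]
        return True, "accepted"


def run_demo() -> dict:
    """Exercise the three cases the guidance cares about: genuine, tampered, replayed."""
    signer = DeviceSigner(DEVICE_KEY)
    bank = BankVerifier(DEVICE_KEY)
    # Constructed high-value payment instruction.
    signed = signer.sign(
        {"type": "payment", "payee": "ACC-000123", "amount": "25000.00", "currency": "SGD"}
    )
    genuine = bank.verify(signed)
    # The amount is altered in transit after the device has signed it.
    tampered = {"payload": {**signed["payload"], "amount": "250000.00"}, "sig": signed["sig"]}
    altered = bank.verify(tampered)
    # The same signed instruction is submitted a second time.
    replayed = bank.verify(signed)
    return {"genuine": genuine, "tampered": altered, "replayed": replayed}


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:9s} -> {reason}")
```

Two design points matter here. Signing the canonical serialization of every field (payee, amount, currency) is what makes the message tamper-evident: changing a single digit of the amount invalidates the signature. The nonce plus counter is what makes each approval non-reusable, so an intercepted signed instruction cannot simply be submitted again. Encrypting the signed message for confidentiality, as the Taiwanese guidance requires, is a separate layer on top of this.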

Central Bank of Egypt

A circular focusing on Internet banking regulation, issued by the Central Bank of Egypt in November 2014, mandates that a range of remote banking transactions be secured through two-factor authentication. It specifically recommends solutions that combine knowledge and possession factors. These hardware- or software-token-based solutions must support nonrepudiation through digital transaction signing and ensure full data integrity and confidentiality.

Strong multi-factor user authentication is vital in mitigating the threats of identity theft and account takeover by cybercriminals. For more information on strong authentication best practices, download Entersekt’s complimentary white paper, Muscling up on strong authentication: Best practices.

Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.