The 5 Basic (but Important) Questions Banks Need Answered Regarding FFIEC Regulatory Compliance

November 14, 2011 by Chris Ryan

This is the first question in our five-part series on the FFIEC guidance and what it means for Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “layered security” actually mean?  

“Layered” security refers to arranging fraud controls in sequence. A layered approach starts with the simplest, most benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.

Consider a customer who logs onto an on-line banking session to execute a wire transfer of funds to another account. The layers of security applied to this activity might resemble:

1. Layer One - Account log-in. Security = a valid ID and password must be provided.
2. Layer Two - Wire transfer request. Security = IP verification/confirmation that this PC has been used to access this account previously.
3. Layer Three - Destination account provided that has not been used to receive wire transfer funds in the past. Security = knowledge-based authentication.

Layered security gives an organization the ability to handle simple customer requests with minimal security and to strengthen security as the risk dictates. A layered approach lets the vast majority of low-risk transactions complete without unnecessary interference while high-risk transactions are sufficiently verified.
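To make the three layers concrete, here is an added example (not code from the original post) of a step-up policy that walks the layers in order and returns only the controls the current risk calls for. All class names, field names and sample data are constructed for illustration.

```python
"""Added example: a minimal layered, risk-based step-up policy for an
online-banking wire transfer, modelled on the three layers described above.
Names and data are hypothetical; nothing here is from a real bank system."""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    authenticated: bool      # Layer One: a valid ID and password were presented
    device_id: str           # identifier (e.g. IP/fingerprint) of the PC in use


@dataclass
class Account:
    known_devices: set = field(default_factory=set)           # PCs seen before
    past_wire_destinations: set = field(default_factory=set)  # paid before


@dataclass
class WireRequest:
    destination: str
    amount: float


def required_controls(session, account, request=None):
    """Walk the layers in order and return the controls that must be satisfied.
    Each layer adds a check only when the risk it guards against is present."""
    controls = ["password"]          # Layer One applies to every log-in
    if not session.authenticated or request is None:
        return controls              # not logged in, or a low-risk activity
    # Layer Two: a wire request from an unrecognised PC needs device confirmation
    if session.device_id not in account.known_devices:
        controls.append("device_verification")
    # Layer Three: a never-used destination triggers knowledge-based authentication
    if request.destination not in account.past_wire_destinations:
        controls.append("knowledge_based_authentication")
    return controls


def record_completed_wire(session, account, request):
    """Once every required control has passed, remember the device and the
    destination so a repeat of the same transfer needs only Layer One."""
    account.known_devices.add(session.device_id)
    account.past_wire_destinations.add(request.destination)


if __name__ == "__main__":
    sess, acct = Session("alice", True, "pc-1"), Account()
    req = WireRequest("acct-999", 500.0)
    print(required_controls(sess, acct, req))   # all three layers apply
    record_completed_wire(sess, acct, req)
    print(required_controls(sess, acct, req))   # now only the password layer
```

Running the script shows the first-time wire tripping all three layers and the repeat transfer from the same PC to the same destination passing on Layer One alone, which is the "minimal interference for low-risk transactions" property the guidance describes.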


Look for part two of our five-part series tomorrow.