Meeting and exceeding the FFIEC Risk Assessment Guidance

The 2011 FFIEC Internet Banking Guidance calls for Financial Institutions to perform periodic risk assessments - at least every 12 months, prior to implementing new electronic financial services, and as new information becomes available.

Proactive, External Testing of your Customer Security Controls

The Fraud Red Team is a proactive Risk Assessment Service that tests how identity management, authentication and fraud detection controls are working within and across customer access channels (e.g. online banking, mobile banking and telephone banking).

What Our Tests Include

The Guidance stipulates that Risk Assessments should consider factors such as changes to the threat environment, changes to functionality, changes to the online customer base, and actual incidents of identity theft or fraud. Our test library is updated with the latest fraud exploits, many of them supplied to us by the Banks that use our Service. Our tests are flexible and can accommodate special case testing based on areas of concern or recent fraud / identity theft incidents. They are also expansive and already include many of the new banking features that early-adopter Banks are starting to bring online (e.g. remote deposit capture, P2P payments). Finally, they are adaptable to multiple businesses and customer types such as retail, commercial and brokerage.

A New Approach to Risk Assessment

The Fraud Red Team differs from traditional risk assessments such as paper-based checklists and fraud defect analysis. Paper-based assessments describe the controls in place and how they protect high-risk transactions. Fraud Red Team tests how the controls are actually implemented in production, how they are working and how they are aligned across channels.

Defect analysis identifies gaps and weaknesses that exist after the fraud has occurred and after customers have been disrupted. Fraud Red Team proactively tests for gaps and weaknesses and in many cases finds weaknesses ahead of the fraudster. However, unlike the fraudsters, we provide Banks with a Report on what we discovered and insight on what we did.