Logging In...and Locking Out Fraud Artists
What to know about new federal guidelines for how banks confirm the identity of online users
Many consumers appreciate the convenience and speed of banking and bill paying over the Internet. However, some are concerned about the safety of their money and personal information based on news coverage of fraud artists making unauthorized transfers from accounts. That's why the FDIC and other federal financial regulators recently updated the guidelines on how banks should verify that someone logging on to a bank's Web site is the real owner of a particular account. The new guidelines are effective January 1, 2012.
Here's perhaps the most important change: Under the guidelines in place since 2005, banks were expected to require more than just a password to allow access to an Internet bank account; people logging in also needed to clear a second hurdle, such as correctly responding to a series of questions that only the account owner and the bank knew the answers to. Under the new guidelines, banks also will be expected to have additional layers of stronger security — both before account access is granted and before money can be transferred out of that account.
"For example, your bank may check that the computer you are logging in from is located where you live and not in a foreign country, or it may put a hold on fund transfers that don't match your payment history until the bank can verify the legitimacy of that transaction," explained Jeff Kopchik, an FDIC Senior Policy Analyst who specializes in technology issues.
Also, while most of these new security measures will operate behind the scenes, your bank may contact you about the new controls and any changes in online banking procedures. For that reason, the FDIC and other banking regulators are concerned that fraud artists may attempt to repeat scams that surfaced when the 2005 guidelines were issued. Back then, fraud artists pretending to be bankers sent e-mails asking consumers to "enroll" in a new security program. The fraudulent e-mails asked consumers to provide certain sensitive personal information (such as a password) or to click on a link that appeared to be legitimate but actually installed malicious software — often called malware — that allowed the crooks to spy on the individual's computer.
"In most cases, any new security procedures that your bank implements in response to the new guidelines will not require you to take any action, so be wary of any e-mail that appears to be from your bank and that asks you to provide information such as your password or that asks you to click on an embedded link," warned Laura Lapin, a Section Chief in the FDIC's Technology Supervision Branch.
If you receive such an e-mail and have any concern about its authenticity, contact your bank directly.
Also beginning January 1, 2012, federal examiners will begin reviewing banks' assessments of their online banking risks as well as the new security measures they put in place.