Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access
Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.
Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.
Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:
Compromise of customer information and transactions over the wireless network;
Disruption of wireless service from radio transmissions of other wireless devices;
Intrusion into the institution's network through wireless network connections; and
Obsolescence of current systems due to rapidly changing standards.
These risks could ultimately compromise the bank's computer system, potentially causing:
Financial loss due to the execution of unauthorized transactions;
Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);
Negative media attention, resulting in harm to the institution's reputation; and
Loss of customer confidence.
Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:
Establishing a minimum set of security requirements for wireless networks and applications;
Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;
Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;
Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;
Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);
Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and
Performing independent security testing of wireless network and application implementations.
Additional information about wireless networks and wireless customer access appears in the Appendix, available on the FDIC's Web site at www.fdic.gov. You may also contact Jeffrey M. Kopchik, Senior Policy Analyst, E-Banking Branch, Division of Supervision, at 202-898-3872.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or 703-562-2200).