IT Examiner School eBook

o Enhanced (layered) authentication for higher-risk activities, such as external transfers of funds

o Re-authentication after a period of inactivity

o Procedures to adjust authentication controls based on risk assessments

• Transaction risk

o Ability to detect, prevent, and respond to fraudulent or anomalous activity

o Ability to leverage location features for fraud detection

• Customer education

o Social engineering

o Phishing

o Anti-virus/anti-malware protection

o Public Internet access

• Compliance and legal risk

o BSA/AML compliance (recordkeeping, screening, and reporting requirements)

o Consumer and privacy disclosures

• Reputation risk

o Cyber threats

o Lack of availability

Control Test

Review the electronic banking risk assessment for compliance with the FFIEC guidance Authentication in an Internet Banking Environment (2005) and its Supplement (2011). Note that the FFIEC replaced both documents in August 2021 with Authentication and Access to Financial Institution Services and Systems; where the institution's risk assessment references the newer guidance, evaluate it against that document's layered-security and risk-assessment expectations.

Procedure 26

In addition to the electronic banking controls listed above, evaluate the adequacy of the following controls specific to mobile banking (native applications and mobile browser access):

• On-device data security

o Customer education regarding the use of device PINs, passwords, or biometric locks

o Controls to avoid retaining unnecessary sensitive information (account numbers, credentials, session tokens) on the device

o Encryption of any sensitive information that must be stored on the device

o Secure wiping of sensitive information from memory upon exiting the application

o Authentication when re-entering the application, including after it is resumed from the background

InTREx Mapping


Tandem, LLC | Copyright © 2024

Confidential - Internal Use Only
