Customer education is mandatory under the Federal Financial Institutions Examination Council (FFIEC) guidance supplement entitled Authentication in an Internet Banking Environment. The supplemental guidance requires financial institutions that offer Internet-based products and services to take a more proactive approach to information protection. It recognizes that financial consumers are often the weakest link in protecting their own private information, and therefore requires effective customer risk awareness and education regarding identity protection. In summary, the FFIEC supplemental guidance requires periodic risk assessments to identify security threats to online accounts and to adjust controls relevant to layered security, customer authentication, and customer risk awareness and security education.
As mentioned above, banks and all other financial institutions must provide two levels of education to their customers. First, they must educate customers about the information security threats facing them and their online accounts; second, they must educate customers about the countermeasures that address those threats, thereby reducing the overall security and privacy risk to customer information.
The best way for a company to define the scope of its customer risk awareness and information protection education is to perform a risk assessment based on the threats targeting consumers. This mandatory risk assessment can be combined with other relevant corporate risk assessments, including the identity theft risk assessment under the Red Flags Rule, to identify the specific threats and countermeasures that consumers must be made aware of and reminded of constantly, so that they remain alert and apply due diligence whenever they access their online accounts. Defining the scope of customer education is very important because the ideal program is one that reduces online account security risk to the lowest level while keeping the cost of designing and implementing such a customer security awareness and education program as low as possible.
A lack of customer education has long been a recognized business risk that is only now starting to be addressed under federal requirements such as the FFIEC guidance. Although this guidance is a good starting point, it is only a matter of time before other regulations also address customer education in non-financial sectors such as insurance, healthcare, hospitality, and social media, which are exposed to higher identity theft risks.
For effective customer education and risk assessment, become a Certified Red Flag Specialist (CRFS) and join the identity theft prevention and compliance experts.