
“It’s Me 247” Personal Internet Branch (PIB)
Configuring, Activating, and Maintaining PIB Profiles for Your Members

INTRODUCTION

This booklet describes the Personal Internet Branch (PIB) System that provides layered security controls and member personalization for the It’s Me 247 Internet Banking application. Included are configuration instructions, rollout tips, and information about how to support PIB once you have introduced it to your membership.

RELATED REFERENCE MATERIALS

The following materials are companion pieces to this booklet and should be reviewed by your credit union as it develops an implementation plan for PIB. All are available at ence:

• Implementing PIB: Rollout Strategies A to Z
• “Completing Your Credit Union’s Internet Banking Risk Assessment” and the Risk Assessment Center (sessment-center/)

Revision date: May 14, 2019

For an updated copy of this booklet, check out the Reference Materials page of our ase-reference

CU*BASE is a registered trademark of CU*Answers, Inc.

CONTENTS

OVERVIEW
    SO JUST WHAT IS PIB?
    WHY USE LAYERED SECURITY?
    OTHER TOOLS YOU SHOULD BE USING TO CONTROL RISK
    PRICING
    ANSWERS TO YOUR QUESTIONS
DEVELOPING A ROLLOUT PLAN
    ROLLOUT STRATEGIES A OR B
    SETTING THE TIMING: THINGS TO THINK ABOUT
    EDUCATE, EDUCATE, EDUCATE
CONFIGURING AND ACTIVATING PIB
    SETTING UP A DEFAULT PIB PROFILE
    CHANGING THE MASTER ARU/ONLINE BANKING CONFIGURATION
    SETTING UP OR MODIFYING PIB PROFILES IN CU*BASE
    UPDATING A PIB PROFILE
    PIB CONTROLLED FEATURES FOR MOBILE WEB
USING THE PIB PROFILE ONLINE TOOL
    ACCESSING THE PIB PROFILE ONLINE
    PREVIEW OF THE ONLINE PIB PROFILE SETUP SCREENS
    OTHER PIB PROFILE SCREENS
HOW PIB AFFECTS “IT’S ME 247”
    ACCEPTING THE CREDIT UNION’S DEFAULT PIB PROFILE
    SETTING UP A NEW PIB PROFILE
    LOGGING IN TO “IT’S ME 247”
    “IT’S ME 247” SECURE MESSAGE CENTER
    CONFIRMING TRANSACTIONS
SUPPORTING PIB
    THE REALITY OF PIB: A SHORT STORY
    OPENING NEW MEMBERSHIPS
    ACTIVATING A PROFILE FOR A MEMBER
    REACTIVATING ONLINE ACCESS TO A MEMBER’S PIB PROFILE
    VIEWING A MEMBER’S PIB PROFILE
    UPDATING ONLINE BANKING ACCESS
    SAMPLE EMAILS TO MEMBERS
REVIEWING PIB ACTIVITY & SECURITY ALERTS
    VIEWING A MEMBER’S PIB MESSAGE HISTORY IN CU*BASE
    WHAT ACTIVITY IS LOGGED?
APPENDIX
    “CHEAT SHEET” FOR MSRS
    ANSWERING FREQUENTLY-ASKED QUESTIONS FROM MEMBERS

OVERVIEW

You’ve completed your latest Internet Banking Risk Assessment process, have you? If your assessment has concluded that you need to implement additional authentication features for It’s Me 247, now what? That’s where PIB comes in.

SO JUST WHAT IS PIB?

PIB provides a layered security approach to add additional authentication controls for It’s Me 247. PIB, which stands for Personal Internet Branch, is an independent application that provides multiple, configurable controls that govern how It’s Me 247 behaves and what members can do in online banking.

PIB allows your members to control access to their accounts with controls by feature, day of week, time of day, and even geographic location. It layers additional confirmation codes and member authentication internal to It’s Me 247.

Your credit union can configure default PIB settings for your members, and you can even decide just how much control you want your members to have in managing their own settings.

CU*Answers designed PIB to go far beyond just complying with the latest regulatory expectations and to provide some real value to your members. It’s a powerful feature that does some really cool things, and it is probably very different from what most of your members have ever seen before.

But with that power comes necessary complexity and the need for careful consideration. Make sure you go in with your eyes wide open.

WHY USE LAYERED SECURITY?

A bad guy somehow gets your It’s Me 247 user name and password. What can he do while he’s there? The more controls you have in place, the less that bad guy (or gal) can do to hurt you. Keep in mind that a control only helps if the person holding the stolen password cannot simply switch it off with that same password; that is one reason to think carefully about how much of the profile you let members change through the online tool.

Of course you must balance the relative safety of disabling access against your convenience in doing what you want to do with your accounts.

Imagine if you put a different lock on every door in your house and locked them all, all of the time. Even if a burglar managed to get in your front door, he would be thwarted every time he tried to go into one of the rooms. However, it would make living in your house very inconvenient for you and your family.

So you weigh these two extremes and come up with something in the middle. On your house, you make the front door very difficult to enter, and you put your valuables in a safe with a combination lock. Online, you set up controls that make it difficult for someone other than you to log in, then you put extra locks in place by deactivating certain features or requiring a second confirmation code wherever you want extra protection.

“It’s Me 247” PIB Configuration & User Guide 3

OTHER TOOLS YOU SHOULD BE USING TO CONTROL RISK

Remember that your credit union’s responsibility for mitigating risk doesn’t stop when you flip the switch to turn on PIB. Your policies and procedures related to offering and supporting online banking services for members are just as important. Make sure you have also considered:

• Your password controls and education program. Will you enforce complex passwords for It’s Me 247 and educate members on the importance of keeping passwords secure? Now is the time to implement this change, regardless of your plans to implement PIB.

• How you manage resetting passwords for members. How do you authenticate a member who calls on the phone asking for his password to be reset? Is the member’s identity carefully verified? Who can handle a reset? Are resets logged? Can a member ask an MSR to enter a specific custom password for them over the teller line? (Yes, there is a CU*BASE configuration feature that controls whether that feature is available or not!)

• Your policies and procedures for how online banking is implemented for new memberships. Does every new member get it by default, or do you have a monitored signup process? (Refer to the separate “Strategies for Controlling Member Access to It’s Me 247” document for some tips.)

• Policies for expiring passwords when members don’t use online banking regularly. This should be part of your dormancy monitoring policy. (Refer to the “It’s Me 247 Strategies for Controlling Member Access” document for tips about expiring passwords for inactive members.)

• How online banking access is covered in your dormancy policies and procedures. If you do not use the It’s Me 247 password expiration feature, do you deactivate online banking access when members go dormant?

• Your approach for how members move money on the Internet. How will you configure It’s Me 247 to manage money movement, whether it is internal to the membership, from one member to another, or to other financial institutions? More than just share-to-share transfers, we’re also talking about disbursing loans to checking accounts or the way people make payments. Having a comprehensive plan that can evolve with new technologies related to money movement is important to your annual risk assessment.

• Your approach to how members manage their identity on the Internet. How do you feel about options that identify who they are (address maintenance), who they do business with (bill pay or AFT), or where their direct deposits come from (ACH)? Having a strategy that allows members to do these things but also protects the way they do it is important. Do you have a plan for how members opt out of these functions?

Remember, it’s not just the tools you use (It’s Me 247); it’s the strategies that set the tone for where you are going with Internet services. It’s the behind-the-scenes, people things in your office that create the overall Internet risk you have. How easy is it for someone to call a credit union employee and have a password reset without identifying themselves? This isn’t technical, this is social.

PRICING

CU*Answers will not charge you any fees to use the PIB system for your members, and there is no up-front implementation cost. If members use the online tool to adjust their PIB Profile, that will not be counted toward your It’s Me 247 logins.

So yes, PIB is “free,” at least as far as the line items on your CU*Answers invoice go. You will, of course, still need to plan for increased staff training time, increased phone support for your members, changes to internal procedures such as opening new memberships, and ongoing marketing and education efforts.

ANSWERS TO YOUR QUESTIONS

Q: Is PIB the same as multi-factor authentication?

A: No. PIB is a layered security solution, which is one of the three methods recommended by the NCUA to comply with the “Guidance on Authentication in Internet Banking Environment” (letter 05-CU-18). Remember that you only need to select one of the three available methods. (The other two methods are multi-factor authentication, and “other controls,” the NCUA’s way of allowing for technology that doesn’t even exist yet.)

Although the term “multi-factor authentication” is sometimes misused and often misunderstood, what most people mean is actually two-factor authentication, which combines two different kinds of factor:

Factor One: Something You Know (a username, password, PIN, etc.)
Factor Two: Something You Have (a USB token or key fob that generates one-time passwords, a dongle, a smart card, etc.)

(A fingerprint or other biometric belongs to a third kind, Something You Are, rather than to Something You Have.)

Two-factor authentication generally requires customers who want to log into their accounts online to use a username and password (the first factor) together with a small token that generates a new password every minute or so (the second factor). Note that the PIB confirmation code described later in this booklet is a second secret the member knows, not a second kind of factor, which is why PIB is classed as layered security rather than multi-factor authentication.

In 2006 CU*Answers began reviewing token strategies with multiple partners. Based on lukewarm interest from our current credit unions in moving too quickly to add this expense to their programs or additional inconvenience for their members, CU*Answers has not made a final decision on which solution to choose.

We do believe that credit unions with aggressive programs (investment management, A2A, etc.) will have an audience for tokens (5% of online banking users). This strategy is based on a shared CUSO investment in setting the foundation for tokens. Should a CU deem it immediately necessary to add tokens to their program, CU*Answers will work directly with that credit union on the investment they need to make.

Q: I heard someone in the industry say that dual authentication is mandated by FFIEC for anyone doing high-risk transactions, like bill pay and moving money to another account. Who’s right?

A: Here’s what NCUA letter 05-CU-18 says:

“You should identify and evaluate the risks associated with the Internet related services you provide for your members.

“Where the risk assessment indicates that the use of single-factor authentication is inadequate for the types of services period [sic], you should employ multifactor authentication, layered security, or other controls.”

So yes, if your risk assessment says that bill pay and moving money to other accounts are high-risk transactions, then you have to implement an additional authentication method. That means multifactor, or layered, or other controls.

Q: Do I have to turn on PIB right away?

A: No! It’s Me 247 will continue to work just fine whether you decide to activate PIB or not.

In fact, you should not activate a change this significant without some careful planning and preparation. You need a plan. A plan for marketing the change to members. A plan to train your staff. A plan for rolling out the changes with an acceptable level of disruption to members and staff. A plan to handle the increase in phone calls and frustrated members. A plan to make this part of your process for opening new memberships. A plan for ongoing marketing and reinforcement.

Remember that if your risk assessment indicates that no new authentication methods are needed right now, you can spend some time deciding whether PIB is right for you, then flip the switch when the time is right.

Q: Can I just turn off features that I think are high-risk?

A: Actually, yes. And you could always do this. Features such as intermember transfers, AFT/CFT maintenance, and personal information update have always been optional features you can deactivate. Depending on your members’ needs, this may be a viable option to reduce the risk of offering online banking to your members. The key phrase here is “your members’ needs.” Simply turning off features you think are risky doesn’t mean your members won’t still need to do those things.

Q: Can I turn on PIB but make it more “transparent” to reduce the impact?

A: There are a couple of ways you can plan your rollout to reduce the immediate impact on members. In fact, a phased-in implementation method will be the best way to go for any credit union. Take a look at “Rollout Strategies A or B” (Page 8) for more details.

Q: What if my members don’t want to set up a PIB profile? Is there a default profile we can set up for them?

A: Yes, your credit union can set up a default PIB Profile for all members. This includes things like on/off flags for individual features, and maximum transaction amounts. This is in addition to the controls you already have related to It’s Me 247.

Be aware that the default settings are limited to those controls that don’t require the member to make a decision. For example, features such as persistent cookies and geo-location tools must be initiated by the member using his or her actual computer. As another example, there is a feature that allows for a secondary password, called a confirmation code, to be required for certain types of transactions. Since the member needs to set up that code, that requirement won’t be part of your default, but you could still make it part of your procedure when setting up a new profile with a member.

The point is that depending on what controls you want to specify as the default, you may still need to get the member involved, at least by talking with a CU representative, to complete certain settings.
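The controls this booklet describes (per-feature on/off flags, day-of-week and time-of-day windows, maximum transaction amounts, a credit-union default profile that only carries decision-free settings, and a member-chosen confirmation code for selected features) are easier to reason about when the evaluation order is written down. The Python below is an illustration added to this edition; it is not CU*Answers’ PIB code. The feature names, the order of the checks, the “master configuration” set, and the salted PBKDF2 storage of the confirmation code are all assumptions made for the example. It also reflects the caveat raised later under “Setting the Timing”: a member cannot switch on a feature that the credit union’s master configuration does not offer, so that layer is checked first.

```python
"""Layered-controls evaluator, added as an illustration (not CU*Answers' PIB code).

Assumed model: a master configuration of features the CU offers, a CU default
profile, per-member overrides, day/hour windows, per-feature amount limits, and
a member-chosen confirmation code required for chosen features.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, FrozenSet, Tuple

# Features the credit union has switched on in its master configuration (assumed list).
# A member can never use a feature that is not offered here, whatever the profile says.
MASTER_FEATURES = {"balance", "transfer", "a2a"}   # "bill_pay" deliberately left out


@dataclass(frozen=True)
class Profile:
    enabled: Dict[str, bool]             # feature -> on/off flag
    max_amount: Dict[str, float]         # feature -> largest amount per transaction
    allowed_days: FrozenSet[int]         # ISO weekdays, 1 = Monday .. 7 = Sunday
    allowed_hours: Tuple[int, int]       # (start, end): start inclusive, end exclusive
    confirm_features: FrozenSet[str] = frozenset()  # features that require the code
    confirm_salt: bytes = b""            # both empty until the member chooses a code
    confirm_hash: bytes = b""


# The credit union's default profile: only controls that need no member decision.
# No confirmation code here; only the member can pick that secret.
CU_DEFAULT = Profile(
    enabled={"balance": True, "transfer": True, "a2a": False, "bill_pay": True},
    max_amount={"transfer": 1000.00, "a2a": 2500.00},
    allowed_days=frozenset(range(1, 8)),
    allowed_hours=(0, 24),
)


def set_confirmation_code(profile, code, features):
    """Copy of `profile` with a member-chosen code (stored as a salted PBKDF2
    hash, never in clear) required for each feature in `features`."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000)
    return replace(profile, confirm_features=frozenset(features),
                   confirm_salt=salt, confirm_hash=digest)


def _code_matches(profile, code):
    if not profile.confirm_hash or code is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), profile.confirm_salt, 200_000)
    return hmac.compare_digest(digest, profile.confirm_hash)


def evaluate(profile, feature, when, amount=0.0, code=None):
    """Walk the layers in order; the first layer that objects wins.
    Returns (allowed, reason) so the caller can log why a request was refused."""
    if feature not in MASTER_FEATURES:
        return False, "feature not offered in master configuration"
    if not profile.enabled.get(feature, False):
        return False, "feature deactivated in member profile"
    if when.isoweekday() not in profile.allowed_days:
        return False, "outside allowed days"
    start, end = profile.allowed_hours
    if not start <= when.hour < end:
        return False, "outside allowed hours"
    limit = profile.max_amount.get(feature)
    if limit is not None and amount > limit:
        return False, "amount %.2f exceeds limit %.2f" % (amount, limit)
    if feature in profile.confirm_features and not _code_matches(profile, code):
        return False, "confirmation code missing or incorrect"
    return True, "allowed"


def sample_member():
    """Constructed member: keeps the CU default, turns on A2A, restricts use to
    weekdays 07:00-21:00, and requires a confirmation code for A2A."""
    member = replace(CU_DEFAULT,
                     enabled={**CU_DEFAULT.enabled, "a2a": True},
                     allowed_days=frozenset(range(1, 6)),
                     allowed_hours=(7, 21))
    return set_confirmation_code(member, "4821", {"a2a"})


def run_demo():
    """Run a fixed set of constructed requests against the sample member.
    Returns [(label, allowed, reason), ...]."""
    m = sample_member()
    tue_noon = datetime(2019, 5, 14, 12, 0)          # a Tuesday
    cases = [
        ("small transfer", m, "transfer", tue_noon, 250.0, None),
        ("oversize transfer", m, "transfer", tue_noon, 4000.0, None),
        ("bill pay not offered by CU", m, "bill_pay", tue_noon, 50.0, None),
        ("a2a without code", m, "a2a", tue_noon, 100.0, None),
        ("a2a wrong code", m, "a2a", tue_noon, 100.0, "0000"),
        ("a2a right code", m, "a2a", tue_noon, 100.0, "4821"),
        ("sunday transfer", m, "transfer", datetime(2019, 5, 12, 12, 0), 10.0, None),
        ("3am transfer", m, "transfer", datetime(2019, 5, 14, 3, 0), 10.0, None),
        ("a2a under CU default", CU_DEFAULT, "a2a", tue_noon, 10.0, None),
    ]
    return [(label, *evaluate(p, f, t, a, c)) for label, p, f, t, a, c in cases]


if __name__ == "__main__":
    for label, ok, why in run_demo():
        print("%-28s %-5s %s" % (label, ok, why))
```

Two design points are worth noting. The master configuration is tested before the member’s own flag, so a member who turns on “bill_pay” in a profile gets a clear refusal rather than a feature that silently fails; that mirrors the warning elsewhere in this booklet that PIB does not hide features the credit union does not offer. The confirmation code is compared with a constant-time digest comparison and is never stored in clear, and it is absent from the CU default on purpose, because the member, not the credit union, must choose it.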

DEVELOPING A ROLLOUT PLAN

Although PIB can technically be activated by just changing a few flags in CU*BASE, to say it will have a huge impact on your members and your member service staff is an understatement. Suffice it to say that your call volume will increase significantly after implementation as members begin to learn and experiment. You need a comprehensive plan and rollout strategy.

Enter into this new arena with your eyes wide open and a thorough understanding of how this might change the way you serve members, more than anything else your credit union has ever done in the past.

ROLLOUT STRATEGIES A OR B

The following sample strategies will help you decide how you will activate PIB and implement it. Either way, move carefully, one step at a time, to minimize the negative impact on members and stress on your member service resources.

For a complete checklist of tasks and instructions for configuring, marketing, and implementing PIB according to each of these scenarios, refer to the separate document, “Implementing PIB: Strategies From A to Z.”

Scenario A: Keep It Simple State CU

KISSCU has limited member service resources and a membership that is not very aggressive about the credit union’s online services. Because their risk assessment has determined the need for stronger controls for It’s Me 247, they want to add an additional layer of security (that they control) to It’s Me 247 for high-risk members or members who want a higher level of security.

This strategy will allow the CU to maintain complete control over the PIB profile and not allow members to use the online tool, while still making it easy for members to begin using a profile with a minimum of one-on-one contact with an MSR.

1. Implement complex password controls
2. Train staff on new PIB procedures; update internal procedure for setting up online banking for new members
3. Notify existing online banking members of changes coming to It’s Me 247
4. Activate PIB configuration and default PIB Profile
5. Update high-risk members’ PIB profiles, as well as those of members who want a higher level of security

Scenario B: Step By Step CU

SBSCU’s strategy is similar to the one used by KISSCU, except that after they have rolled out the basic PIB system to members, they want to add more security layers and personalization by introducing the confirmation code feature to members.

They still want to maintain close control over PIB Profile settings and work with members directly to adjust any settings, rather than open up access to the online tool.

1. Complete all steps under Scenario A (above)
2. Six months after initial implementation, market to online banking members the ability to add a confirmation code to certain online banking features
3. As members respond, the MSR will modify the member’s PIB Profile in CU*BASE, activating the confirmation code for the desired features and entering the code the member wishes to use

NOTE: These steps could then be repeated at appropriate intervals to introduce other PIB features, one at a time. This method allows the CU to maintain control and keep things simple while also reinforcing their message about their commitment to member security over time.

Scenario Z: Web Savvy Members CU

WSMCU has a large base of web-savvy members who are aggressive about pushing for new features and increased control. Although WSMCU wants to roll out PIB carefully, ultimately they do want to provide members with complete control over their Profile and all of the PIB features available, including geographic controls and PC registration tools only offered through the online tool.

1. Complete all steps under Scenario B (above)
2. Train staff on new PIB procedures; update internal procedure for setting up online banking for new members
3. Notify members of PIB online tools
4. Activate all features in your Master parameters, so that any adjustments that a member makes to his PIB Profile will work as expected. (Remember that you already set up your default profile to deactivate any features you considered “risky,” so that the member would be responsible for activating that feature if he or she was willing to accept the risk.)
5. Modify PIB configuration to allow members to adjust their PIB profile using the online tool

SETTING THE TIMING: THINGS TO THINK ABOUT

The timing for this will depend on many different factors, all of which should be carefully considered to minimize the stress and confusion of implementing a product as complex and powerful as PIB.

• What rollout strategy (above) best fits your situation? If one of these isn’t exactly right, do you completely understand the flow and what the effect of each step in the process will be on your members?

• Is your staff ready? How much time do you have to devote to staff training? Do you have the necessary resources in place to handle the increased call volume once PIB is released to the membership at large? Are procedures in place for verifying identity for members who call wanting their settings to be changed?

• Are your members ready? How technically savvy are your members? Do you already have an established pattern of regular communications with your Internet members that can be used to keep them informed and get them excited?

• Are you offering all of the features It’s Me 247 offers? If you plan to open up the online tool, you must activate all of the features in your master configuration so that any feature the member turns on will actually work. (PIB doesn’t hide a feature from the member just because you don’t offer that feature at your credit union. See Page 16 for more information.)

• How many changes do you need to implement at the same time? If your credit union has never set up transfer control lists, members will either need to be educated on how to use PIB to do that, or your MSRs need to be ready to handle the initial onslaught of reques