
Requests for funds transfers are usually received by telephone from correspondents, directly from customers, branch offices, and other institutions. Other transfers are initiated by incoming wires and TWX/Telex, or on a pre-authorized recurring basis based on written instructions received from the customer. Few requests are received by mail because of the delay inherent in this method.

External telephone requests are usually validated by voice recognition if the transfer is pre-authorized and recurring. If not pre-authorized, additional validation techniques such as call-back and password/test codes should be utilized. The inherent fault with passwords and codes is that they may not be maintained in a secure manner nor periodically changed, rendering them ineffective as security measures. A call-back procedure is simply receiving instructions to transfer and returning the call to the customer to ensure the transfer is authorized and accurate. The call-back procedure should be combined with separation of duties for both the customer and the sending institution. This requires two people on each side of the transfer. Call-backs are often based on the dollar amount of the transfer, and are both time consuming and expensive; however, a careful evaluation of the potential exposure usually indicates when these additional controls are warranted.

Internal telephone requests are usually initiated by the account officer at the customer's request. When transfers are made in this manner the process should be thoroughly documented to prevent the arrangement from becoming too informal. Call-backs should be used to verify that the funds are being moved for legitimate transactions. In states where the practice is allowed, some institutions are now using tape monitors to record all telephone transfer requests and call-backs. This measure provides documentation and aids in ensuring the accuracy of transfer messages.

Written instructions may be received by mail, telephone facsimile, internal memorandum and walk-up window using an order form. The primary control for this method of transfer is signature verification, with test codes and dollar limits sometimes used. However, these controls may be waived because of pressure during peak volume periods, thus creating potential exposure.

Once a transfer is initiated, institution personnel should verify the availability of adequate DDA balances before executing the transfer, and place a hold on the account to ensure that multiple transfers are not made against the same balance. Some institutions have fully automated this process. If adequate funds are not available, a credit decision must be made. This matter should be addressed in the institution's written credit policy and operating policies for the funds transfer department. Although this procedure is often waived when dealing with "blue chip" companies, multiple transfers against the same balance by a dishonest customer could result in significant losses to the institution. Procedures should also be established to verify account numbers.
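An added example, not from the handbook, of the hold described above: a demand deposit account that reserves funds atomically before a transfer executes, so a second transfer against the same balance is routed to a credit decision instead of being paid. The account number and amounts are constructed.

```python
import threading
from decimal import Decimal

class DemandDepositAccount:
    """Ledger balance plus outstanding holds. A transfer must obtain a
    hold against the available balance before it is executed, so two
    requests arriving together cannot both be paid from the same funds."""

    def __init__(self, account_number: str, ledger_balance: Decimal):
        self.account_number = account_number
        self.ledger_balance = ledger_balance
        self._holds = {}                 # transfer_id -> amount held
        self._lock = threading.Lock()    # serialises the check-and-hold step

    def available(self) -> Decimal:
        """Ledger balance less every hold not yet executed or released."""
        return self.ledger_balance - sum(self._holds.values(), Decimal("0"))

    def place_hold(self, transfer_id: str, amount: Decimal) -> str:
        """'held' if funds were reserved; 'credit_decision' if the available
        balance is short and the written credit policy must decide."""
        with self._lock:
            if transfer_id in self._holds:
                return "held"            # idempotent: the same request retried
            if amount > self.available():
                return "credit_decision"
            self._holds[transfer_id] = amount
            return "held"

    def execute(self, transfer_id: str) -> Decimal:
        """Post the transfer against its hold; returns the new ledger balance.
        Raises KeyError if no hold was placed first."""
        with self._lock:
            amount = self._holds.pop(transfer_id)
            self.ledger_balance -= amount
            return self.ledger_balance

    def release(self, transfer_id: str) -> None:
        """Drop a hold when the transfer is declined or cancelled."""
        with self._lock:
            self._holds.pop(transfer_id, None)
```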

Since physical security is the first line of defense, access to the funds transfer department should be restricted to authorized personnel. Within the department access to code books, terminals and terminal training manuals and other security documents should be restricted. Passwords for terminal operators should be changed frequently on an irregular basis. In addition, institution personnel policies should address the particular requirements of the department and ensure adequate screening procedures are in effect. Due to the obvious risk inherent in funds transfer services, it is imperative that institution management perform a thorough risk analysis of the department and establish appropriate policies and procedures.

Most customer-activated EFT systems require some identification of the customer before any transactions are effected. In most cases, a PIN is that identification. This identification may be in numeric variable length form, normally not exceeding six digits, or in alpha or alphanumeric variable length form up to six places. The alpha or alphanumeric code is commonly known as the Personal Identification Code (PIC) and is stored with its numeric equivalent, similar to a telephone dial where letters also have numeric offsets. Throughout this discussion the more widely accepted term, PIN, will be used to denote alpha, numeric, or alphanumeric codes of identification.

PINs can be issued in the following ways:

--Pre-selected.

--By a random means and assigned to a given account number.

--By a cryptographic technique using the account number.

--Assigned as a combination of the above.

For example, an account may come with a pre-assigned PIN but the customer may immediately change it to a PIN more easily remembered.

The positive aspects of a customer-selected PIN are the ease of remembering it and the ability to use a common PIN for several different account numbers. The drawbacks include the additional control methods needed for the PIN selection to ensure that only the customer has access to it. Street addresses, phone numbers, family names, birthdates, "four-letter words", social security numbers, and common sequences of numbers such as 1111, 1234, and 9999 are limited as compared to random numbers. A thief acquiring the card with a wallet or pocketbook would have ample information from which to pick a PIN, particularly if unlimited PIN entries were allowed. About the only risk in the irreversible PIN selection technique described above would be that an individual acquiring the algorithm would have access to PINs for all customers. But this risk would also be true of an individual acquiring the key to a reversible encryption technique.
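An added example, not from the handbook, of two points above: storing an alphanumeric PIC as its numeric equivalent, and screening a customer-selected PIN for the weak choices listed (repeated digits, runs, and data a thief would find in the same wallet). The keypad table and the sample personal data are assumptions of this example.

```python
import re

# Letter-to-digit table for storing an alpha/alphanumeric PIC as its
# numeric equivalent. The page only says "similar to a telephone dial";
# this modern keypad layout (with Q and Z) is an assumption.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}

def pic_to_pin(pic: str) -> str:
    """Map a PIC such as 'CAT1' (up to six places) to the numeric PIN stored."""
    if not 1 <= len(pic) <= 6:
        raise ValueError("PIC must be 1 to 6 places")
    digits = []
    for ch in pic.upper():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"character not allowed in a PIC: {ch!r}")
    return "".join(digits)

def pin_selection_problems(pin: str, personal_data=()) -> list:
    """Reasons to refuse a customer-selected PIN. personal_data holds strings
    that travel with the card (birthdate, phone number, street address, SSN);
    the caller supplies them from the account record."""
    problems = []
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        return ["PIN must be 4 to 6 digits"]
    if len(set(pin)) == 1:
        problems.append("single repeated digit (e.g. 1111, 9999)")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("ascending or descending run (e.g. 1234)")
    for item in personal_data:
        if pin in re.sub(r"\D", "", item):   # compare digits only
            problems.append("appears in personal data carried with the card")
            break
    return problems
```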

No matter what PIN selection method is used, a decision must be made about what to do if the customer forgets or loses the PIN. The ability for PIN look-up should be controlled. It is safe to state that the more secure systems do not allow any type of PIN look-up or PIN verification. In some instances, however, marketing concerns have required that the customer be served fully, and that includes reissuing the same PIN. A customer at an EFT location may call the financial institution and state that their PIN does not work. Some institutions have allowed for PIN look-up to verify that the customer is in fact using the correct PIN and that the system is working properly. An alternative procedure would be for the financial institution to have available test accounts and test PINs. If a customer called questioning the system, the institution would be able to verify the status of the system without compromising the customer's PIN. If a PIN look-up is allowed, it should be severely restricted to pre-designated individuals and appropriate authorization should document such action. Some systems require the entry of the existing PIN in order to make changes, so the exposure is limited to only those individuals who have access to present PINs, which may be maintained on lists. Any such list should only contain the PIN and a sequence number which can be cross referenced to a list of account numbers. Some systems require that the account be closed, a new account be opened, a new EFT vehicle be issued and a new PIN be assigned.

Financial institutions should have procedures to identify a customer when the EFT network is not operational. The options generally available are to temporarily suspend the EFT transactions or to continue as if on-line with either the same or reduced floor limits. From a control standpoint the best alternative is to temporarily suspend operations unless adequate alternatives have been considered. PIN security and account balance verification will need to be addressed if the location continues to operate. The financial institution will have to decide how to operate without normal PIN verification. One alternative is to have the PIN encrypted and encoded on the magnetic stripe on the card. Terminals with front-end devices would be able to compare the customer input of the PIN to the encrypted format on the magnetic stripe for identification.

If off-line entries are accepted, a corresponding item of concern is how the off-line transactions are to be re-entered into the system without the customer being present to supply the plastic card and PIN. Some systems may allow for automatic re-entry since the information has been captured on cassette while in an off-line mode. When the system comes back on-line, the clerk would prompt the machine to re-enter the off-line transactions. Other systems have allowed the store clerk to override the normal requirement that the plastic and PIN be used, so that the clerk can input the transactions as if the customer were there. This override feature carries implicit exposures. The probability exists that the clerk is unbonded by either the financial institution or store bonds, and management should be made aware of this situation. At a minimum, there should be a separate report of all such transactions and an audit trail to identify the store clerk who made such re-entries. Exception reports should be regularly reviewed to determine trend development. Customer confirmation of certain items may also be considered. The protection of the customer's PIN is vital to any EFT system.

A further protection of the customer's PIN is to allow the customer only a limited pre-set number of attempts to enter their PIN. Some sources recommend three as an acceptable number, but the important factor is the limitation. Such a limit should be software controlled with a corresponding lock-out of the account in the terminals if the limit is exceeded.

The following operational guidelines have been recommended by the American Bankers Association and others:

Storage Guidelines

--PINs should not be stored on plastic cards.

--Unissued PINs should never be stored anywhere. They should be calculated when issued, and any temporary or transient computer storage areas used in the calculation must be cleared immediately after use.

--Random PINs and customer-selected PINs should be encrypted on all files and data bases.

Delivery Guidelines

--PINs should not appear in printed form where they can be associated with an account number.

--The document designed to be sent to the cardholder containing the PIN and the cardholder's name (but not the cardholder's number) should be processed and delivered under conditions at least as secure as those used in processing and delivering bank cards to the cardholder.
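An added example, not from the handbook, of a PIN file that follows the storage guidelines above together with the attempt limit and the no-look-up principle described earlier. It substitutes a keyed HMAC digest for the encryption the guidelines call for (a choice of this example, not the page's), which also makes PIN look-up impossible; each PIN exists in clear only at issue time, and the account locks on the third consecutive failure. The key and account numbers are constructed placeholders.

```python
import hmac
import hashlib
import secrets

PIN_LENGTH = 4
MAX_FAILURES = 3   # "some sources recommend three"; the limit itself is what matters
# Hypothetical institution key; in practice it would live in a hardware security module.
VERIFICATION_KEY = b"constructed-demo-key-not-for-production"

def pin_digest(account_number: str, pin: str) -> str:
    """Keyed digest of the PIN bound to its account number. The PIN file keeps
    only this value, so a clear PIN is never stored and cannot be looked up."""
    msg = f"{account_number}:{pin}".encode()
    return hmac.new(VERIFICATION_KEY, msg, hashlib.sha256).hexdigest()

class PinFile:
    def __init__(self):
        self._records = {}   # account_number -> {"digest", "failures", "locked"}

    def issue(self, account_number: str, rng=secrets.randbelow) -> str:
        """Calculate a random PIN at issue time, keep only its digest, and return
        the clear PIN once for the delivery document; the caller must not retain it."""
        pin = "".join(str(rng(10)) for _ in range(PIN_LENGTH))
        self._records[account_number] = {
            "digest": pin_digest(account_number, pin), "failures": 0, "locked": False}
        return pin

    def verify(self, account_number: str, pin: str) -> str:
        """Return 'ok', 'bad_pin' or 'locked'. The account locks on the third
        consecutive failure; a success resets the counter."""
        rec = self._records.get(account_number)
        if rec is None or rec["locked"]:
            return "locked"          # unknown accounts answer like locked ones
        if hmac.compare_digest(rec["digest"], pin_digest(account_number, pin)):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "locked"
        return "bad_pin"

    def is_locked(self, account_number: str) -> bool:
        rec = self._records.get(account_number)
        return rec is not None and rec["locked"]
```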
