BankThink

Wells' phony account scandal cries out for multi-factor authentication

The Federal Reserve recently announced it is imposing further penalties on Wells Fargo tied to its fake account scandal, barring the bank from growing until it can satisfy the Fed that internal controls have improved.

"The Board's consent cease and desist order with Wells Fargo requires the firm to improve its governance and risk management processes, including strengthening the effectiveness of oversight by its board of directors."

While the Fed’s action is laudable, its focus on management and board failures stops far short of preventing this from happening again, and misses a fundamental truth. The Wells Fargo fiasco was made possible by a failure to follow existing federal guidelines that require financial institutions to employ multi-factor customer authentication.

A woman walks past a Wells Fargo & Co. bank branch in Los Angeles, California, U.S., on Tuesday, July 7, 2015. Wells Fargo & Co. is scheduled to report quarterly earnings on July 14. Photographer: Patrick T. Fallon/Bloomberg

To bypass the customer in setting up millions of phony accounts, Wells Fargo employees took advantage of the bank’s continuing reliance on single-factor authentication. Employees were easily able to impersonate customers using just one method of validation: personal information they already possessed (SSNs, dates of birth).

Yet federal guidelines exist that direct banks to employ multi-factor authentication: something you know (e.g., SSN or date of birth), something you have (e.g., a driver’s license, credit card or trusted phone) and something you are (e.g., your fingerprint).

If existing federal guidelines had been followed, no fake accounts could have been opened. And the truly frightening reality is that Wells Fargo is not unique. Many FDIC-insured banks still are not complying with multi-factor authentication guidelines.

This scandal is a wake-up call. It’s time for strong enforcement of the current FFIEC (FDIC) guidance, “Authentication in an Internet Banking Environment.”

Technology exists today that would make these guidelines easy to follow. It’s time to combat the high cost that reliance on single-factor authentication imposes on individuals, businesses and the government. And it’s time to restore consumers’ trust in their government and their financial institutions.
