
Understanding El Salvador’s New Banking Standards

New Measures to Strengthen Security and Prevent Financial Fraud

Financial institutions have fought cyberattacks and fraud for decades. Unfortunately, year-to-date data suggest there’s still a long way to go. Globally, fraud attempts against financial services companies increased 149% during the first four months of 2021. In the US, they increased 109% in the same period.

In the UK, financial criminals stole a total of £753.9 million during the first half of 2021 — an increase of 30% compared to the first half of 2020. And in Latin America, one of the fastest-growing e-commerce markets, the massive shift that's underway towards e-commerce and mobile-commerce platforms has created huge opportunities for fraudsters.

Given this landscape, it’s not surprising that El Salvador’s Central Reserve Bank recently issued new standards to help the country’s financial institutions strengthen security systems. Entitled Temporary Technical Standards on Cybersecurity Measures and Identification of Clients in Digital Channels, the document lays out detailed technical guidelines for authenticating customers and protecting their financial information.

Here’s what that means for financial institutions that do business in the country.

Unpacking the New Standards on Cyber Security and Digital Channels

El Salvador’s new guidelines establish that financial institutions must use Strong Customer Authentication (SCA) to verify customers’ identity during digital banking transactions.

SCA, a requirement of the European Union’s Revised Payment Services Directive (PSD2), authenticates people using multi-factor authentication (MFA). This helps prevent fraudulent transactions and protects the integrity of the information that financial institutions collect, process, transmit and store on behalf of their customers.

The new standards outline a risk-based authentication process that requires financial institutions to match authentication factors with different transaction risks to protect customer accounts. They classify authentication factors into four categories:

  • Category 1 encompasses information obtained from customer contracts to generate security questions
  • Category 2 describes characters that are exclusively known to each customer, for example, a PIN or a password
  • Category 3 includes dynamic one-time passwords (OTPs) that are generated by electronic devices, like hard and soft tokens
  • Category 4 includes biometric data like faces and fingerprints

Digital banking customers must utilize one Category 2 authentication factor to log in to their accounts, plus an additional factor that depends on the type of transaction they are executing:

| Operations | First Authentication Method | Second Authentication Method |
|---|---|---|
| Enrolling in or discontinuing financial products and services | Cat 2 | Cat 3 |
| Using financial products, services and payment schedules | Cat 2 | Cat 3 |
| Paying for services, redeeming benefits, making withdrawals or cash advances, updating passwords or executing electronic transfers to third parties | Cat 2 | Cat 3 |
| Opening multiple accounts or financial products | Cat 2 | Cat 3 |
| Updating customer data through online or mobile banking | Cat 2 | N/A |
| Making inquiries | Cat 2 | N/A |
| Transacting through self-service devices | Cat 2 | N/A |
| Making electronic payments or transfers from one account to another | Cat 2 | N/A |

Financial institutions in El Salvador — both national and foreign — must comply with the new provisions or face sanctions. In fact, they must guarantee that their procedures ensure that customer data are properly protected throughout the banking journey by these secure authentication methods.

Complying with « Normas Técnicas Temporales Sobre Medidas De Ciberseguridad E Identificación De Los Clientes En Canales Digitales »

Customers will not tolerate an authentication experience that sacrifices convenience in order to meet security requirements. Fortunately, with the right consumer authentication solutions, it’s a compromise they don’t have to make.

Adaptive authentication solutions construct comprehensive risk profiles based on multiple parameters, from geolocation and device type to biometric factors like how customers typically manipulate a keyboard or mouse. They work behind the scenes to detect and mitigate fraud without disturbing users, and they integrate seamlessly with front-end banking applications.

And they help institutions not just meet but exceed the new Salvadoran standards — especially important in a region whose booming financial services market has been accompanied by a startling amount of fraud.

Need help securing your end-to-end banking journey? Visit the HID Global consumer authentication hub or read about how the analysts at KuppingerCole rate our authentication platform.

Juan Camilo Arenas is the Business Development Director of IAM Consumer Authentication for Americas at HID Global. He has vast experience in the banking business consulting on regulatory matters, governance and compliance and working with IT Directors in order to improve their financial institution’s security requirements, business agility and mitigation of risk. In the past, Juan Camilo has worked with Atoma Technologies leading operations for Latin America.
