1. Products and services delivered via digital channels can introduce additional information security vulnerabilities which, if exploited, could result in potentially material information security incidents impacting beneficiaries. APRA-regulated entities would typically implement preventative, detective and response controls commensurate with these risks. Common controls include:
    a. authentication controls commensurate with the vulnerabilities and threats associated with the products and services offered. This could include use of a second-channel notification/confirmation of events (e.g. account transfers, new payees, change of address, access from an unrecognised device);
    b. limits to ensure losses remain within risk tolerances (e.g. transfer limits, daily transaction limits);
    c. transaction activity monitoring to detect unusual patterns of behaviour, and review of loss event trends (e.g. fraud and theft losses) which may trigger the need for additional controls;
    d. regular review of customer education and security advice to ensure that it remains adequate and aligned with common industry practice;
    e. documented and communicated procedures for incident monitoring and management of fraud, data leakage and identity theft;
    f. minimising the collection of sensitive customer information beyond what is relevant to the business activities undertaken. This includes customer information used for the purposes of authentication, such as passwords/PINs.