Map of El Salvador & flag

Understanding El Salvador’s New Banking Standards

New Measures to Strengthen Security and Prevent Financial Fraud

Financial institutions have fought cyberattacks and fraud for decades. Unfortunately, data from the year-to-date suggest there’s still a long way to go. Globally, fraud attempts against financial services companies increased 149% during the first four months of 2021. In the US, they increased 109% in the same period.

In the UK, financial criminals stole a total of £753.9 million during the first half of 2021 — an increase of 30% compared to the first half of 2020. And in Latin America, one of the fastest-growing e-commerce markets, the massive shift that's underway towards e-commerce and mobile-commerce platforms has created huge opportunities for fraudsters.

Given this landscape, it’s not surprising that El Salvador’s Central Reserve Bank recently issued new standards to help the country’s financial institutions strengthen security systems. Entitled Temporary Technical Standards on Cybersecurity Measures and Identification of Clients in Digital Channels, the document lays out detailed technical guidelines for authenticating customers and protecting their financial information.

Here’s what that means for financial institutions that do business in the country.

Unpacking the New Standards on Cyber Security and Digital Channels

El Salvador’s new guidelines establish that financial institutions must use Strong Customer Authentication (SCA) to verify customers’ identity during digital banking transactions.

SCA — a requirement introduced by the European Union’s Revised Payment Services Directive  (PSD2) — authenticates people using multi-factor authentication (MFA). This helps prevent fraudulent transactions and protects the integrity of the information that financial institutions collect, process, transmit and store on behalf of their customers.

The new standards outline a risk-based authentication process that requires financial institutions to match authentication factors with different transaction risks to protect customer accounts. They classify authentication factors into four categories:

  • Category 1 encompasses information obtained from customer contracts to generate security questions
  • Category 2 describes characters that are exclusively known to each customer, for example, a PIN or a password
  • Category 3 includes dynamic one-time passwords (OTPs) that are generated by electronic devices, like hard and soft tokens
  • Category 4 includes biometric data like faces and fingerprints

Digital banking customers must utilize one Category 2 authentication factor to log in to their accounts, plus an additional factor that depends on the type of transaction they are executing:

OperationsEnrolling in or discontinuing financial products and servicesUsing financial products, services and payment schedulesPaying for services, redeeming benefits, making withdrawals or cash advances, updating passwords or executing electronic transfers to third partiesOpening multiple accounts or financial productsUpdating customer data through online or mobile bankingMaking inquiriesTransacting through self-service devicesMaking electronic payments or transfers from one account to anotherCat 2Cat 2Cat 2Cat 2Cat 2Cat 2Cat 2Cat 2FirstAuthentication MethodCat 3Cat 3Cat 3Cat 3N/AN/AN/AN/ASecond

Financial institutions in El Salvador — both national and foreign — must comply with the new provisions or face sanctions. In fact, they must guarantee that their procedures ensure that customer data are properly protected throughout the banking journey by these secure authentication methods.

Complying with « Normas Técnicas Temporales Sobre Medidas De Ciberseguridad E Identificación De Los Clientes En Canales Digitales »

Customers will not tolerate an authentication experience that sacrifices convenience in order to meet security requirements. Fortunately, with the right consumer authentication solutions, it’s a compromise they don’t have to make.

Adaptive authentication solutions construct comprehensive risk profiles based on multiple parameters from geolocation and device type to biometric factors like how customers typically manipulate a keyboard or mouse. They work behind the scenes to detect and mitigate fraud without disturbing users, and they integrate seamlessly with front-end banking applications.

And they help institutions not just meet but exceed the new Salvadoran standards — especially important in a region whose booming financial services market has been accompanied by a startling amount of fraud.

Need help securing your end-to-end banking journey? Visit the HID Global consumer authentication hub or read about how the analysts at KuppingerCole rate our authentication platform.

Juan Camilo Arenas is the Business Development Director of IAM Consumer Authentication for Americas at HID Global. He has vast experience in the banking business consulting on regulatory matters, governance and compliance and working with IT Directors in order to improve their financial institution’s security requirements, business agility and mitigation of risk. In the past, Juan Camilo has worked with Atoma Technologies leading operations for Latin America.


HID Origo™ 개발자 포털 소개

HID Origo™ 개발자 포털의 가용성에 대한 소식을 전해 드릴 수 있게 되어 기쁘게 생각합니다. 이 포털에서는 기술 파트너들에게 직원들의 물리적 및 디지털 경험과 기술이 혼재하는 앱과 API 통합을 구축하는 데 필요한 도구와 지원을 제공합니다.

10월은 국가 사이버 보안의 달입니다

매년 10월은 정부와 사이버 보안 업계가 협력을 도모하기 위해 지정한 국가 사이버 보안 인식의 달(NCSAM)입니다. 이 교육 기간 동안 유익한 정보를 통해 기업과 개인이 온라인에서 스스로를 보호할 수 있는 방법에 대한 인식을 고취시킬 수 있습니다.