
Understanding El Salvador’s New Banking Standards

New Measures to Strengthen Security and Prevent Financial Fraud

Financial institutions have fought cyberattacks and fraud for decades. Unfortunately, data from the year-to-date suggest there’s still a long way to go. Globally, fraud attempts against financial services companies increased 149% during the first four months of 2021. In the US, they increased 109% in the same period.

In the UK, financial criminals stole a total of £753.9 million during the first half of 2021 — an increase of 30% compared to the first half of 2020. And in Latin America, one of the fastest-growing e-commerce markets, the massive shift that's underway towards e-commerce and mobile-commerce platforms has created huge opportunities for fraudsters.

Given this landscape, it’s not surprising that El Salvador’s Central Reserve Bank recently issued new standards to help the country’s financial institutions strengthen security systems. Entitled Temporary Technical Standards on Cybersecurity Measures and Identification of Clients in Digital Channels, the document lays out detailed technical guidelines for authenticating customers and protecting their financial information.

Here’s what that means for financial institutions that do business in the country.

Unpacking the New Standards on Cyber Security and Digital Channels

El Salvador’s new guidelines establish that financial institutions must use Strong Customer Authentication (SCA) to verify customers’ identity during digital banking transactions.

SCA — a requirement introduced by the European Union’s Revised Payment Services Directive (PSD2) — authenticates people using multi-factor authentication (MFA). This helps prevent fraudulent transactions and protects the integrity of the information that financial institutions collect, process, transmit and store on behalf of their customers.

The new standards outline a risk-based authentication process that requires financial institutions to match authentication factors with different transaction risks to protect customer accounts. They classify authentication factors into four categories:

  • Category 1 encompasses information obtained from customer contracts to generate security questions
  • Category 2 describes characters that are exclusively known to each customer, for example, a PIN or a password
  • Category 3 includes dynamic one-time passwords (OTPs) that are generated by electronic devices, like hard and soft tokens
  • Category 4 includes biometric data like faces and fingerprints

Digital banking customers must utilize one Category 2 authentication factor to log in to their accounts, plus an additional factor that depends on the type of transaction they are executing:

| Operations | First Authentication Method | Second Authentication Method |
| --- | --- | --- |
| Enrolling in or discontinuing financial products and services | Cat 2 | Cat 3 |
| Using financial products, services and payment schedules | Cat 2 | Cat 3 |
| Paying for services, redeeming benefits, making withdrawals or cash advances, updating passwords or executing electronic transfers to third parties | Cat 2 | Cat 3 |
| Opening multiple accounts or financial products | Cat 2 | Cat 3 |
| Updating customer data through online or mobile banking | Cat 2 | N/A |
| Making inquiries | Cat 2 | N/A |
| Transacting through self-service devices | Cat 2 | N/A |
| Making electronic payments or transfers from one account to another | Cat 2 | N/A |

Financial institutions in El Salvador — both national and foreign — must comply with the new provisions or face sanctions. In fact, they must guarantee that their procedures ensure that customer data are properly protected throughout the banking journey by these secure authentication methods.

Complying with « Normas Técnicas Temporales Sobre Medidas De Ciberseguridad E Identificación De Los Clientes En Canales Digitales »

Customers will not tolerate an authentication experience that sacrifices convenience in order to meet security requirements. Fortunately, with the right consumer authentication solutions, it’s a compromise they don’t have to make.

Adaptive authentication solutions construct comprehensive risk profiles based on multiple parameters, from geolocation and device type to biometric factors like how customers typically manipulate a keyboard or mouse. They work behind the scenes to detect and mitigate fraud without disturbing users, and they integrate seamlessly with front-end banking applications.

And they help institutions not just meet but exceed the new Salvadoran standards — especially important in a region whose booming financial services market has been accompanied by a startling amount of fraud.

Need help securing your end-to-end banking journey? Visit the HID Global consumer authentication hub or read about how the analysts at KuppingerCole rate our authentication platform.

Juan Camilo Arenas is the Business Development Director of IAM Consumer Authentication for Americas at HID Global. He has vast experience in the banking business consulting on regulatory matters, governance and compliance and working with IT Directors in order to improve their financial institution’s security requirements, business agility and mitigation of risk. In the past, Juan Camilo has worked with Atoma Technologies leading operations for Latin America.