Academic journal article ABA Banking Journal

Read This before You Take Multi-Factor Plunge: Regulators Say Multi-Factor Authentication Is an Option Not a Requirement

Academic journal article ABA Banking Journal

Read This before You Take Multi-Factor Plunge: Regulators Say Multi-Factor Authentication Is an Option Not a Requirement

Article excerpt

Banks offering internet-based services have been wrestling with a thorny issue since last year's regulatory fiat on authentication methods. Few recent compliance challenges have been the subject of so much misinformation, rumor, and misunderstanding.

The interagency announcement, "Authentication in an Internet Banking Environment," issued in mid-October 2005 by the Federal Financial Institutions Examination Council, requires that banking companies review their internet-based offerings and determine which should be subjected to enhanced authentication measures on the behalf of both commercial and consumer customers. The exercise is not only supposed to be completed by yearend, but areas of weakness identified in the course of the review are expected to have been addressed through improved procedures.

In many cases, the expected shift in security format would be from "single-factor" authentication to "multi-factor" authentication. "Single-factor" authentication requires only asking that customers provide one form of identification to access services, which the agencies consider inadequate for high-risk transactions conducted under modern conditions. A typical single-factor scheme would use a log-on ID and a password only.

The agencies want banks to adopt "multi-factor" approaches for high-risk transactions, or other approaches that address the heightened possibility that client accounts could be infiltrated. Authentication can take three forms, generally: something the user knows (such as a password or number); something the user has (such as a "fob" or a token, devices that plug into their home computer that demonstrates authenticity and generates codes); and something the user is (such as a fingerprint or an eye scan).

The regulators insist that not only is customer account security at risk, but also much more. Preventing electronic money laundering and terrorism financing; decreasing online identity theft; and reducing fraud and ensuring enforceability of online business arrangements all hinge on security being maintained, the regulators state in their announcement.

The clock is ticking ... and some banks are starting from a point of confusion. During ABA's National Conference for Community Bankers earlier this year, panelists from ABA, the agencies, and a vendor addressed the new guidance.

Starting out right

In some quarters, the announcement has been regarded as a mandate for an industrywide switch to multi-factor authentication. This substantially overstates things, according to speaker Jeffrey M. Kopchik, senior policy analyst, FDIC.

"The guidance does not mandate multifactor authentication," said Kopchik. "It calls for adequate security, and multi-factor is one way of doing it."

There was a method to the agencies' missive, according to Kopchik. Mandating a specific security regimen in a formal guidance would have been futile, and was rejected, he said, because the pace of change in this area is so rapid that maintaining a "state of the art" regulatory document would require reissuances at six-month intervals. Today's iron-clad protection is tomorrow's busted technology.

More formally, Kopchik said this is the proviso bankers should be hewing to:

"Where single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks."

Kopchik told bankers this implies that:

* They should realize that, overall, they are expected to "step it up a notch" in online security. They are obligated, if they provide an online delivery channel to customers, to make it a secure one.

* They should understand that the regulators consider the timeline established to be "aggressive, but reasonable."

* Examiners will review compliance efforts on a case-by-case basis.

Bankers' Top Ten questions

Kopchik then presented answers to the ten questions the agencies have been receiving most frequently from the industry:

10 Is there an approved list of solutions? …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.