Ware, Viveca, Independent Banker
Complying with authentication guidance mandates
Financial institutions of all sizes and charter types have roughly 60 days to comply with the guidance governing authentication requirements for Internet-based financial services. The October 2005 guidance, "Authentication in an Internet Banking Environment," was a surprise to many given the absence of a formal industry comment period.
Initially, the Federal Financial Institutions Examination Council (FFIEC) guidance was portrayed as mandating two-factor authentication. In fact, it does not specifically require banks to institute two-factor or multi-factor authentication, nor does it prescribe a particular technology, but rather focuses on risk management.
The guidance does require banks to perform a risk-based assessment of security measures consumer and commercial customers use to access Internet banking and electronic banking applications, including telephone banking systems and call centers. It does not apply to debit or credit cards.
In addition to performing a risk assessment, banks must employ technologies (other than single-factor authentication) to further protect high-risk transactions involving access to customer information or the movement of funds to other parties. Acceptable technologies include multi-factor authentication, layered security or other controls.
A number of factors, including the availability and customer acceptance of Internet/electronic banking applications; growing concerns regarding online banking transaction security given the rise in data breaches, phishing, pharming and malware; and technological advances propelled the FFIEC's decision to issue the guidance. "The regulators expect financial institutions to 'step it up a notch' in terms of online security," according to Michael L. Jackson, associate director of the FDIC's division of supervision and consumer protection, technology supervision branch. "Moreover, providing a safe online banking channel is consistent with banks' traditional role as trusted intermediaries and stewards of customers' financial information and assets."
The risk assessment process cannot be circumvented even if banks and their customers have not experienced fraud or identity theft involving Internet or electronic banking systems. And banks cannot forgo the risk assessment process and proceed to implement multi-factor authentication, layered security or other controls.
Fortunately or unfortunately, there is no template for the required risk assessments. The risk assessment should consider the risks of phishing, pharming, malware, reputation risk, customer harm, transaction risk and any other identified threats. The "Small Entity Compliance Guide for the Interagency Guidelines Establishing Information Security Standards" and the "FFIEC IT Examination Handbook, Information Security Booklet" contain general information on risk assessments. The risk assessment process, findings and remediation solutions should be documented.
Banks cannot outsource risk management responsibilities. Client banks of third-party solution providers are still responsible for ensuring that their vendor's process is documented and accurate, and that the solutions are appropriate for the bank and its customers.
Risk assessments must be updated any time there are changes in technology or information systems, the sensitivity of customer information, threats, or business arrangements. …