new ffiec guidance on strong authentication

Technology Supervision Branch

New FFIEC Guidance on Strong Authentication

ABA WebcastJanuary 11, 2006

Technology Supervision Branch

Agenda

• Background on new guidance• Summary• Key Points• What does this mean to the financial

services industry• FAQs

Technology Supervision Branch

Background

• FFIEC guidance entitled: “Authentication in an Internet Banking Environment”

• Updates & replaces 2001 guidance• Published October 12, 2005;

compliance expected by year-end 2006• Issued by FFIEC• Agencies intended to be proactive, not

reactive• FDIC FIL-103-2005

Technology Supervision Branch

Background

• Work on this project began over 1 year ago:– FDIC ID Theft Study (12/04)– FFIEC Symposium on authentication (3/05)– FDIC ID Theft Study Supplement (6/05)– FDIC ID theft symposiums

• Time was right for guidance:– Customer concerns are negatively affecting

growth of online banking and commerce– Technologies are maturing, becoming more

effective, easier to use and more affordable

Technology Supervision Branch

Summary

• Regulators expect financial institutions to use stronger methods to authenticate the identity of customers using Internet-based products and services

• Regulators expect FIs to perform a risk assessment to determine effective authentication strategies according to the risks associated with the products and services they offer online

Technology Supervision Branch

Key Points

• Agencies consider single-factor authentication (i.e., password), as the only control mechanism, to be inadequate for high-risk transactions

• High-risk transactions involve movement of funds to other parties (even within FI) or access to customer information

Technology Supervision Branch

The Key Point!

Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks

Technology Supervision Branch

What Does This Mean to the Industry

• Regulators expect financial institutions to “step it up a notch” in terms of online security

• FIs have an obligation to secure a delivery channel they built and have made available to consumers

• Time-frame for compliance is aggressive, but reasonable

• Examiners will review compliance efforts on a case-by-case basis

Technology Supervision Branch

What Does This Mean to the Industry

• Guidance is flexible; does not mandate a specific technology solution

• Regulators expect new technologies to continue to be introduced

• Special considerations for FIs affected by recent hurricanes

Technology Supervision Branch

Frequently Asked Questions

• Is there an “approved” list of solutions?• Is the Appendix an exclusive list of solutions?• Is it acceptable for an FI to just complete its

risk assessment by year-end 2006?• Do the regulators expect FIs to run out and

buy hardware tokens for all their customers?• Is there a template for the risk assessment?• Are agencies considering additional guidance

in this area?

Technology Supervision Branch

Frequently Asked Questions

• Can FI do a risk assessment & decide that stronger authentication is unnecessary even though the system permits high-risk transactions?

• Can FI rely on its service provider’s risk assessment?

• Can FI permit customers to opt-out of the stronger authentication?

• Does the guidance cover telephone banking?

Technology Supervision Branch

Thank You

• Jeffrey M. Kopchik– Senior Policy Analyst– Division of Supervision and

Consumer Protection, Technology Supervision Branch

– Washington, DC