
Page 1

New FFIEC Guidance on Strong Authentication

Technology Supervision Branch

ABA Webcast, January 11, 2006

Page 2

Agenda

• Background on new guidance
• Summary
• Key Points
• What does this mean to the financial services industry
• FAQs

Page 3

Background

• FFIEC guidance entitled: “Authentication in an Internet Banking Environment”
• Updates & replaces 2001 guidance
• Published October 12, 2005; compliance expected by year-end 2006
• Issued by FFIEC
• Agencies intended to be proactive, not reactive
• FDIC FIL-103-2005

Page 4

Background

• Work on this project began over 1 year ago:
  – FDIC ID Theft Study (12/04)
  – FFIEC Symposium on authentication (3/05)
  – FDIC ID Theft Study Supplement (6/05)
  – FDIC ID theft symposiums
• Time was right for guidance:
  – Customer concerns are negatively affecting growth of online banking and commerce
  – Technologies are maturing, becoming more effective, easier to use and more affordable

Page 5

Summary

• Regulators expect financial institutions to use stronger methods to authenticate the identity of customers using Internet-based products and services

• Regulators expect FIs to perform a risk assessment to determine effective authentication strategies according to the risks associated with the products and services they offer online

Page 6

Key Points

• Agencies consider single-factor authentication (i.e., a password alone), as the only control mechanism, to be inadequate for high-risk transactions

• High-risk transactions involve movement of funds to other parties (even within FI) or access to customer information

Page 7

The Key Point!

Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks

Page 8

What Does This Mean to the Industry

• Regulators expect financial institutions to “step it up a notch” in terms of online security

• FIs have an obligation to secure a delivery channel they built and have made available to consumers

• Time-frame for compliance is aggressive, but reasonable

• Examiners will review compliance efforts on a case-by-case basis

Page 9

What Does This Mean to the Industry

• Guidance is flexible; does not mandate a specific technology solution

• Regulators expect new technologies to continue to be introduced

• Special considerations for FIs affected by recent hurricanes

Page 10

Frequently Asked Questions

• Is there an “approved” list of solutions?
• Is the Appendix an exclusive list of solutions?
• Is it acceptable for an FI to just complete its risk assessment by year-end 2006?
• Do the regulators expect FIs to run out and buy hardware tokens for all their customers?
• Is there a template for the risk assessment?
• Are agencies considering additional guidance in this area?

Page 11

Frequently Asked Questions

• Can an FI do a risk assessment & decide that stronger authentication is unnecessary even though the system permits high-risk transactions?

• Can an FI rely on its service provider’s risk assessment?

• Can an FI permit customers to opt out of the stronger authentication?

• Does the guidance cover telephone banking?

Page 12

Thank You

• Jeffrey M. Kopchik
  – Senior Policy Analyst
  – Division of Supervision and Consumer Protection, Technology Supervision Branch
  – Washington, DC