New FFIEC Guidance on Strong Authentication

1. New FFIEC Guidance on Strong Authentication ABA Webcast January 11, 2006

2. Agenda • Background on new guidance • Summary • Key Points • What does this mean to the financial services industry • FAQs

3. Background • FFIEC guidance entitled: “Authentication in an Internet Banking Environment” • Updates & replaces 2001 guidance • Published October 12, 2005; compliance expected by year-end 2006 • Issued by FFIEC • Agencies intended to be proactive, not reactive • FDIC FIL-103-2005

4. Background • Work on this project began over 1 year ago: • FDIC ID Theft Study (12/04) • FFIEC Symposium on authentication (3/05) • FDIC ID Theft Study Supplement (6/05) • FDIC ID theft symposiums • Time was right for guidance: • Customer concerns are negatively affecting growth of online banking and commerce • Technologies are maturing, becoming more effective, easier to use and more affordable

5. Summary • Regulators expect financial institutions to use stronger methods to authenticate the identity of customers using Internet-based products and services • Regulators expect FIs to perform a risk assessment to determine effective authentication strategies according to the risks associated with the products and services they offer online

6. Key Points • Agencies consider single-factor authentication (i.e., password), as the only control mechanism, to be inadequate for high-risk transactions • High-risk transactions involve movement of funds to other parties (even within FI) or access to customer information

7. The Key Point! Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks

8. What Does This Mean to the Industry • Regulators expect financial institutions to “step it up a notch” in terms of online security • FIs have an obligation to secure a delivery channel they built and have made available to consumers • Time-frame for compliance is aggressive, but reasonable • Examiners will review compliance efforts on a case-by-case basis

9. What Does This Mean to the Industry • Guidance is flexible; does not mandate a specific technology solution • Regulators expect new technologies to continue to be introduced • Special considerations for FIs affected by recent hurricanes

10. Frequently Asked Questions • Is there an “approved” list of solutions? • Is the Appendix an exclusive list of solutions? • Is it acceptable for an FI to just complete its risk assessment by year-end 2006? • Do the regulators expect FIs to run out and buy hardware tokens for all their customers? • Is there a template for the risk assessment? • Are agencies considering additional guidance in this area?

11. Frequently Asked Questions • Can FI do a risk assessment & decide that stronger authentication is unnecessary even though the system permits high-risk transactions? • Can FI rely on its service provider’s risk assessment? • Can FI permit customers to opt-out of the stronger authentication? • Does the guidance cover telephone banking?

12. Thank You • Jeffrey M. Kopchik • Senior Policy Analyst • Division of Supervision and Consumer Protection, Technology Supervision Branch • Washington, DC