1 / 12

New FFIEC Guidance on Strong Authentication

New FFIEC Guidance on Strong Authentication. ABA Webcast January 11, 2006. Agenda. Background on new guidance Summary Key Points What does this mean to the financial services industry FAQs. Background. FFIEC guidance entitled: “ Authentication in an Internet Banking Environment”

norris
Download Presentation

New FFIEC Guidance on Strong Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. New FFIEC Guidance on Strong Authentication ABA Webcast January 11, 2006

  2. Agenda • Background on new guidance • Summary • Key Points • What does this mean to the financial services industry • FAQs

  3. Background • FFIEC guidance entitled: “Authentication in an Internet Banking Environment” • Updates & replaces 2001 guidance • Published October 12, 2005; compliance expected by year-end 2006 • Issued by FFIEC • Agencies intended to be proactive, not reactive • FDIC FIL-103-2005

  4. Background • Work on this project began over 1 year ago: • FDIC ID Theft Study (12/04) • FFIEC Symposium on authentication (3/05) • FDIC ID Theft Study Supplement (6/05) • FDIC ID theft symposiums • Time was right for guidance: • Customer concerns are negatively affecting growth of online banking and commerce • Technologies are maturing, becoming more effective, easier to use and more affordable

  5. Summary • Regulators expect financial institutions to use stronger methods to authenticate the identity of customers using Internet-based products and services • Regulators expect FIs to perform a risk assessment to determine effective authentication strategies according to the risks associated with the products and services they offer online

  6. Key Points • Agencies consider single-factor authentication (i.e., password), as the only control mechanism, to be inadequate for high-risk transactions • High-risk transactions involve movement of funds to other parties (even within FI) or access to customer information

  7. The Key Point! Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks

  8. What Does This Mean to the Industry • Regulators expect financial institutions to “step it up a notch” in terms of online security • FIs have an obligation to secure a delivery channel they built and have made available to consumers • Time-frame for compliance is aggressive, but reasonable • Examiners will review compliance efforts on a case-by-case basis

  9. What Does This Mean to the Industry • Guidance is flexible; does not mandate a specific technology solution • Regulators expect new technologies to continue to be introduced • Special considerations for FIs affected by recent hurricanes

  10. Frequently Asked Questions • Is there an “approved” list of solutions? • Is the Appendix an exclusive list of solutions? • Is it acceptable for an FI to just complete its risk assessment by year-end 2006? • Do the regulators expect FIs to run out and buy hardware tokens for all their customers? • Is there a template for the risk assessment? • Are agencies considering additional guidance in this area?

  11. Frequently Asked Questions • Can FI do a risk assessment & decide that stronger authentication is unnecessary even though the system permits high-risk transactions? • Can FI rely on its service provider’s risk assessment? • Can FI permit customers to opt-out of the stronger authentication? • Does the guidance cover telephone banking?

  12. Thank You • Jeffrey M. Kopchik • Senior Policy Analyst • Division of Supervision and Consumer Protection, Technology Supervision Branch • Washington, DC

More Related