Question: What are the requirements of the October 2005 FFIEC Guidance on, "Authentication in an Internet Banking Environment"?
Answer: The October 12, 2005 FFIEC Guidance, "Authentication in an Internet Banking Environment," when coupled with the August 15, 2006 "Frequently Asked Questions," provides fairly clear requirements for financial institutions. The main thrust of the guidance is that single-factor authentication is no longer an acceptable means of identifying customers who bank via electronic means. Financial institutions must perform a transaction-based risk assessment, from the customer's viewpoint, determine which transactions are "high-risk," and implement risk mitigation strategies by year-end 2006. "From the customer's viewpoint" is important because it requires that financial institutions look at risk from outside of the firewall. The risk assessments that are already in place and currently mandated by the FFIEC IT Handbook are internally facing -- this risk assessment is different.
The August 15, 2006 FAQs expanded the scope to explicitly include both retail and commercial customers, and to apply, in principle, the same theory to the telephone banking, call center and ATM delivery channels. Although the FAQs indicate that financial institutions may rely on their vendors to supply a risk assessment, they strongly advise that the financial institution perform the appropriate due diligence to ensure that the controls listed are in fact implemented, and that the risk assessment applies in its entirety.
To reiterate, the main requirements are: 1) perform a transaction-based risk assessment for online and other electronic delivery channels, 2) develop a mitigation strategy based on that risk assessment, 3) obtain Senior Management and Board approval of the risk assessment and mitigation strategy, 4) implement a customer awareness program, 5) incorporate the risk assessment into the current IT security program and 6) implement the mitigation strategy -- all by year-end 2006.
CC Pace is a financial services consulting firm whose clients include members of the Fortune 100, as well as industry entrants and mid-size firms. CC Pace provides the banking industry the information and services you need to stay competitive in your markets using the best and most secure risk management and mitigation technologies. For additional information please visit our website at www.ccpace.com, call us at 703-631-6600, or email us at info@ccpace.com.