#1571073 - 06/28/11 09:36 PM FFIEC Authentication Guidance
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
Hooray it's finally here... and we thought DFA was tough... at least we know about "banking."

Most of us don't know enough about Technology to pull this off! Good luck everybody!

FFIEC Final Authentication Guidance
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.

MBA Fin/MBS HR

My views only!

#1571265 - 06/29/11 01:34 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
DEL Offline
Platinum Poster
Joined: Oct 2002
Posts: 726
Maine
I've just been reading through this- it looks very similar to the required SCI program at this point - assess the risk, show why the "layers" you have chosen address these risks. It seems like our need for the technology and non-technology areas of the bank to work together is increasing.

#1572156 - 06/30/11 02:37 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
On Friday, July 8th, beginning at 11:00am CDT, CoNetrix and the Michigan Bankers Association (MBA) are sponsoring a Free webinar reviewing the FFIEC Supplemental Guidance on Internet Banking Authentication. You can register by going directly to FFIEC Supplemental Guidance on Internet Banking Authentication webinar
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1575324 - 07/07/11 10:24 PM Re: FFIEC Authentication Guidance [Re: Russ Horn]
Lele Offline
Platinum Poster
Lele
Joined: Feb 2007
Posts: 817
In the Sun
The Guidance mentions having more active consumer awareness & education efforts. We were thinking about having a brochure. Does anyone have one to use as a sample that they are willing to share?
_________________________
Faith is seeing light with your heart when all your eyes see is darkness...

#1579467 - 07/18/11 07:33 PM Re: FFIEC Authentication Guidance [Re: Lele]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, my Internet banking vendor's token based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?
_________________________
"Only a dead fish goes with the flow."

#1579500 - 07/18/11 08:07 PM Re: FFIEC Authentication Guidance [Re: VMdude]
danyielg Offline
Gold Star
danyielg
Joined: Jun 2007
Posts: 367
OK
I just posted a similar question. lol
Can you imagine how many times we're gonna have to explain how to use a token? And then to replace them each time they get lost, at our expense? Oh, and as I'm typing this I get a package from our correspondent bank with new tokens for me because there was a cyber attack on the company that provides our tokens. WOW!
So then who pays for them when that happens to us and we have to reissue every one of our customers' tokens?

#1579509 - 07/18/11 08:11 PM Re: FFIEC Authentication Guidance [Re: danyielg]
Andy_Z Online
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
I have not been through the guidance yet. Are you not able to pass along the cost of replacement tokens as many banks do debit cards?
Last edited by Andy Z; 07/18/11 08:12 PM.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#1580030 - 07/19/11 07:49 PM Re: FFIEC Authentication Guidance [Re: Andy_Z]
BSAguy Offline
Gold Star
Joined: Aug 2007
Posts: 261
Kansas
The thing I find odd is that the OCC has yet to publish anything on this FFIEC guidance while the FDIC put out a FIL over a week ago.

#1580044 - 07/19/11 08:01 PM Re: FFIEC Authentication Guidance [Re: BSAguy]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
I believe the OCC released a Bulletin (OCC 2011-26) titled Authentication in an Internet Banking Environment on June 28, 2011 - basically it is just a statement about the Supplement from the FFIEC with the Supplement attached - see below:

OCC Bulletin 2011-26
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1580535 - 07/20/11 06:20 PM Re: FFIEC Authentication Guidance [Re: Russ Horn]
MidwestCFE Offline
Platinum Poster
MidwestCFE
Joined: Jan 2003
Posts: 514
wish it was the Smoky Mountain...
I came from a bank that used tokens, now I'm at a bank that opted for OOB. Each comes with its own pros/cons, some we didn't expect on either side. No perfect system - all can be bypassed, so you really have to decide what you're willing to pay for, and what amount of headache & pushback you can tolerate from customers... lesser of the evils??
We created a "Customer best Practices for online banking", and that's what we use as one tool in customer education. We still need to revise it for our current online banking system, but we are also creating a personal one.
_________________________
My opinions...you get what you paid for..


#1581803 - 07/22/11 04:12 PM Re: FFIEC Authentication Guidance [Re: MidwestCFE]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
Andy, what bank are you doing business with? Your bank is passing along a debit card replacement fee?? We had to do away with that fee over 8 years ago in order to compete in our market area. I doubt that my community bank could pass on more than $3 of the replacement cost of a token device. If our business customers complain, we are told to refund the fee, so it's easier just to "no charge" them to begin with. Same thing with the Cash Management set-up fee; 95% of them are waived because the customer complains about the $35 one-time charge.

More specifically to the FFIEC questions, my Internet banking vendor is pushing One-Time-Passcodes. Ugh!!! As a customer of a competing bank that uses that method, I hate having to get a phone call or a text message to login. As a banker, I am certainly hoping for an alternative solution.
_________________________
"Only a dead fish goes with the flow."

#1582120 - 07/22/11 08:03 PM Re: FFIEC Authentication Guidance [Re: VMdude]
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
I just read an article... Password Strength which highlights that while most users are MO-rons when it comes to password strength and security... the fact we, and our service providers, allow them to be is the problem.

A previous poster is right, all systems have flaws, and customer inconvenience is a big concern... but we can and should do better with our user policies. I mean internally to our bank I have like a dozen logins of all varying lengths of all varying change cycles, it's confusing, but if we didn't we would be killed by our regulators... We should expect similar from our customers, and if they want to be silly and use simple ones or write them down for the world to see, that really becomes their problem... not ours. The more we fight it, the more we will end up in bad shape as breaches occur. Just my opinion though...
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.

MBA Fin/MBS HR

My views only!

#1587160 - 08/03/11 07:31 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
Bobw Offline
Gold Star
Bobw
Joined: Nov 2006
Posts: 336
New England
Does anyone have a risk assessment template they used that they are willing to share? I would like to update mine, and was wondering what others might look like?

Thanks if you can assist
_________________________
just my opinion, based on my 30+ years

GO RED SOX!!!

#1587166 - 08/03/11 07:44 PM Re: FFIEC Authentication Guidance [Re: Bobw]
Double U Offline
100 Club
Double U
Joined: Jul 2008
Posts: 219
BBN
I have one that I obtained through another source. Of course, the one I have may need to be tweaked a little to meet some of the new authentication guidance. I would be willing to share if you are interested.

#1587171 - 08/03/11 07:43 PM Re: FFIEC Authentication Guidance [Re: Double U]
Bobw Offline
Gold Star
Bobw
Joined: Nov 2006
Posts: 336
New England
that would be great, thx
_________________________
just my opinion, based on my 30+ years

GO RED SOX!!!

#1587186 - 08/03/11 08:04 PM Re: FFIEC Authentication Guidance [Re: Double U]
Baseball2013 Offline
Member
Baseball2013
Joined: Sep 2006
Posts: 70
We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.

We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).

We're also looking at implementing a solution which helps protect against malware which may have unknowingly been installed on our end-users' computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.

#1587260 - 08/03/11 09:16 PM Re: FFIEC Authentication Guidance [Re: Baseball2013]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
Promotion of webinars and conferences must be approved by management and for vendors, through Tobi, Tobi@bankersonline.com.

Next Thursday, Aug. 3rd, we have a free webinar over the FFIEC Supplemental Guidance on Internet Banking Authentication. You can register by going to the FFIEC Supplemental Guidance on Internet Banking Authentication webinar page (http://www.conetrix.com/Webinars.aspx) or directly at ww2.gotomeeting.com/register/824743394.

Thanks,
Russ
Last edited by Andy Z; 08/07/11 11:34 PM.
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1587560 - 08/04/11 03:43 PM Re: FFIEC Authentication Guidance [Re: Russ Horn]
Al Miller Offline
Diamond Poster
Al Miller
Joined: Oct 2000
Posts: 2,416
Pleasanton CA USA
Russ, you must use a special calendar. grin

By my calendar, next Thursday is the 11th, and I'll be on the line.


Al
_________________________
Al Miller, CRCM
Opinions expressed are my own and not necessarily shared by my employer.

#1587675 - 08/04/11 05:42 PM Re: FFIEC Authentication Guidance [Re: Al Miller]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
Al, you are right... my bad... Thursday, the 11th blush
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1587732 - 08/04/11 06:38 PM Re: FFIEC Authentication Guidance [Re: VMdude]
MidwestCFE Offline
Platinum Poster
MidwestCFE
Joined: Jan 2003
Posts: 514
wish it was the Smoky Mountain...
Originally Posted By: atmdude
In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, my Internet banking vendor's token based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?

We use Guardian for personal & business. There are 2 kinds, one does logins only and the full integration will monitor amounts, etc.
We also use OOB instead of tokens - seemed much better option. Both have pros/cons.
_________________________
My opinions...you get what you paid for..


#1587733 - 08/04/11 06:41 PM Re: FFIEC Authentication Guidance [Re: Baseball2013]
MidwestCFE Offline
Platinum Poster
MidwestCFE
Joined: Jan 2003
Posts: 514
wish it was the Smoky Mountain...
Originally Posted By: Baseball2011
We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.

We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).

We're also looking at implementing a solution which helps protect against malware which may have unknowingly been installed on our end-users' computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.


I would NOT go with email for your OOB passwords. Hard lesson learned... when the hackers get into the victim's computer, they are often getting their emails too. So sending the secure access code to email, it will be obtained by the hacker... speaking from experience.
_________________________
My opinions...you get what you paid for..


#1595802 - 08/24/11 04:13 PM Re: FFIEC Authentication Guidance [Re: MidwestCFE]
Baseball2013 Offline
Member
Baseball2013
Joined: Sep 2006
Posts: 70
We've also looked into PhoneFactor, Entrust, Trusteer, SilverTail Systems and ThreatMetrix as other options - and are still evaluating.

#1596412 - 08/25/11 03:08 PM Re: FFIEC Authentication Guidance [Re: Baseball2013]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
Thanks for listing the vendors that you are evaluating. There are a couple there that I have not reviewed. Next week I will be evaluating IDology. I stumbled across them in my research. I am looking for something effective, yet as unobtrusive as possible. That is probably just a dream.
_________________________
"Only a dead fish goes with the flow."

#1609425 - 09/27/11 06:08 PM Re: FFIEC Authentication Guidance [Re: VMdude]
ndbanker Offline
Member
Joined: Jan 2006
Posts: 68
We have work to do regarding the customer education requirements of the supplemental guidance. Has anyone partnered with a vendor to provide the content for educating customers? If so, can you share the vendor name and whether you have been satisfied?

#1610175 - 09/28/11 07:38 PM Re: FFIEC Authentication Guidance [Re: ndbanker]
Andy_Z Online
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
Just throwing out that discussions about vendors need to be in the Private forums. What is here, listings, is fine, but critiques are different, if you take it to that level.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#1619414 - 10/25/11 01:36 AM Re: FFIEC Authentication Guidance [Re: Double U]
Renee L. Offline
New Poster
Renee L.
Joined: Aug 2009
Posts: 19
Double U, I would love to have a copy, if you'd care to share. Just don't know exactly where to start. (And by the way, Go CATS! Love your avatar.)
Last edited by Renee L.; 10/25/11 01:40 AM.
#1624767 - 11/04/11 07:34 PM Re: FFIEC Authentication Guidance [Re: Renee L.]
New Manager Offline
100 Club
Joined: Jan 2004
Posts: 133
Does anyone have a risk assessment template they would be willing to share? I am having a difficult time finding something. I'd rather not go the route of a narrative, but will if necessary. Thanks.

#1625016 - 11/07/11 03:35 PM Re: FFIEC Authentication Guidance [Re: New Manager]
mattm Offline
New Poster
Joined: Nov 2011
Posts: 5
Does anyone have a risk assessment and customer education letter template you would be willing to share?

Thanks!!

#1625180 - 11/07/11 06:51 PM Re: FFIEC Authentication Guidance [Re: mattm]
Beachbum, CRCM Offline
Gold Star
Joined: Dec 2006
Posts: 479
Knee Deep in Regs
echoing mfbmatt's request for a customer education letter template to use as a starting point. smile
_________________________
What we think, we become.
Buddha

#1626271 - 11/09/11 02:52 PM Re: FFIEC Authentication Guidance [Re: Beachbum, CRCM]
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,322
"...Somewhere in Middle Americ...
What are your plans for the customer education piece? A competitor of ours says they are contracting with a vendor to deliver a newsletter periodically. I don't have any more details. Are you mailing? Posting on website? Taking the newsletter approach?

#1629889 - 11/17/11 07:51 PM Re: FFIEC Authentication Guidance [Re: Cornfed Turtle]
EmilyAnn Offline
Gold Star
Joined: Jul 2007
Posts: 273
The San Francisco FRB webinar "Responding to the Cyber Threat: Interagency Supplement to Authentication in an Internet Banking Environment" conducted today (11/17/11) is worth listening to.

http://www.frbsf.org/banking/events/

#1630002 - 11/17/11 10:10 PM Re: FFIEC Authentication Guidance [Re: EmilyAnn]
AnnR Offline
New Poster
Joined: Jun 2011
Posts: 7
Winfield, KS
I also am looking for a risk assessment template from anyone willing to share. Thank you!

#1631677 - 11/22/11 09:35 PM Re: FFIEC Authentication Guidance [Re: AnnR]
complylady Offline
Platinum Poster
complylady
Joined: Jul 2002
Posts: 614
Michigan
Bumping this back to the top. Has anyone created an Internet Banking Authentication notification form/letter for customers yet? And what are you putting on your bank website for customer information? Thanks.

#1631708 - 11/22/11 10:02 PM Re: FFIEC Authentication Guidance [Re: complylady]
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
I'm having trouble finding anything specific on this one way or another. Does it state anywhere when it is required to send out the customer education piece?
We have a basic idea of what we want to say, and can put it on the back of one of our monthly newsletters, but January's is already occupied with privacy info and we'd rather not have a second sheet, so they'd like to wait until February to send this out if possible. Any ideas?
_________________________
Someone's about to get horned!

#1634126 - 12/01/11 03:47 PM Re: FFIEC Authentication Guidance [Re: Matt_B]
WHAT ?!?! Offline
Member
WHAT ?!?!
Joined: Dec 2006
Posts: 67
I was curious to know how many banks have completed this or is everyone still figuring out what additional controls they are going to use and how to communicate all of this information to their customers.

#1634219 - 12/01/11 05:16 PM Re: FFIEC Authentication Guidance [Re: WHAT ?!?!]
califgirl Offline
Diamond Poster
califgirl
Joined: Mar 2002
Posts: 2,355
The O.C., California
In relation to customer education, this site was recommended on another banking board. I'm thinking of linking it from our bank website.
http://onguardonline.gov/
_________________________
I can explain it to you. I can't understand it for you.

#1634340 - 12/01/11 07:16 PM Re: FFIEC Authentication Guidance [Re: califgirl]
'Lil Freak! Offline
10K Club
'Lil Freak!
Joined: Sep 2005
Posts: 10,595
The psych ward
We're doing the same as califgirl.
_________________________
No, I didn't lose my mind. It got scared and ran away.

#1634880 - 12/02/11 07:07 PM Re: FFIEC Authentication Guidance [Re: 'Lil Freak!]
banker1975 Offline
New Poster
Joined: Nov 2011
Posts: 5
Will FDIC approve this as "customer education" if the link is the only thing that is provided?

#1635635 - 12/06/11 12:34 AM Re: FFIEC Authentication Guidance [Re: banker1975]
mmumm Offline
100 Club
Joined: Jul 2008
Posts: 163
Santa Cruz, California
We are looking into brochures by Bankstuffers and ABA, and the FDIC also has a short video which they encourage us to post on our website.

However, I think we'll need to supplement with a notice of our own, as the brochures don't contain bank-specific info about the Reg E protections provided, under what circumstances we would contact our customers to request their e-banking credentials, or a list of the bank's contacts for reporting info-security related events...

#1639363 - 12/15/11 03:17 PM Re: FFIEC Authentication Guidance [Re: EmilyAnn]
QCL Offline

Power Poster
QCL
Joined: May 2002
Posts: 6,255
NW IL
Originally Posted By: EmilyAnn
The San Francisco FRB webinar "Responding to the Cyber Threat: Interagency Supplement to Authentication in an Internet Banking Environment" conducted today (11/17/11) is worth listening to.

http://www.frbsf.org/banking/events/


Did anyone else listen to this?

If you have not listened to it - a word of warning - there are 2 clowns from the Fed in the background that are whispering the entire hour.
_________________________

#1641099 - 12/20/11 05:44 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
Tigg Offline
Power Poster
Tigg
Joined: Jan 2008
Posts: 6,389
Looking for My Happy Place....
The consumer education piece seems to be fairly easy to fulfill with free brochures, educational materials available at the FTC and the onlineonguard.gov websites.

Can anyone share how they are planning to educate their commercial customers and where you are finding any resources? Everything I've seen is geared toward consumers and kids.

Thanks.
_________________________
What would you do if you knew you could not fail? ~ Dr. R Schuller

My opinion only.

#1641932 - 12/21/11 07:15 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
LA LA Offline
Junior Member
Joined: Nov 2008
Posts: 38
I agree Tigg. I am having a hard time coming up with something for business customers.

I found where there's been a referral to this site where businesses can find cyber security resources at http://www.us-cert.gov/. However, I can't seem to find any literature for distribution.

If someone has something, please let me know. Thanks.

#1642328 - 12/22/11 04:07 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
BSARocksagain Offline
Member
BSARocksagain
Joined: May 2010
Posts: 67
Maryland
Did anyone write a low-tech controls memo to bridge over until automated controls are in place or did you incorporate this into your Information Security Policy?

#1643526 - 12/27/11 09:41 PM Re: FFIEC Authentication Guidance [Re: BSARocksagain]
sammylou Offline
100 Club
Joined: May 2001
Posts: 184
the tundra
We found a pretty good article that we intend to start with from a business education perspective. We will provide it to all existing business online banking customers and then new ones at the point of registration.

http://www.fsisac.com/files/public/db/p265.pdf

Seems very comprehensive and written in language most can understand.
_________________________
The views expressed are not necessarily those of my employer.

#1645094 - 12/30/11 10:23 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
Compl101TX Offline
Gold Star
Compl101TX
Joined: Aug 2010
Posts: 378
W. TX
How can we comply with this part of the guidance on customer education?

-An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.

Any suggestion will be greatly appreciated!
_________________________
My opinion only.
AVP-Compliance

#1646488 - 01/05/12 04:28 PM Re: FFIEC Authentication Guidance [Re: Double U]
JamesH Offline
Member
Joined: Jun 2008
Posts: 50
Would you be willing to share the risk assessment with me too? I'm having trouble developing ours too.

James

#1646538 - 01/05/12 05:18 PM Re: FFIEC Authentication Guidance [Re: Compl101TX]
VMack Offline
Platinum Poster
Joined: Jun 2001
Posts: 833
Texas
Originally Posted By: E F B
How can we comply with this part of the guidance on customer education?

-An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.

Any suggestion will be greatly appreciated!


I am at a loss as to how to incorporate language to meet this requirement into our customer education material. I know that the intent is to let our commercial customers know that "hey, Reg. E protections will not apply!" Has anyone had any thoughts about what this will look like in print? Thanks.
_________________________
VMACK
CRCM

“The wise know their limitations; the foolish do not.”
Benjamin Hoff, The Tao of Pooh

#1656256 - 01/26/12 02:47 PM Re: FFIEC Authentication Guidance [Re: califgirl]
Midnight Offline
Member
Midnight
Joined: Jun 2008
Posts: 69
Upper Mid West
Looks like onguardonline.gov has been hacked... See news link below.

http://www.pcadvisor.co.uk/news/security/3332466/us-government-online-security-website-hacked/

#1658437 - 01/31/12 05:48 PM Re: FFIEC Authentication Guidance [Re: ndbanker]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
I have just been told by an associate that Gladiator Technologies offers a 15 minute training video that can be customized with the bank's logo that addresses all the areas of customer awareness. Some banks are making the video mandatory for all new business banking clients that have ACH and wire TRF capability. Apparently there is a dashboard that provides excellent reporting for examiners. It might be worth a look.
_________________________
"Only a dead fish goes with the flow."

#1664521 - 02/13/12 11:58 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
dg Offline
Platinum Poster
Joined: Jan 2005
Posts: 811
Pacific NW
Has anyone added any of this guidance or referred to it, into their BSA Policy or Program?

#1721380 - 07/18/12 09:20 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
DD Regs Offline
Power Poster
DD Regs
Joined: Nov 2008
Posts: 4,132
Somewhere in the middle
We use OOB method. If a client states they can't use OOB, would we be able to have them sign a waiver stating they hold us blameless if their system is compromised?
_________________________
I'm only responsible for what I say, not for what you understand.

#1722155 - 07/22/12 11:17 AM Re: FFIEC Authentication Guidance [Re: AFaquir]
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 74,437
Galveston, TX
Knowingly providing services in less than what is believed to be a secure environment would probably be a little hard to defend regardless of any such hold harmless agreement. That customer is either able to comply or cannot use the services is the only logical approach.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1724628 - 07/27/12 11:19 PM Re: FFIEC Authentication Guidance [Re: DD Regs]
Andy_Z Online
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
Originally Posted By: DD Regs
If a client states they can't use OOB, would we be able to have them sign a waiver stating they hold us blameless if their system is compromised?


Read the PATCO decision or tune into this webinar. http://calendar.bollearningconnect.com/main.php?view=event&eventid=1341926976105

Banks are losing these suits as there are disputes over which system was compromised, was security adequate and now, was it reasonable.

A waiver isn't reasonable.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell


Moderated by:  Andy_Z