BOL Conferences
#480242 - 01/09/06 07:20 PM Internet Banking Authentication Risk Assessment
btfitz0 Offline
New Poster
Joined: May 2005
Posts: 14
Has anyone completed their risk assessment for Internet Banking authentication? Would anyone have a matrix for this that they would be willing to share? This is the first risk assessment I have been tasked with and I am having a hard time getting started. Thanks for the help.

#480243 - 01/13/06 02:04 PM Re: Internet Banking Authentication Risk Assessment
btfitz0 Offline
New Poster
Joined: May 2005
Posts: 14
So if no one has a matrix yet, when are you planning on doing your risk assessment and where do you plan on getting the information to develop your matrix then? I have seen one source that recommended doing the risk assessment in January, examining products in the next six months, and choosing a product and working on implementation the last six months of the year to meet the deadline. Any comments?
Last edited by btfitz0; 01/13/06 02:05 PM.
#480244 - 01/24/06 02:27 PM Re: Internet Banking Authentication Risk Assessment
btfitz0 Offline
New Poster
Joined: May 2005
Posts: 14
No one is worried about this?

#480245 - 01/24/06 06:01 PM Re: Internet Banking Authentication Risk Assessment
KrisH Offline
Gold Star
KrisH
Joined: Mar 2003
Posts: 358
Massachusetts
I personally don't really understand why a risk assessment is necessary (other than because the regulators say so, obviously), since the guidance has been pretty clear about what conditions will require you to have multi-factor authentication or not. My impression has been that if a customer can even *look* at his account on internet banking, without being able to do anything else, it's still considered a "high risk" account, and will require multi-factor authentication.

At least that's our standpoint, and I'd be interested to hear if any other bank came up with something different. Our customers are pretty limited in what they can do on our internet banking product. They can look at their statements, individual check images, and make transfers between accounts they have with us. If they've signed up for bill-payment, they can do that as well. That's it. No new accounts can be opened, no loan applications, no wire transfer requests, etc. I envision our risk assessment looking something like a grid that lists all the transactions that can be made on online banking on the left side, and the words "high risk" written next to every single one.

I realize I may sound a bit flippant about this whole thing, but honestly, it's pretty clear to me that the regulators want *all* banks, without exception, to go to a multi-factor method of authentication. Why make us jump through a hundred hoops with a "risk assessment"? Just put out a statement that says it will be required, end of story.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.

#480246 - 01/24/06 06:05 PM Re: Internet Banking Authentication Risk Assessment
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
Some of us are waiting a bit longer for our online banking vendors to finalize their solution before making a final selection and purchasing a technical solution or solutions.

You may want to re-read the Guidance for tips on where to start on your risk assessment. In summary, it says:

"The risk assessment process should:
• Identify all transactions and levels of access associated with Internet-based customer products and services;
• Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
• Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access."
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#480247 - 01/25/06 04:26 PM Re: Internet Banking Authentication Risk Assessment
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
Quote:
• Identify all transactions and levels of access associated with Internet-based customer products and services;

Something folks might be missing here. Sure many of us have online banking and we are most concerned about that. However I don't think the guidance is restricted to it. Banks have other products they offer via the web, and some of them may not be transactional in nature. I expect that the regulators will want those included in your risk assessment, just to prove that you've considered other potential risks. Take online loan applications for instance. Depending on how it is done, this could be anywhere from low risk to high risk, and it's likely a separate beast from online banking that's offered your customers.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#480248 - 01/25/06 04:44 PM Re: Internet Banking Authentication Risk Assessment
Skyline Offline
Platinum Poster
Skyline
Joined: Sep 2005
Posts: 590
Czargazer is right, we are looking at every communication vehicle via the web. So our risk assessment was not only concerned about the types of accounts, but also the amount of risk associated with all levels of on-line communication.
_________________________
CRCM, CLBB

#480249 - 01/26/06 12:38 PM Re: Internet Banking Authentication Risk Assessment
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,752
On the Net
You may be able to get answers to many nagging questions, and just a plain old better understanding, with this webinar on this precise topic: "Multi-Factor Authentication Issues and Choices," presented by Mary Beth Guard and Jeff Patterson. This is on 02-21-06.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#480250 - 02/07/06 07:01 PM Re: Internet Banking Authentication Risk Assessmen
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,752
On the Net
I listened in today to the Chicago FDIC call on multi-factor authentication. Several good points were made. One was that many bankers are waiting on the vendor to provide the solution, and the banks haven't even done a risk assessment yet. They ask how you'll get answers to the problems, when you don't know what the problems are. They see early indicators that there is an overreliance on service providers. They also indicated that this process should include your telephone banking systems/VRUs.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#480251 - 02/07/06 08:15 PM Re: Internet Banking Authentication Risk Assessmen
Banking Bard Offline
100 Club
Joined: Jul 2005
Posts: 191
Kentucky
I listened to that too. It sounds like they're expecting each bank to be able to defend each part of their risk assessment and have a comprehensive answer of why they chose what they chose at each level. If nothing else, a risk assessment seems like it will save headaches when your examiner asks, "So what risks did you feel were inherent in this activity, and how do you feel that these risks are addressed by the security that you have?" It also sounds like they're expecting a mix of both multi-factoring AND layered security.

I also got the impression that they were worried and nonplussed that many banks appear to simply be waiting to see what their vendors are offering, or have skipped a risk assessment entirely and just decided what they need to do. They seemed to mention the former concern a few different times during the call in an attempt to stress that point.

My biggest concern is with the way cybercrime is evolving, by the time everything is in place, the crooks will just use their own layered techniques to counter everything short of (and possibly up to) a customer token card, so this won't really help resolve the issue that it's focused on. It will, however, eat up a lot of bank resources attempting to put a solution in place.
_________________________
The above is my opinion, and is frequently valued at USD 2¢ or less.

#480252 - 11/03/06 04:34 PM Re: Internet Banking Authentication Risk Assessmen
amwitt Offline
New Poster
Joined: Nov 2006
Posts: 1
New York
At face value it appears that the guidance addresses the consumer's use of Internet Banking. Should Business Customers also be included in not only the risk assessment but also in the final solution?
_________________________
Failing down doesn't make you a failure, staying down does.

#480253 - 11/07/06 05:23 PM Re: Internet Banking Authentication Risk Assessmen
Rettajs Offline
New Poster
Joined: Nov 2006
Posts: 1
New Mexico
Didn't someone make an offer to send a form they had supposedly received from the OCC? Who was that?


Moderator:  Andy_Z