Skip to content
BOL Conferences
Thread Options
#604294 - 08/24/06 02:47 PM MFA Risk Assessment - From the examiner's mouth
Rubaiyat Offline
Diamond Poster
Joined: Jun 2001
Posts: 1,373
Lido Deck
I've had an examiner in the bank this week doing an IT exam and thought I would pass along what he said about MFA in general, as well as the infamous risk assessment.

First, I feel like I was ahead of the game in that I had my comprehensive risk assessment complete and submitted to the board, have narrowed down my choice of product we will probably use, have obtained information from our provider of what they will offer, and have tested and used the product we are looking at.

I can tell you that if I had not had all of this already done I would have been in deep doo-doo. He completely expected that I would be at this point. And he even expected more! He wanted to know what the product is going to cost and if that was the main consideration in our choice. Even though I had documentation from our provider of dates when thei solution would be available he kept pushing for a more concrete implementation date. All this even after I had a document in writing that from our provider that the product would absolutely allow compliance by year end and my statement that if the provider somehow ran into problems that we had a back up plan to contract directly with another company.

Then, the other thing that was crazy is he kept saying over and over that the risk assessment must "match" the solution you select. And not on a global basis, but on a transaction by transaction basis. I tried to tell him that our internet banking product, as well as the MFA solution, does not allow the authentication to be tailored to transaction types - that our solution would be for the entire internet banking product, not just certain transaction types. And then he said that constant "tweaking" to the risk assessment would be necessary to ensure that the solution we chose continued to "match" up with the risk assessment.

He also had in internal regulatory document with questions he used for the exam. Sure would be helpful if the banks actually had access to what the examiners are expecting when they walk in our doors!

Is this crazy or what??
_________________________
--A bad day at sea is better than a good day at work.

Return to Top
eBanking / Technology
#604295 - 08/24/06 04:04 PM Re: MFA Risk Assessment - From the examiner's mouth
califgirl Offline
Diamond Poster
califgirl
Joined: Mar 2002
Posts: 2,355
The O.C., California
Of course it's crazy!

Which regulator do you have? and, if you don't mind saying, who is your internet banking provider?

Do you have telephone banking, and did you address this?

My exam is coming in the next couple of months, so I'm a little anxious about this topic.
_________________________
I can explain it to you. I can't understand it for you.

Return to Top
#604296 - 08/24/06 06:29 PM Re: MFA Risk Assessment - From the examiner's mouth
Rubaiyat Offline
Diamond Poster
Joined: Jun 2001
Posts: 1,373
Lido Deck
I sent you a PM.
_________________________
--A bad day at sea is better than a good day at work.

Return to Top
#604297 - 08/25/06 01:15 PM Re: MFA Risk Assessment - From the examiner's mouth
KYAuditor Offline
100 Club
KYAuditor
Joined: Jan 2003
Posts: 138
Kentucky
We are scheduled for an exam in a couple of months and are not nearly as far along in the process as you are. Please share who your regulator is and what types of electronic banking products/services your bank offers. Any additional input that may help would be appreciated.

Thank you
_________________________
Just my 2 cents worth--for what its worth!!

Return to Top
#604298 - 08/25/06 03:21 PM Re: MFA Risk Assessment - From the examiner's mouth
MaryRink Offline
Gold Star
Joined: Jul 2003
Posts: 306
Northern MN
I would be interested in finding out also. You can PM me if you would prefer.

Return to Top
#604299 - 08/25/06 06:53 PM Re: MFA Risk Assessment - From the examiner's mouth
Dip Offline
Power Poster
Dip
Joined: Mar 2005
Posts: 6,298
San Diego, CA
Quote:

I sent you a PM.




hey! share the wealth!

it would be very valuable to knwo which regulator this was. i have a contact in IT at the OCC and he told me my risk assessment was fine. out IT exam begins in a couple weeks with the occ, so i'd really liek to knwo what to expect.
_________________________
Dabbling in banking, law, accounting...the life of a trustee.

Return to Top
#604300 - 08/25/06 08:28 PM Re: MFA Risk Assessment - From the examiner's mouth
Rubaiyat Offline
Diamond Poster
Joined: Jun 2001
Posts: 1,373
Lido Deck
Ok, ok, it was the OCC.
_________________________
--A bad day at sea is better than a good day at work.

Return to Top

Moderator:  Andy_Z