I've had an examiner in the bank this week doing an IT exam and thought I would pass along what he said about MFA in general, as well as the infamous risk assessment.
First, I feel like I was ahead of the game in that I had my comprehensive risk assessment complete and submitted to the board, have narrowed down my choice of product we will probably use, have obtained information from our provider of what they will offer, and have tested and used the product we are looking at.
I can tell you that if I had not had all of this already done I would have been in deep doo-doo. He completely expected that I would be at this point. And he even expected more! He wanted to know what the product is going to cost and if that was the main consideration in our choice. Even though I had documentation from our provider of dates when their solution would be available, he kept pushing for a more concrete implementation date. All this even after I had a document in writing from our provider that the product would absolutely allow compliance by year end, and my statement that if the provider somehow ran into problems we had a backup plan to contract directly with another company.
Then, the other thing that was crazy is he kept saying over and over that the risk assessment must "match" the solution you select. And not on a global basis, but on a transaction by transaction basis. I tried to tell him that our internet banking product, as well as the MFA solution, does not allow the authentication to be tailored to transaction types - that our solution would be for the entire internet banking product, not just certain transaction types. And then he said that constant "tweaking" to the risk assessment would be necessary to ensure that the solution we chose continued to "match" up with the risk assessment.
He also had an internal regulatory document with questions he used for the exam. Sure would be helpful if the banks actually had access to what the examiners are expecting when they walk in our doors!
Is this crazy or what??