#607339 - 08/30/06 07:07 PM Double Authentication
GorgeS Offline
100 Club
Joined: Apr 2004
Posts: 203
Our bank is about to go to a new internet banking provider and they are offering this double authentication on what they are selling us. First of all, are all banks REQUIRED to have this? Secondly, what agency is mandating that this be done? Thanks.

#607340 - 08/30/06 07:44 PM Re: Double Authentication
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
Yes, banks are required to have multi-factor authentication implemented by December 31, 2006.

Here's a link to the FFIEC press release regarding the issue, from back in October of 2005. It should link you to whatever other information you need.
_________________________
Opinions my own.

#607341 - 08/30/06 08:46 PM Re: Double Authentication
John Burnett Offline
10K Club
Joined: Oct 2000
Posts: 40,086
Cape Cod
Jeff Patterson and Mary Beth Guard are scheduled to deliver a terrific webinar dealing with multi-factor authentication on September 20, 2006. With just four months to go before your bank should have this "buttoned up" -- at least a first time -- this webinar may be just the thing for you to figure out what's up with multi-factor authentication. Click on THIS LINK to learn more.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#607342 - 08/31/06 10:07 PM Re: Double Authentication
GorgeS Offline
100 Club
Joined: Apr 2004
Posts: 203
On the information that you provided me it states, "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." How would you define "high-risk transactions" and "movement of funds to other parties"? Thanks.

#607343 - 08/31/06 11:19 PM Re: Double Authentication
Dazed and Confused Offline
Gold Star
Joined: Feb 2006
Posts: 250
Big XII South
In regard to internet-banking transactions ...

Some examples of high-risk transactions include (a) customer-initiated funds transfer orders; (b) customer-initiated bill-pay requests; and (c) ACH files created by the customer and transmitted to the bank for processing.

Some banks solely rely on the "cookie" that is on the customer's computer to authenticate wire transfer orders and ACH files that are received through the internet-banking system ... meaning if the bank receives the order/file from that computer with the cookie ... it will be processed without further verification procedures. (Because the internet-banking agreement states the customer is responsible for the security of his/her computer and for administering proper security measures over the User ID and password).

As for transactions that involve the movement of funds to other parties ... refer to the applicable examples above.

#607344 - 09/01/06 09:03 PM Re: Double Authentication
BrendaC Offline
Power Poster
Joined: Sep 2001
Posts: 6,029
Sweet Home AL
It is my understanding that we will consider a high risk transaction to be one that is outside of your normal pattern (i.e., different IP address, type of transaction or dollar amount that is unusual for you). If this occurs, you will be prompted for a challenge question before being allowed to proceed.
_________________________
Life without Jesus is like an unsharpened pencil - it has no point.

#607345 - 09/02/06 12:35 AM Re: Double Authentication
Dazed and Confused Offline
Gold Star
Joined: Feb 2006
Posts: 250
Big XII South
BrendaC ... that makes sense. The examples I provided are pretty much run-of-the-mill internet banking transactions ... as opposed to really being "high risk" transactions. But do bill-pay requests and wire transfer orders qualify as "movement of funds to outside parties" ... and if so ... is two-factor authentication then required?

Also ... in regard to the "high risk" definition that you provided (e.g., internet banking activity that is outside the normal pattern of the customer's behavior) ... who establishes the "normal and acceptable" range of activity... the bank or the internet banking service provider?

#607346 - 09/18/06 09:31 PM Re: Double Authentication
Dazed and Confused Offline
Gold Star
Joined: Feb 2006
Posts: 250
Big XII South
The FFIEC guidance defines high-risk transactions as "any system that permits the movement of funds to other parties and/or the access to customer information ... (thus) necessitating stronger authentication or additional controls."

And contrary to prior posts -- including my own -- the agencies do not require multi-factor authentication in all instances. Refer to the inter-agency FAQ that was recently released ...

http://www.ffiec.gov/press/pr081506.htm

#607347 - 09/18/06 10:38 PM Re: Double Authentication
GVM Offline
New Poster
Joined: Aug 2005
Posts: 2
[Does anyone have a Multi-Factor Authentication Risk Assessment example document?]


Moderator:  Andy_Z