BOL Conferences
#619283 - 09/28/06 03:42 PM FFIEC Guidance on Internet Banking Authentication
Secure Banker Offline
New Poster
Joined: Jan 2006
Posts: 17
In the process of risk assessing our Internet-based products, the question arose: "Is this guidance for customer access only?" The bank accesses and manages customer accounts with a vendor across the Internet. Does this guidance only address customer access or does it include the bank's access to customer accounts with the vendor?

eBanking / Technology
#619284 - 09/29/06 08:11 PM Re: FFIEC Guidance on Internet Banking Authenticat
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,752
On the Net
I believe it is between the customer. But I believe the bank and its vendors are expected to already have higher standards, such as revising passwords every 90 days or so, longer and more difficult passwords, etc.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#619285 - 10/02/06 02:05 PM FFIEC Authentication Guidance - Call Centers
bankaud Offline
New Poster
Joined: Oct 2006
Posts: 3
One of the FAQs that came out on 8/15/06 stated that this guidance applied to call centers. Any ideas on how to implement cost-effective multi-factor authentication at a bank call center? Our customers can request various disbursements from their accounts - wires, ACH, cashier checks, etc.

#619286 - 10/03/06 01:43 PM Re: FFIEC Authentication Guidance - Call Centers
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
If your customers are able to initiate third party payments through your call center, your confirmation of customer identity is critical. There are a number of methods for doing so. One that is quite effective is for the customer to establish a call-back telephone number for the bank to use. When the customer initiates a request, the call center calls the customer back, but only at the pre-determined number. Challenge questions can also be somewhat effective. In both cases, the bank must maintain strict compliance with the routine, and insist that customers adhere to it, too.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#619287 - 10/16/06 06:18 PM Re: FFIEC Authentication Guidance - Call Centers
bankaud Offline
New Poster
Joined: Oct 2006
Posts: 3
Thanks for your reply. Challenge questions are another form of what the customer knows - like an ID and password. We use these already. Call back procedures work if the customer is calling from one of their pre-registered phone numbers but are not efficient. Any other ideas of a something they have or something they are? Voice print authentication (something they are) is expensive and time-consuming to roll out for an Internet bank with no branches. Smart cards that generate random numbers would be another option but again expensive and difficult to maintain across 150,000+ customers. I am hoping that someone out there has a brilliant idea.

#619288 - 10/19/06 03:33 PM Re: FFIEC Authentication Guidance - Call Centers
Geek Offline
New Poster
Joined: Oct 2006
Posts: 5
I would think that if you use challenge questions you would want to have a different set of 5 questions for online based vs. questions for customer service initiated transactions. No CSR should ever see the online challenge answers the customer selected, only the read-only answers for call center initiated requests. To be super safe, only allow call center questions to be designated or modified by a branch visit from the customer where photo ID can be checked (this also gives a branch cross sale opportunity). Those customers that prefer safe banking will self service online and others wanting the human touch will not be put off by these basic challenge question requirements and having to visit the bank to set up the convenience service of CSR initiated bill payments and transfers (for a modest per transaction fee).

#619289 - 10/19/06 06:37 PM Re: FFIEC Authentication Guidance - Call Centers
Dazed and Confused Offline
Gold Star
Dazed and Confused
Joined: Feb 2006
Posts: 250
Big XII South
Geek ... with challenge questions ... it seems you have single-factor authentication only (something the customer knows -- User ID/Password and answers to challenge questions). Will this be acceptable given the multi-factor authentication expectations of the regulators?

#619290 - 10/27/06 04:08 PM Re: FFIEC Authentication Guidance - Call Centers
bankaud Offline
New Poster
Joined: Oct 2006
Posts: 3
Thanks Dazed and Confused, most call centers only use multiple "what you knows". Geek - unfortunately we are an Internet only bank with only one teller open 4 hours a day and a nation-wide customer base. Not able to rely on a customer coming to a branch to verify ID. We use the non-documentary approach to CIP, for example. Anyone else facing this dilemma?


Moderator:  Andy_Z