I know that the deadline for multifactor authentication is December 31, 2006, but our internet banking service provider indicated that a conversation with an FRB examiner led them to believe that as long as we have our risk assessment completed and the process started, we do not have to be in compliance by December 31st. I don't want to rely on one examiner's opinion, so I was wondering if anyone else had heard something similar.

Take a look at the FFIEC Q&A on this topic, in particular the questions on "Timing" on page 4.

The examiner doesn't appear to have any official backing for the statement he or she is alleged to have made. "Case by case basis" doesn't give me any warm fuzzies. I'd hold your service provider's feet to the fire on this.

Thanks, John!

From ICBA News Watch Today

"Scrambling to Meet Authentication Deadline
If your community bank or its services partner is scrambling to meet the year-end federal deadline for adopting multifactor authentication for online customer accounts, take heart. A report by Aite Group LLC found that one-third of largest 60 largest U.S. banks and brokerage firms won't be able to meet the deadline. The report also suggests that financial institutions look to batten down their telephone procedures and protocols with employees, as tighter online security might steer criminals to try more pretext calling schemes to obtain customer information next year."

Aite group is here

We are in the same boat as you are. we are an occ bank and they told us there would not be an mra or other action against us because we have conducted our risk assessment and are currently shopping for a vendor.

This whole issue is pretty confusing, especially when banks want to be on the up and up as Jan 1 approaches. The gov can't really enforce something that is so vague on paper can it... The technology part of it is simple in theory, stick it on the front-end and challenge customers that meet certain metrics( geolocational IPs or $$ limits). You can set your metrics very very low so as to challenge/ inconvenience the least number of customers. The hard part is the impact on service levels in your call centers and the extra call volume generated by this extra MA security layer, even with metrics set low. Do you implement all at once or try to do it on a state by state or branch by branch approach as your phone lines will be clogged with people who are learning and locked themselves out( maybe set-up a special 1800# for MA questions to limit impact on other callers. Also, will your MA be implemented the same for business customers and regular consumers? Gov isn't clear on this. Will you expect a business CFO to tell the MA answers he/she selects or the picture passcode to all the bookkeepers and managers that log-in to check the business accounts and does that really make it any safer then ?
I'd say as long as you are doing something internally you will be fine. The longer you wait to pick a vendor the more the vendors will have learned by other banks being their guinea pigs for these new methods of security

We have picked our vendor and are finally on the list. Last week of the year to be precise. I have been assured that since its the vendors delay and not ours, we as an FI are covered. The heat is on them.