FFIEC Authentication Guidance

Posted By: AFaquir

FFIEC Authentication Guidance - 06/28/11 09:36 PM

Hooray, it's finally here... and we thought DFA was tough... at least we know about "banking."

Most of us don't know enough about Technology to pull this off! Good luck everybody!

FFIEC Final Authentication Guidance
Posted By: DEL

Re: FFIEC Authentication Guidance - 06/29/11 01:34 PM

I've just been reading through this - it looks very similar to the required SCI program at this point - assess the risk, show why the "layers" you have chosen address these risks. It seems like our need for the technology and non-technology areas of the bank to work together is increasing.
Posted By: Russ Horn

Re: FFIEC Authentication Guidance - 06/30/11 02:37 PM

On Friday, July 8th, beginning at 11:00am CDT, CoNetrix and the Michigan Bankers Association (MBA) are sponsoring a Free webinar reviewing the FFIEC Supplemental Guidance on Internet Banking Authentication. You can register by going directly to FFIEC Supplemental Guidance on Internet Banking Authentication webinar
Posted By: Lele

Re: FFIEC Authentication Guidance - 07/07/11 10:24 PM

The Guidance mentions having more active consumer awareness & education efforts. We were thinking about having a brochure. Does anyone have one to use as a sample that they are willing to share?
Posted By: VMdude

Re: FFIEC Authentication Guidance - 07/18/11 07:33 PM

In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, my Internet banking vendor's token based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?
Posted By: danyielg

Re: FFIEC Authentication Guidance - 07/18/11 08:07 PM

I just posted a similar question. lol
Can you imagine how many times we're gonna have to explain how to use a token? And then to replace them each time they get lost?
At our expense? Oh, and as I'm typing this I get a package from our correspondent bank with new tokens for me because there was a cyber attack on the company that provides our tokens. WOW!
So then who pays for them when that happens to us and we have to reissue every one of our customers' tokens?
Posted By: Andy_Z

Re: FFIEC Authentication Guidance - 07/18/11 08:11 PM

I have not been through the guidance yet. Are you not able to pass along the cost of replacement tokens as many banks do debit cards?
Posted By: BSAguy

Re: FFIEC Authentication Guidance - 07/19/11 07:49 PM

The thing I find odd is that the OCC has yet to publish anything on this FFIEC guidance while the FDIC put out a FIL over a week ago.
Posted By: Russ Horn

Re: FFIEC Authentication Guidance - 07/19/11 08:01 PM

I believe the OCC released a Bulletin (OCC 2011-26) titled Authentication in an Internet Banking Environment on June 28, 2011 - basically it is just a statement about the Supplement from the FFIEC with the Supplement attached - see below:

OCC Bulletin 2011-26
Posted By: MidwestCFE

Re: FFIEC Authentication Guidance - 07/20/11 06:20 PM

I came from a bank that used tokens, now I'm at a bank that opted for OOB. Each comes with its own pros/cons, some we didn't expect on either side. No perfect system - all can be bypassed, so you really have to decide what you're willing to pay for, and what amount of headache & pushback you can tolerate from customers... lesser of the evils??
We created a "Customer Best Practices for Online Banking", and that's what we use as one tool in customer education. We still need to revise it for our current online banking system, but we are also creating a personal one.
Posted By: VMdude

Re: FFIEC Authentication Guidance - 07/22/11 04:12 PM

Andy, what bank are you doing business with? Your bank is passing along a debit card replacement fee?? We had to do away with that fee over 8 years ago in order to compete in our market area. I doubt that my community bank could pass on more than $3 of the replacement cost of a token device. If our business customers complain, we are told to refund the fee, so it's easier just to "no charge" them to begin with. Same thing with the Cash Management set-up fee; 95% of them are waived because the customer complains about the $35 one-time charge.

More specifically to the FFIEC questions, my Internet banking vendor is pushing One-Time-Passcodes. Ugh!!! As a customer of a competing bank that uses that method, I hate having to get a phone call or a text message to log in. As a banker, I am certainly hoping for an alternative solution.
Posted By: AFaquir

Re: FFIEC Authentication Guidance - 07/22/11 08:03 PM

I just read an article... Password Strength which highlights that while most users are MO-rons when it comes to password strength and security... the fact we, and our service providers, allow them to be is the problem.

A previous poster is right, all systems have flaws, and customer inconvenience is a big concern... but we can and should do better with our user policies. I mean internally to our bank I have like a dozen logins of all varying lengths of all varying change cycles; it's confusing, but if we didn't we would be killed by our regulators... We should expect similar from our customers, and if they want to be silly and use simple ones or write them down for the world to see, that really becomes their problem... not ours. The more we fight it, the more we will end up in bad shape as breaches occur. Just my opinion though...
Posted By: Bobw

Re: FFIEC Authentication Guidance - 08/03/11 07:31 PM

Does anyone have a risk assessment template they used that they are willing to share? I would like to update mine, and was wondering what others might look like?

Thanks if you can assist
Posted By: Double U

Re: FFIEC Authentication Guidance - 08/03/11 07:44 PM

I have one that I obtained through another source. Of course, the one I have may need to be tweaked a little to meet some of the new authentication guidance. I would be willing to share if you are interested.
Posted By: Bobw

Re: FFIEC Authentication Guidance - 08/03/11 07:43 PM

that would be great, thx
Posted By: Baseball2013

Re: FFIEC Authentication Guidance - 08/03/11 08:04 PM

We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.

We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).

We're also looking at implementing a solution which helps protect against malware which our end-users may have unknowingly installed on their computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.
Posted By: Russ Horn

Re: FFIEC Authentication Guidance - 08/03/11 09:16 PM

Promotion of webinars and conferences must be approved by management and for vendors, through Tobi, Tobi@bankersonline.com.

Next Thursday, Aug. 3rd, we have a free webinar over the FFIEC Supplemental Guidance on Internet Banking Authentication. You can register by going to http://www.conetrix.com/Webinars.aspx (FFIEC Supplemental Guidance on Internet Banking Authentication webinar) or directly to ww2.gotomeeting.com/register/824743394

Thanks,
Russ
Posted By: Al Miller

Re: FFIEC Authentication Guidance - 08/04/11 03:43 PM

Russ, you must use a special calendar. grin

By my calendar, next Thursday is the 11th, and I'll be on the line.


Al
Posted By: Russ Horn

Re: FFIEC Authentication Guidance - 08/04/11 05:42 PM

Al, you are right... my bad... Thursday, the 11th blush
Posted By: MidwestCFE

Re: FFIEC Authentication Guidance - 08/04/11 06:38 PM

Originally Posted By: atmdude
In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, my Internet banking vendor's token based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?

We use Guardian for personal & business. There are 2 kinds: one does logins only, and the full integration will monitor amounts, etc.
We also use OOB instead of tokens - seemed a much better option. Both have pros/cons.
Posted By: MidwestCFE

Re: FFIEC Authentication Guidance - 08/04/11 06:41 PM

Originally Posted By: Baseball2011
We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.

We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).

We're also looking at implementing a solution which helps protect against malware which our end-users may have unknowingly installed on their computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.


I would NOT go with email for your OOB passwords. Hard lesson learned... when the hackers get into a victim's computer, they are often getting their emails too, so a secure access code sent to email will be obtained by the hacker... speaking from experience.
Posted By: Baseball2013

Re: FFIEC Authentication Guidance - 08/24/11 04:13 PM

We've also looked into PhoneFactor, Entrust, Trusteer, SilverTail Systems and ThreatMetrix as other options - and are still evaluating.
Posted By: VMdude

Re: FFIEC Authentication Guidance - 08/25/11 03:08 PM

Thanks for listing the vendors that you are evaluating. There are a couple there that I have not reviewed. Next week I will be evaluating IDology. I stumbled across them in my research. I am looking for something effective, yet as unobtrusive as possible. That is probably just a dream.
Posted By: ndbanker

Re: FFIEC Authentication Guidance - 09/27/11 06:08 PM

We have work to do regarding the customer education requirements of the supplemental guidance. Has anyone partnered with a vendor to provide the content for educating customers? If so, can you share the vendor name and whether you have been satisfied?
Posted By: Andy_Z

Re: FFIEC Authentication Guidance - 09/28/11 07:38 PM

Just throwing out that discussions about vendors need to be in the Private forums. What is here, listings, is fine, but critiques are different, if you take it to that level.
Posted By: Renee L.

Re: FFIEC Authentication Guidance - 10/25/11 01:36 AM

Double U, I would love to have a copy, if you'd care to share. Just don't know exactly where to start. (And by the way, Go CATS! Love your avatar.)
Posted By: New Manager

Re: FFIEC Authentication Guidance - 11/04/11 07:34 PM

Does anyone have a risk assessment template they would be willing to share? I am having a difficult time finding something. I'd rather not go the route of a narrative, but will if necessary. Thanks.
Posted By: mattm

Re: FFIEC Authentication Guidance - 11/07/11 03:35 PM

Does anyone have a risk assessment and customer education letter template you would be willing to share?

Thanks!!
Posted By: Beachbum, CRCM

Re: FFIEC Authentication Guidance - 11/07/11 06:51 PM

Echoing mfbmatt's request for a customer education letter template to use as a starting point. smile
Posted By: Cornfed Turtle

Re: FFIEC Authentication Guidance - 11/09/11 02:52 PM

What are your plans for the customer education piece? A competitor of ours says they are contracting with a vendor to deliver a newsletter periodically. I don't have any more details. Are you mailing? Posting on website? Taking the newsletter approach?
Posted By: EmilyAnn

Re: FFIEC Authentication Guidance - 11/17/11 07:51 PM

The San Francisco FRB webinar "Responding to the Cyber Threat: Interagency Supplement to Authentication in an Internet Banking Environment" conducted today (11/17/11) is worth listening to.

http://www.frbsf.org/banking/events/
Posted By: AnnR

Re: FFIEC Authentication Guidance - 11/17/11 10:10 PM

I also am looking for a risk assessment template from anyone willing to share. Thank you!
Posted By: complylady

Re: FFIEC Authentication Guidance - 11/22/11 09:35 PM

Bumping this back to the top. Has anyone created an Internet Banking Authentication notification form/letter for customers yet? And what are you putting on your bank website for customer information? Thanks.
Posted By: Matt_B

Re: FFIEC Authentication Guidance - 11/22/11 10:02 PM

I'm having trouble finding anything specific on this one way or another. Does it state anywhere when it is required to send out the customer education piece?
We have a basic idea of what we want to say, and can put it on the back of one of our monthly newsletters, but January's is already occupied with privacy info and we'd rather not have a second sheet, so they'd like to wait until February to send this out if possible. Any ideas?
Posted By: WHAT ?!?!

Re: FFIEC Authentication Guidance - 12/01/11 03:47 PM

I was curious to know how many banks have completed this or is everyone still figuring out what additional controls they are going to use and how to communicate all of this information to their customers.
Posted By: califgirl

Re: FFIEC Authentication Guidance - 12/01/11 05:16 PM

In relation to customer education, this site was recommended on another banking board. I'm thinking of linking it from our bank website.
http://onguardonline.gov/
Posted By: 'Lil Freak!

Re: FFIEC Authentication Guidance - 12/01/11 07:16 PM

We're doing the same as califgirl.
Posted By: banker1975

Re: FFIEC Authentication Guidance - 12/02/11 07:07 PM

Will FDIC approve this as "customer education" if the link is the only thing that is provided?
Posted By: mmumm

Re: FFIEC Authentication Guidance - 12/06/11 12:34 AM

We are looking into brochures by Bankstuffers, ABA and the FDIC also has a short video which they encourage to post on our website.

However, I think we'll need to supplement with a notice of our own, as the brochures don't contain bank-specific info about the Reg E protections provided, under what circumstances we would contact our customers to request their e-banking credentials, or a list of the bank's contacts for reporting info-security related events...
Posted By: QCL

Re: FFIEC Authentication Guidance - 12/15/11 03:17 PM

Originally Posted By: EmilyAnn
The San Francisco FRB webinar "Responding to the Cyber Threat: Interagency Supplement to Authentication in an Internet Banking Environment" conducted today (11/17/11) is worth listening to.

http://www.frbsf.org/banking/events/


Did anyone else listen to this?

If you have not listened to it - a word of warning - there are 2 clowns from the Fed in the background that are whispering the entire hour.
Posted By: Tigg

Re: FFIEC Authentication Guidance - 12/20/11 05:44 PM

The consumer education piece seems to be fairly easy to fulfill with free brochures, educational materials available at the FTC and the onlineonguard.gov websites.

Can anyone share how they are planning to educate their commercial customers and where you are finding any resources? Everything I've seen is geared toward consumers and kids.

Thanks.
Posted By: LA LA

Re: FFIEC Authentication Guidance - 12/21/11 07:15 PM

I agree Tigg. I am having a hard time coming up with something for business customers.

I found where there's been a referral to this site where businesses can find cyber security resources at http://www.us-cert.gov/. However, I can't seem to find any literature for distribution.

If someone has something, please let me know. Thanks.
Posted By: BSARocksagain

Re: FFIEC Authentication Guidance - 12/22/11 04:07 PM

Did anyone write a low-tech controls memo to bridge over until automated controls are in place or did you incorporate this into your Information Security Policy?
Posted By: sammylou

Re: FFIEC Authentication Guidance - 12/27/11 09:41 PM

We found a pretty good article that we intend to start with from a business education perspective. We will provide it to all existing business online banking customers and then new ones at the point of registration.

http://www.fsisac.com/files/public/db/p265.pdf

Seems very comprehensive and written in language most can understand.
Posted By: Compl101TX

Re: FFIEC Authentication Guidance - 12/30/11 10:23 PM

How can we comply with this part of the guidance on customer education?

-An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.

Any suggestion will be greatly appreciated!
Posted By: JamesH

Re: FFIEC Authentication Guidance - 01/05/12 04:28 PM

Would you be willing to share the risk assessment with me too? I'm having trouble developing ours too.

James
Posted By: VMack

Re: FFIEC Authentication Guidance - 01/05/12 05:18 PM

Originally Posted By: E F B
How can we comply with this part of the guidance on customer education?

-An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.

Any suggestion will be greatly appreciated!


I am at a loss as to how to incorporate language to meet this requirement into our customer education material. I know that the intent is to let our commercial customers know that "hey, Reg. E protections will not apply!" Has anyone had any thoughts about what this will look like in print? Thanks.
Posted By: Midnight

Re: FFIEC Authentication Guidance - 01/26/12 02:47 PM

Looks like onguardonline.gov has been hacked... See news link below.

http://www.pcadvisor.co.uk/news/security/3332466/us-government-online-security-website-hacked/
Posted By: VMdude

Re: FFIEC Authentication Guidance - 01/31/12 05:48 PM

I have just been told by an associate that Gladiator Technologies offers a 15 minute training video that can be customized with the bank's logo that addresses all the areas of customer awareness. Some banks are making the video mandatory for all new business banking clients that have ACH and wire TRF capability. Apparently there is a dashboard that provides excellent reporting for examiners. It might be worth a look.
Posted By: dg

Re: FFIEC Authentication Guidance - 02/13/12 11:58 PM

Has anyone added any of this guidance or referred to it, into their BSA Policy or Program?
Posted By: DD Regs

Re: FFIEC Authentication Guidance - 07/18/12 09:20 PM

We use OOB method. If a client states they can't use OOB, would we be able to have them sign a waiver stating they hold us blameless if their system is compromised?
Posted By: rlcarey

Re: FFIEC Authentication Guidance - 07/22/12 11:17 AM

Knowingly providing services in less than what is believed to be a secure environment would probably be a little hard to defend regardless of any such hold harmless agreement. That the customer is either able to comply or cannot use the services is the only logical approach.
Posted By: Andy_Z

Re: FFIEC Authentication Guidance - 07/27/12 11:19 PM

Originally Posted By: DD Regs
If a client states they can't use OOB, would we be able to have them sign a waiver stating they hold us blameless if their system is compromised?


Read the PATCO decision or tune into this webinar. http://calendar.bollearningconnect.com/main.php?view=event&eventid=1341926976105

Banks are losing these suits as there are disputes over which system was compromised, was security adequate and now, was it reasonable.

A waiver isn't reasonable.