
FFIEC Telephone Banking Compliance

Answered by: 

Question: 
With the FFIEC guidelines related to multi-factor authentication, can you offer any information on the VRU/Telephone Banking platform? If banking clients access data via the telephone, is the typical SSN/PIN/Account Number input enough to comply with the FFIEC?
Answer: 

On August 15, 2006, the FFIEC agencies published an FAQ on their October 2005 Guidance document. You can download a PDF copy of the FAQ here. The August document makes it clear that VRUs that can be used to obtain customer information or to transfer funds need to be reviewed for the adequacy of their access controls. Question 11 suggests strongly that single-factor authentication may not be sufficient for such a system: "Single-factor authentication alone would be adequate for electronic banking applications that do not process high-risk transactions, e.g., systems that do not allow funds to be transferred to other parties or that do not permit access to customer information."

First published on BankersOnline.com 9/25/06
