Friday, September 20, 2024

FFIEC Clarifies Authentication Guidance, Gets Tough on Deadline

Seeking to address industry uncertainty about its guidelines on online-banking security, the Federal Financial Institutions Examination Council this week released a set of clarifications it says addresses “a representation” of questions it has received from banks, technology companies, and banking examiners. This latest document from the FFIEC, an agency that embraces five federal banking regulatory bodies, says among other things that its guidance on online security, released last October, does not mandate multifactor authentication for Internet access. This may be the most surprising explanation emerging from the document, given that many bankers, along with security-software firms eager to sell to banks, have assumed otherwise.

When released last fall in response to a fast-growing plague of online viruses and phishing frauds, the guidance created a stir in banking and Internet circles because it appeared to require banks to adopt, by the end of 2006, authentication systems going beyond conventional user-name/password techniques for such functions as online bill payment and for access to customer data (Digital Transactions News, Oct. 26). It also set off a land rush among technology vendors hoping to capitalize on the sense of urgency created by the guidance, and triggered a host of questions about such matters as the type of technology the FFIEC is looking for and how soon it expects implementation. Posed in the form of 35 frequently asked questions, the clarifications issued this week cover ground ranging from the scope of the guidance to customer outreach to matters of risk assessment.
In addressing techniques to identify online users, the new document says the guidance “does not call for the use of multifactor authentication.” It says such technology, which relies on one or more factors of identity beyond a password, “is one of several methods that can be used to mitigate risk as discussed in the guidance.” While the document does not go into detail about other risk-mitigation tools banks can use, it refers to so-called layered security or other “compensating controls” as methods that would be in accord with the guidance. As an example later in the document, the FFIEC says the use of two or more passwords at different points during an online session could be “part of a layered-security or other compensating-control approach.” The agency, however, is clear that it regards single-factor authentication alone as inadequate for transactions involving the transfer of funds or access to customer data.

On the question of what the regulatory agencies expect banks to have done by the end of this year, the FFIEC takes a tough stance. This week's document says they should complete risk assessments and “implement risk-mitigation activities.” As for the year-end deadline, “the agencies are not considering any general extension of the timing associated with this guidance,” the document says. Other parts of the document explain that the guidance does not apply to credit and debit cards when used on the Internet, that banks can't skirt the guidance by promising to make customers whole for fraud losses, and that banks must perform risk assessments even if they are prepared to implement strong authentication right away.

Based in Washington, D.C., the FFIEC standardizes bank-examination methods for the Federal Deposit Insurance Corp., the Federal Reserve, the National Credit Union Administration, and the Office of the Comptroller of the Currency. A copy of the FAQ document is available at www.ffiec.gov/pdf/authentication_faq.pdf
