Mortgage Daily

Published On: August 29, 2006
Internet Transaction Security

FFIEC issues guidance


By COCO SALAZAR

Recently issued guidance directs regulated financial institutions as to the level of security required for various types of activities and transactions executed online.

The Federal Financial Institutions Examination Council recently released a set of frequently asked questions, with answers, to help financial institutions and their technology service providers understand its October 2005 Internet security guidance, Authentication in an Internet Banking Environment.

The FAQs reflect questions FFIEC has received from financial institutions, examiners, and technology service providers, and are meant to help them “assess risks in their Internet-based products and services and determine appropriate authentication solutions for permitting access to systems that process high risk transactions involving the movement of funds to other parties or access to customer information.”

The guidance applies to all forms of electronic banking, including telephone banking systems, according to the council, which consists of the Federal Reserve Board, Federal Deposit Insurance Corp., National Credit Union Administration, Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

Additionally, the Internet security guidance applies to all financial institutions regulated by the council agencies, as well as to loan service companies, to correspondent bankers if the correspondent banking relationship uses an electronic banking system with high-risk functionality, and to call centers that perform high-risk services.

The FFIEC also clarified that multifactor authentication is not a requirement and is not preferred over layered security or other compensating controls, as it is one of several methods that can mitigate risk. However, the council warned that the guidance does identify circumstances in which the use of single-factor authentication as the only control mechanism would be viewed as inadequate, and concludes that additional risk mitigation is warranted.

Single-factor authentication as the only control would be adequate for electronic banking systems that do not permit access to consumer information or movement of funds to other parties, but this type of authentication would not meet guidance expectations even if an institution chooses to reimburse customers for any losses associated with Internet fraud, the FAQ document said.

Applications submitted by non-customers are not subject to the guidance rules, as customer verification during account origination is a related but separate process from that of authentication, according to the document.

Financial institutions are expected to complete the risk assessment and implement risk mitigation activities by year-end 2006. If a solution has not been implemented by then, the agencies said they will assess the adequacy of each financial institution’s authentication controls on a case-by-case basis.

The council reminded institutions that Internet banking system providers can be chosen to perform risk assessment, but financial institutions are ultimately responsible for managing risk and should perform appropriate due diligence when selecting a service provider. The council is currently assessing the progress being made by technology service providers to conform with the guidance as part of the ongoing interagency supervisory process.

Rather than assessing risks regarding authentication on a yearly basis, the guide requires an institution’s information security program to be “monitored, evaluated, and adjusted as appropriate in light of changes in technology, the sensitivity of customer information, internal and external threats to information, the institution’s changing business arrangements, and changes to customer information systems. These same criteria apply to re-evaluating the institution’s Internet banking controls.”

The agencies also remind lenders not to forgo risk assessment in favor of immediately implementing additional authentication controls. Because the guidance is risk-based, an assessment that sufficiently evaluates the risks and identifies the reasons for choosing a particular control should be completed.


Coco Salazar is an assistant editor and staff writer for MortgageDaily.com. E-mail: MortgageWriter@aol.com
