Mortgage Daily Logo
mortgage news from industry experts

Internet Transaction Security

Internet Transaction Security

FFIEC issues guidance

August 29, 2006


photo of Coco Salazar
Recently issued guidance directs regulated financial institutions as to the level of security required for various types of activities and transactions executed online.

The Federal Financial Institutions Examination Council recently released a set of answered frequently asked questions to help financial institutions and their technology service providers in understanding its October 2005 Internet security guidance, the Authentication in an Internet Banking Environment.

The FAQs reflect questions FFIEC has received from financial institutions, examiners, and technology service providers, and “assess risks in their Internet-based products and services and determine appropriate authentication solutions for permitting access to systems that process high risk transactions involving the movement of funds to other parties or access to customer information.”

The guidance applies to all forms of electronic banking, including telephone banking systems, according to the council, which consists of the Federal Reserve Board, Federal Deposit Insurance Corp., National Credit Union Administration, Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

Additionally, the Internet security guide applies to all financial institutions regulated by the council agencies, as well as to loan service companies, correspondent bankers if in fact the correspondent banking relationship uses an electronic banking system with high-risk functionality, and to call center centers that perform high-risk services.

The FFIEC also cleared that it is not a requirement to use multifactor authentication and that this is not preferred over layered security or other compensating controls, as it is one of several methods that can mitigate risk. However, the council warned that the guidance does identify circumstances in which the use of a single-factor authentication as the only control mechanism would be viewed as inadequate and conclude that additional risk mitigation is warranted.

Single-factor authentication as the only control would be adequate for electronic banking systems that do not permit access to consumer information or movement of funds to other parties, but this type of authentication would not meet guidance expectations even if an institution chooses to reimburse customers for any losses associated with Internet fraud, the FAQ document said.

Applications submitted by non-customers are not subject to the guidance rules, as customer verification during account origination is a related but separate process from that of authentication, according to the document.

Financial institutions are expected to complete the risk assessment and implement risk mitigation activities by yearend 2006. If a solution has not been implemented by then, the agencies said they will assess the adequacy of each financial institution’s authentication controls on a case-by-case basis.

The council reminded that Internet banking system providers can be chosen to perform risk assessment, but financial institutions are ultimately responsible for managing risk and should perform appropriate due diligence when selecting a service provider. The council is currently assessing progress efforts being made by technology service providers to conform with the guidance as part of the ongoing interagency supervisory process.

Rather than assessing risks regarding authentication on a yearly basis, the guide requires an institution’s information security program to be “monitored, evaluated, and adjusted as appropriate in light of changes in technology, the sensitivity of customer information, internal and external threats to information, the institution’s changing business arrangements, and changes to customer information systems. These same criteria apply to re-evaluating the institution’s Internet banking controls.”

The agencies also remind lenders to not forego risk assessment and opt for immediately implementing additional authentication controls because the guidance is risk-based, thereby an assessment that sufficiently evaluates the risks and identifies the reasons for choosing a particular control should be completed.

Coco Salazar is an assistant editor and staff writer for

Popular posts

How Long Does It Take to Refinance a Mortgage
How Long Does It Take to Refinance a Mortgage

So, you’re interested in refinancing your mortgage. Maybe you want some extra capital to do that home project you’ve always dreamed of, interest rates are nearing record lows, or you want to start consolidating debt. Regardless of the motivation behind the refinance,...

How Does Refinancing a Mortgage Work
How Does Refinancing a Mortgage Work

A home purchase is considered an investment, and a robust one at that. Savvy owners are constantly looking for new ways to reduce debt, save money, pay less in interest, and ultimately build equity. Refinancing is one way to leverage your investment and do just that....

What Does It Mean to Refinance Your Home
What Does It Mean to Refinance Your Home

You can think of refinancing your mortgage as a debt redo. Essentially, you’ll swap out the existing loan for a new one - ideally with better terms and conditions. Only this time it could help you save money on high mortgage payments, rather than just borrow it....

Setting up the Utilities in My New House
Setting up the Utilities in My New House

All the tedious, time-consuming home closing documents have been signed, sealed, and delivered. Your belongings are packed into what seems like a million boxes and you have a solid plan to haul all your existing furniture to the new place. Just as your boxes and...

When Is My First Mortgage Payment Due?
When Is My First Mortgage Payment Due?

Navigating your way through a brand new mortgage loan can be a difficult task, especially for first time homeowners. After handing over a large sum of money for the down payment and closing costs, it’s important to pay attention to the timing of your first mortgage...


Don’t worry, we don’t spam

calculate your monthly mortgage payment

Related Topics

Helpful Links

Daily mortgage rate trends

Best mortgage lenders

First-time homebuyers programs by state

Loan limits by state

Types of mortgages

APR vs interest rate

Understanding PMI

Related Posts