Nebraska Bankers Association

AUTHENTICATION IN AN INTERNET BANKING ENVIRONMENT: FFIEC GUIDANCE


I. INTRODUCTION

On October 13, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance entitled “Authentication in an Internet Banking Environment,” hereinafter referred to as the “Guidance,” applicable to both retail and commercial customers of financial institutions.  The Guidance updates and replaces the FFIEC’s “Authentication in an Electronic Banking Environment” issued in 2001. 

The primary purpose of the updated Guidance is to address the need for financial institutions to conduct risk-based assessments, evaluate customer awareness programs and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.

The guidance requires financial institutions offering Internet-based and other forms of electronic banking products and services to their consumer and commercial customers to have reliable and secure methods to authenticate their customers.  The requirement applies when the services are provided directly by the financial institution or indirectly by the financial institution’s service provider.

The FFIEC issued a supplement to the “Authentication in an Electronic Banking Environment” Guidance in 2011 (see NBA Compliance Handbook, Vol. I, Security tab, “Supplemental Guidance on Internet Banking Authentication” article).

II. PURPOSE

Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers.  An effective authentication system is necessary for compliance with requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions.  The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.

There are a variety of technologies and methodologies financial institutions can use to authenticate customers.  These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of “tokens”, transaction profile scripts, biometric identification, and others.  (The appendix to the guidance contains a more detailed discussion of authentication techniques.)  The level of risk protection afforded by each of these techniques varies.  The selection and use of authentication technologies and methods should depend upon the results of the financial institution’s risk assessment process.

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods.  Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents.  For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN).  A multifactor authentication methodology may also include “out–of–band” controls for risk mitigation.

The success of a particular authentication method depends on more than the technology.  It also depends on appropriate policies, procedures, and controls.  An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

III. AUTHENTICATION METHODS

The guidance reiterates the agencies’ longstanding insistence that authentication techniques used by financial institutions should be appropriate in light of the risks associated with particular products and services.  It also states:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.  Single-factor authentication tools, including passwords and PINs, have been widely used for a variety of Internet-banking and electronic commerce activities, including account inquiry, bill payment and account aggregation.  However, financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware (short for malicious software, such as software designed to capture and forward private information such as IDs, passwords, account numbers and PINs), and the evolving sophistication of compromise techniques.  When risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security or other controls reasonably calculated to mitigate those risks.

Authentication factors include one or more of the following:

  • Something a person knows – commonly a password or PIN;
  • Something a person has – commonly a physical device such as an ATM card or token device;
  • Something a person is – commonly a physical characteristic, such as a fingerprint, voice pattern, finger or hand geometry, or iris configuration.

Multi-factor authentication uses two or more of the above factors to verify a person’s identity.

IV. RISK ASSESSMENT

To implement the guidance, financial institutions should first perform a risk assessment of their Internet-banking systems.  The risk should be evaluated according to the type of customer (consumer or commercial), customer transactional capabilities (bill payment, wire transfer, loan origination), the sensitivity of customer information communicated between the institution and the customer, the ease of using the communication method, and the transaction volume.  Based on the risk assessment, financial institutions must determine the appropriate level of authentication.

An effective authentication program should be implemented to ensure that controls and authentication tools are appropriate for all of the financial institution’s Internet-based products and services.  Authentication processes should be designed to maximize interoperability and should be consistent with the financial institution’s overall strategy for Internet banking and electronic commerce customer services.  The level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application.

A comprehensive approach to authentication requires development of, and adherence to, the institution’s information security standards, integration of authentication processes within the overall information security framework, risk assessments within lines of businesses supporting selection of authentication tools, and central authority for oversight and risk monitoring.  This authentication process should be consistent with and support the financial institution’s overall security and risk management programs.

The method of authentication used in a specific Internet application should be appropriate and reasonable, from a business perspective, in light of the reasonably foreseeable risks in that application.  Because the standards for implementing a commercially reasonable system may change over time as technology and other procedures develop, financial institutions and technology service providers should develop an ongoing process to review authentication technology and ensure appropriate changes are implemented.

The risk assessment process should:

  • Identify all transactions and levels of access associated with Internet-based customer products and services;
  • Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access;
  • Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.

V. ACCOUNT ORIGINATION AND CUSTOMER VERIFICATION

The guidelines provide that financial institutions use reliable methods of originating new customer accounts online.  Customer identity verification during account origination is required by Section 326 of the USA Patriot Act and is important in reducing the risk of identity theft, fraudulent account applications and unenforceable account agreements or transactions.  The risks of accepting Internet or purely electronic customers are due to the lack of physical cues traditionally used to identify individuals.

One method to verify a customer’s identity is a physical presentation of a proof of identity credential such as a driver's license.  Similarly, to establish the validity of a business and the authority of persons to perform transactions on its behalf, financial institutions typically review articles of incorporation, business credit reports, board resolutions identifying officers and authorized signers, and other business credentials.  However, in an Internet banking environment, reliance on these traditional forms of paper-based verification decreases substantially.  Accordingly, financial institutions need to use reliable alternative methods.

VI. MONITORING AND REPORTING

Monitoring systems can determine if unauthorized access to computer systems and customer accounts has occurred.  A sound authentication system should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities.  The activation and maintenance of audit logs can help institutions to identify unauthorized activities, detect intrusions, reconstruct events, and promote employee and user accountability.  In addition, financial institutions should report suspicious activities to appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.

Financial institutions should rely on multiple layers of control to prevent fraud and safeguard customer information.  Much of this control is not based directly upon authentication.  For example, a financial institution can analyze the activities of its customers to identify suspicious patterns.  Financial institutions also can rely on other control methods, such as establishing transaction dollar limits that require manual intervention to exceed a preset limit.

Adequate reporting mechanisms are needed to promptly inform security administrators when users are no longer authorized to access a particular system and to permit the timely removal or suspension of user account access.  Furthermore, if critical systems or processes are outsourced to third parties, management should ensure that the appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the institution in a timely manner.  An independent party (e.g., internal or external auditor) should review activity reports documenting the security administrators’ actions to provide the necessary checks and balances for managing system security.

VII. CUSTOMER AWARENESS

Financial institutions should continue to make efforts to educate their customers.  Since customer awareness is a key defense against fraud and identity theft, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary.  Management should implement a customer awareness program and evaluate its effectiveness periodically.  Methods to evaluate a program’s effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (ID/password), the number of clicks on information security links on Web sites, the number of statement stuffers or other direct mail communications, or the dollar amount of losses relating to identity theft.

VIII. CONCLUSION

An effective authentication system is necessary for compliance with requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft and to promote the legal enforceability of electronic agreements and transactions.  The risks of doing business with unauthorized or incorrectly identified persons in an Internet-banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data or unenforceable agreements.

The FFIEC Guidance attaches an appendix describing a variety of technologies and methodologies financial institutions can use to authenticate customers, including the use of passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of “tokens,” transaction profile scripts and biometric identification.  These technologies and methodologies can be accessed at the FFIEC Website at http://www.ffiec.gov/.  The selection and use of authentication technologies and methods should depend on the results of the financial institution’s risk assessment process.

APPENDIX:

Background. The term authentication, as used in this guidance, describes the process of verifying the identity of a person or entity.  Within the realm of electronic banking systems, the authentication process is one method used to control access to customer accounts and personal information.  Authentication is typically dependent upon customers providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.

Customer identifiers may be a bankcard for ATM usage, or some form of user ID for remote access.   An authentication factor (e.g. PIN or password) is secret or unique information linked to a specific customer identifier that is used to verify that identity.

Generally, the way to authenticate customers is to have them present some sort of factor to prove their identity.  Authentication factors include one or more of the following:

  • Something a person knows—commonly a password or PIN.  If the user types in the correct password or PIN, access is granted.
  • Something a person has—most commonly a physical device referred to as a token.  Tokens include self-contained devices that must be physically connected to a computer or devices that have a small screen where a one-time password (OTP) is displayed, which the user must enter to be authenticated.
  • Something a person is—most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user’s eye.  This type of authentication is referred to as “biometrics” and often requires the installation of specific hardware on the system to be accessed.

Authentication methodologies are numerous and range from simple to complex.  The level of security provided varies based upon both the technique used and the manner in which it is deployed.  Single-factor authentication involves the use of one factor to verify customer identity.  The most common single-factor method is the use of a password.  Two-factor authentication is most widely used with ATMs.  To withdraw money from an ATM, the customer must present both an ATM card (something the person has) and a password or PIN (something the person knows).  Multifactor authentication utilizes two or more factors to verify customer identity.  Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations.  The effectiveness of a particular authentication technique is dependent upon the integrity of the selected product or process and the manner in which it is implemented and managed.

Authentication Techniques, Processes, and Methodologies. Material provided in the following sections is for informational purposes only.  The selection and use of any technique should be based upon the assessed risk associated with a particular electronic banking product or service.

Shared Secrets. Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity.  Passwords and PINs are the best known shared secret techniques but some new and different types are now being used as well.  Some additional examples are:

  • Questions or queries that require specific customer knowledge to answer, e.g., the exact amount of the customer’s monthly mortgage payment.
  • Customer-selected images that must be identified or selected from a pool of images.

The customer’s selection of a shared secret normally occurs during the initial enrollment process or via an offline ancillary process.  Passwords or PIN values can be chosen, questions can be chosen and responses provided, and images may be uploaded or selected.

The security of shared secret processes can be enhanced with the requirement for periodic change.  Shared secrets that never change are described as “static” and the risk of compromise increases over time.  The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate.

Shared secrets can also be used to authenticate the institution’s Web site to the customer.  This is discussed in the Mutual Authentication section.

Tokens. Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme.  Three types of tokens are discussed here:  the USB token device, the smart card, and the password-generating token.

USB Token Device - The USB token device is typically the size of a house key.  It plugs directly into a computer’s USB port and therefore does not require the installation of any special hardware on the user’s computer.  Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system.

USB tokens are one-piece, injection-molded devices.  USB tokens are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials.  The device has the ability to store digital certificates that can be used in a public key infrastructure (PKI) environment.

The USB token is generally considered to be user-friendly.  Its small size makes it easy for the user to carry and, as noted above, it plugs into an existing USB port; thus the need for additional hardware is eliminated.

Smart Card - A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data.  Inclusion of the microprocessor enables software developers to use more robust authentication schemes.  To be used, a smart card must be inserted into a compatible reader attached to the customer’s computer.  If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process.

Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials.  Smart cards are easy to carry and easy to use.  Their primary disadvantage as a consumer authentication device is that they require the installation of a hardware reader and associated software drivers on the consumer’s home computer.

Password-Generating Token - A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used.  The token ensures that the same OTP is not used consecutively.  The OTP is displayed on a small screen on the token.  The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor).  The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the password on the authentication server.  A new OTP is typically generated every 60 seconds—in some systems, every 30 seconds.  This very brief period is the life span of that password.  OTP tokens generally last 4 to 5 years before they need to be replaced.

Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication.  The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging.
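The server side of the two-step check described above, as an added example that is not part of the guidance or the NBA handbook.  The guidance does not specify how a token derives its code; this example assumes the common design in which the token and the authentication server share a per-token secret seed and a clock, derives each 60-second code with an HMAC, and refuses to accept any time step twice so that a code captured by keyboard logging cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example (assumptions, not from the guidance):
# token and server share a secret seed and a clock; the code is an HMAC over
# the current time step, truncated to six digits.
STEP_SECONDS = 60        # the guidance cites 60-second (sometimes 30-second) codes
DIGITS = 6
ALLOWED_SKEW_STEPS = 1   # tolerate one step of clock drift in either direction


def time_step(now: float) -> int:
    """Map a wall-clock time (seconds) to the interval whose OTP is valid."""
    return int(now // STEP_SECONDS)


def generate_otp(seed: bytes, step: int) -> str:
    """Compute the code the token would display for one time step."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored regular password (first factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OtpVerifier:
    """Server side of the check: the regular password must match, then the
    OTP must match the server's own computation for the current time step,
    and no time step is ever accepted twice."""

    def __init__(self, password_hash: bytes, salt: bytes, seed: bytes):
        self._password_hash = password_hash
        self._salt = salt
        self._seed = seed
        self._last_accepted_step = -1   # highest step already used to log in

    def verify(self, password: str, otp: str, now: float) -> bool:
        # Factor 1: something the customer knows.
        if not hmac.compare_digest(hash_password(password, self._salt),
                                   self._password_hash):
            return False
        # Factor 2: something the customer has (the token showing this OTP).
        current = time_step(now)
        for step in range(current - ALLOWED_SKEW_STEPS,
                          current + ALLOWED_SKEW_STEPS + 1):
            if step <= self._last_accepted_step:
                continue   # already consumed or older: a captured code is dead
            if hmac.compare_digest(generate_otp(self._seed, step).encode(),
                                   otp.strip().encode()):
                self._last_accepted_step = step
                return True
        return False
```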

Biometrics.  Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or physical characteristic (something a person is).  Physiological characteristics include fingerprints, iris configuration, and facial structure.  Physical characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard.  The process of introducing people into a biometrics-based system is called “enrollment.”  In enrollment, samples of data are taken from one or more physiological or physical characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.

Once enrolled, customers interact with the live-scan process of the biometrics technology.  The live scan is used to identify and authenticate the customer.  The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system.  If there is a match, the customer is authenticated and granted access.

Biometric identifiers are most commonly used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has).

Various biometric techniques and identifiers are being developed and tested; these include:

  • fingerprint recognition;
  • face recognition;
  • voice recognition;
  • keystroke recognition;
  • handwriting recognition;
  • finger and hand geometry;
  • retinal scan; and
  • iris scan.

Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition and face recognition.

Fingerprint Recognition - Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along with small unique marks known as minutiae, which are the ridge endings and bifurcations or branches in the fingerprint ridges.  The data extracted from fingerprints are extremely dense and the density explains why fingerprints are a very reliable means of identification.  Fingerprint recognition systems store only data describing the exact fingerprint minutiae; images of actual fingerprints are not retained.  Fingerprint scanners may be built into computer keyboards or pointing devices (mice), or may be stand-alone scanning devices attached to a computer.

Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.

Although end users should have little trouble using a fingerprint-scanning device, special hardware and software must be installed on the user’s computer.  Fingerprint recognition implementation will vary according to the vendor and the degree of sophistication required.  This technology is not portable since a scanning device needs to be installed on each participating user’s computer.  However, fingerprint biometrics is generally considered easier to install and use than other, more complex technologies, such as iris scanning. Enrollment can be performed either at the financial institution’s customer service center or remotely by the customer after he or she has received setup instructions and passwords.  According to fingerprint technology vendors, there are several scenarios for remote enrollment that provide adequate security, but for large-dollar transaction accounts, the institution should consider requiring that customers appear in person.

Face Recognition - Most face recognition systems focus on specific features on the face and make a two-dimensional map of the face.  Newer systems make three-dimensional maps.  The systems capture facial images from video cameras and generate templates that are stored and used for comparisons.  Face recognition is a fairly young technology compared with other biometrics like fingerprints.

Facial scans are only as good as the environment in which they are collected.  The so-called “mug shot” environment is ideal.  The best scans are produced under controlled conditions with proper lighting and proper placement of the video device.  As part of a highly sensitive security environment, there may be several cameras collecting image data from different angles, producing a more exact scan.  Certain facial scanning applications also include tests for liveness, such as blinking eyes.  Testing for liveness reduces the chance that the person requesting access is using a photograph of an authorized individual.

Non-Hardware-Based One-Time-Password Scratch Card.  Scratch cards (something a person has) are less-expensive, “low-tech” versions of the OTP generating tokens discussed previously.  The card, similar to a bingo card or map location look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a grid.  The size of the card determines the number of cells in the grid.

Used in a multifactor authentication process, the customer first enters his or her user name and password in the established manner.  Assuming the information is input correctly, the customer will then be asked to input, as a second authentication factor, the characters contained in a randomly chosen cell in the grid.  The customer will respond by typing in the data contained in the grid cell element that corresponds to the challenge coordinates.

Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry.  This type of authentication requires no training and, if the card is lost, replacement is relatively easy and inexpensive.
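The grid-card challenge and response described above, as an added example that is not from the guidance or the NBA handbook.  It assumes the institution keeps a copy of each issued card, that the first factor (user name and password) has already been checked, and two constructed policy choices: the server (never the customer) picks the challenged cell, and a card is locked after three wrong answers so the grid cannot be guessed cell by cell.

```python
import hmac
import secrets
import string

# Constructed card layout for this example: 8 rows labelled by letter, 10
# columns labelled by number, 3 characters printed in every cell.
ROWS = "ABCDEFGH"
COLUMNS = tuple(range(1, 11))
CELL_CHARS = 3
ALPHABET = string.ascii_uppercase + string.digits


def issue_card() -> dict:
    """Generate a fresh card: (row, column) -> characters printed in that cell.
    The institution stores this copy; the customer receives the plastic card."""
    return {
        (row, col): "".join(secrets.choice(ALPHABET) for _ in range(CELL_CHARS))
        for row in ROWS for col in COLUMNS
    }


class GridCardAuthenticator:
    """Server side of the second factor (something the person has)."""

    def __init__(self, card: dict, max_failures: int = 3):
        self._card = card
        self._pending = None          # coordinates of the outstanding challenge
        self._failures = 0
        self._max_failures = max_failures
        self.locked = False

    def issue_challenge(self) -> tuple:
        """Pick a random cell for this login; returns the coordinates to show
        the customer, e.g. ('C', 7)."""
        if self.locked:
            raise PermissionError("card locked after repeated failures")
        self._pending = (secrets.choice(ROWS), secrets.choice(COLUMNS))
        return self._pending

    def verify(self, response: str) -> bool:
        """Check the customer's answer to the challenge most recently issued."""
        if self.locked or self._pending is None:
            return False
        expected = self._card[self._pending]
        self._pending = None          # each challenge can be answered only once
        ok = hmac.compare_digest(expected.encode(),
                                 response.strip().upper().encode())
        if ok:
            self._failures = 0
        else:
            self._failures += 1
            if self._failures >= self._max_failures:
                self.locked = True    # a lost or copied card must be replaced
        return ok
```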

Out-of-Band Authentication.  Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction.  This type of layered authentication has been used in the commercial banking/brokerage business for many years.  For example, funds transfer requests, purchase authorizations, or other monetary transactions are sent to the financial institution by the customer either by telephone or by fax.  After the institution receives the request, a telephone call is usually made to another party within the company (if a business-generated transaction) or back to the originating individual.  The telephoned party is asked for a predetermined word, phrase, or number that verifies that the transaction was legitimate and confirms the dollar amount.  This layering approach precludes unauthorized transactions and identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal point was misplaced and the amount came back as $100,000.00.

In today’s environment, the methods of origination and authentication are more varied.  For example, when a customer initiates an online transaction, a computer or network-based server can generate a telephone call, an e-mail, or a text message.  When the proper response (a verbal confirmation or an accepted-transaction affirmation) is received, the transaction is consummated.
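The server-generated out-of-band confirmation just described, as an added example that is not from the guidance or the NBA handbook.  It assumes a contact number enrolled in advance, a `send` callable standing in for the institution's telephone/text delivery, and a constructed five-minute confirmation window; the customer restates the amount when confirming, so the $1,000 versus $100,000 error from the guidance is caught before funds move.

```python
import hmac
import secrets
from dataclasses import dataclass

CONFIRM_WINDOW_SECONDS = 300   # constructed policy: unconfirmed requests expire


@dataclass
class PendingTransfer:
    account: str
    amount_cents: int
    code: str            # delivered only over the second channel
    created_at: float


class OutOfBandConfirmer:
    """Holds online transfer requests until confirmed over a separate channel.
    `send(destination, message)` stands in for the institution's telephone,
    text or e-mail delivery to the contact details held on file."""

    def __init__(self, send, contact_on_file: dict):
        self._send = send
        self._contacts = contact_on_file    # account -> contact enrolled in advance
        self._pending = {}                  # transaction id -> PendingTransfer
        self.released = []                  # transfers that passed confirmation

    def request(self, account: str, amount_cents: int, now: float) -> str:
        """Record the online request and push the confirmation out of band.
        Only the transaction id goes back over the web session, never the code."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = PendingTransfer(account, amount_cents, code, now)
        # Echo the amount so a misplaced decimal point is visible to the customer.
        self._send(self._contacts[account],
                   f"Confirm transfer of ${amount_cents / 100:,.2f}; reply with code {code}")
        return txn_id

    def confirm(self, txn_id: str, code: str, confirmed_amount_cents: int,
                now: float) -> bool:
        """Release the transfer only if the code, the amount and the time window
        all check out. Any failure cancels the request; it must be re-initiated."""
        pending = self._pending.pop(txn_id, None)   # a request is confirmed once
        if pending is None:
            return False
        if now - pending.created_at > CONFIRM_WINDOW_SECONDS:
            return False
        if not hmac.compare_digest(code.strip().encode(), pending.code.encode()):
            return False
        if confirmed_amount_cents != pending.amount_cents:
            return False   # the $1,000 vs $100,000 case: nothing moves
        self.released.append(pending)
        return True
```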

Internet Protocol Address (IPA) Location and Geo-Location.  One technique to filter an online transaction is to know who is assigned to the requesting Internet Protocol Address.  Each computer on the Internet has an IPA, which is assigned either by an Internet Service Provider or as part of the user’s network.  If all users were issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners.  However, IPAs are not owned, may change frequently, and in some cases can be “spoofed.”  Additionally, there is no single source for associating an IPA with its current owner, and in some cases matching the two may be impossible.

Some vendors have begun offering software products that identify several data elements, including location, anonymous proxies, domain name, and other identifying attributes referred to as “IP Intelligence.”  The software analyzes this information in a real-time environment and checks it against multiple data sources and profiles to prevent unauthorized access.  If the user’s IPA and the profiled characteristics of past sessions match information stored for identification purposes, the user is authenticated.  In some instances the software will detect out-of-character details of the access attempt and quickly conclude that the user should not be authenticated.

Geo-location technology is another technique to limit Internet users by determining where they are or, conversely, where they are not.  Geo-location software inspects and analyzes the small bits of time required for Internet communications to move through the network.  These electronic travel times are converted into cyberspace distances.  After these cyberspace distances have been determined for a user, they are compared with cyberspace distances for known locations.  If the comparison is considered reasonable, the user's location can be authenticated.  If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated.

IPA verification or geo-location may prove beneficial as one factor in a multifactor authentication strategy.  However, since geo-location software currently produces usable results only for land-based or wired communications, it may not be suitable for some wireless networks that can also access the Internet such as cellular/digital telephones.
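The following is an added illustration of the IP-intelligence and geo-location checks described above; it is not code from the handbook or the FFIEC. The IP-intelligence feed, the customer profile, the netblocks and the round-trip-time baseline are all constructed for the example, and network travel time is used as the stand-in for distance exactly as the text describes.

```python
import ipaddress
from typing import Optional

# Constructed "IP intelligence" feed: the netblocks used in this example, the country
# each geolocates to, and whether it is a known anonymous proxy.  A real deployment
# would consult the vendor data sources the text describes; these values are made up.
IP_INTEL = {
    ipaddress.ip_network("198.51.100.0/24"):  {"country": "US", "anon_proxy": False},
    ipaddress.ip_network("203.0.113.0/25"):   {"country": "US", "anon_proxy": False},
    ipaddress.ip_network("203.0.113.128/25"): {"country": "US", "anon_proxy": True},
    ipaddress.ip_network("192.0.2.0/24"):     {"country": "BR", "anon_proxy": False},
}

# Hypothetical profile for one customer, built from past authenticated sessions.
CUSTOMER_PROFILE = {
    "home_networks": {ipaddress.ip_network("198.51.100.0/24")},
    "country": "US",
    "baseline_rtt_ms": 40.0,   # typical network round-trip time from the usual location
}

# Findings that by themselves mean the session should not be authenticated.
HARD_FAIL = {"anonymous_proxy", "implausible_distance", "ip_unresolvable"}


def lookup_ip(addr: str) -> dict:
    """Return the IP-intelligence record for an address, or an empty record."""
    ip = ipaddress.ip_address(addr)
    for net, info in IP_INTEL.items():
        if ip in net:
            return dict(info, network=net)
    return {"country": None, "anon_proxy": False, "network": None}


def score_login(addr: str, observed_rtt_ms: Optional[float], profile: dict = CUSTOMER_PROFILE) -> dict:
    """Compare one login attempt against the stored profile and decide how to treat it."""
    intel = lookup_ip(addr)
    reasons = []
    if intel["network"] is None:
        reasons.append("ip_unresolvable")          # no source can attribute this address
    if intel["anon_proxy"]:
        reasons.append("anonymous_proxy")
    if intel["country"] is not None and intel["country"] != profile["country"]:
        reasons.append("country_mismatch")
    if intel["network"] not in profile["home_networks"]:
        reasons.append("unfamiliar_network")
    # Geo-location check: network travel time stands in for distance.  An RTT far
    # outside the baseline, or one that could not be measured, fails the check.
    if observed_rtt_ms is None or not 0.5 <= observed_rtt_ms / profile["baseline_rtt_ms"] <= 2.0:
        reasons.append("implausible_distance")

    if any(r in HARD_FAIL for r in reasons):
        decision = "not_authenticated"
    elif reasons:
        decision = "additional_factor_required"  # IP checks are one factor among several
    else:
        decision = "authenticated"
    return {"decision": decision, "reasons": reasons, "country": intel["country"]}
```

Calling `score_login("203.0.113.9", 60.0)` returns an "additional_factor_required" decision for a known US network the customer has not used before, while an anonymous proxy or an unmeasurable round-trip time yields "not_authenticated".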

Mutual Authentication.  Mutual authentication is a process whereby customer identity is authenticated and the target Web site is authenticated to the customer.  Currently, most financial institutions do not authenticate their Web sites to the customer before collecting sensitive information.  One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed Web sites during the collection stage of an attack.  The spoofed sites are so well constructed that casual users cannot tell they are not legitimate.  Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer.

Techniques for authenticating a Web site are varied.  The use of digital certificates coupled with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared secrets such as digital images is another.  Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks.

Customer Verification Techniques.  Customer verification is a related but separate process from that of authentication.  Customer verification complements the authentication process and should occur during account origination.  Verification of personal information may be achieved in three ways:

  • Positive verification to ensure that material information provided by an applicant matches information available from trusted third party sources.  More specifically, a financial institution can verify a potential customer’s identity by comparing the applicant’s answers to a series of detailed questions against information in a trusted database (e.g., a reliable credit report) to see if the information supplied by the applicant matches information in the database.  As the questions become more specific and detailed, correct answers provide the financial institution with an increasing level of confidence that the applicant is who they say they are.
  • Logical verification to ensure that information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).
  • Negative verification to ensure that information provided has not previously been associated with fraudulent activity.  For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior.  In the case of commercial customers, however, the sole reliance on online electronic database comparison techniques is not adequate since certain documents (e.g., bylaws) needed to establish an individual’s right to act on a company’s behalf are not available from databases.  Institutions still must rely on traditional forms of personal identification and document validation combined with electronic verification tools.
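As an added example (not code from the handbook or the FFIEC), the three verification steps above can be combined into one account-origination check: positive verification weighted by how specific each question is, logical verification of area code against ZIP code, and negative verification against a fraud database. The trusted record, the area-code table, the fraud database and the applicant data are all constructed; the check covers individuals only, since the text notes that commercial customers still require document validation.

```python
import re

# Constructed trusted-source record for the applicant (the sort of data a reliable
# credit report returns).  Every value here is made up for the example.
TRUSTED_RECORD = {
    "name": "Jane Q. Public",
    "dob": "1975-03-14",
    "prior_street": "12 Elm St",
    "prior_lender": "First Constructed Bank",
    "auto_loan_payment": "312",
}
# More specific questions earn more confidence when answered correctly.
QUESTION_WEIGHTS = {"name": 1, "dob": 2, "prior_street": 3, "prior_lender": 3, "auto_loan_payment": 4}

# Constructed reference tables: area code -> plausible ZIP prefixes, and identifiers
# previously associated with fraud (a stand-in for a real fraud database).
AREA_CODE_ZIP3 = {"402": {"680", "681", "683", "685"}, "212": {"100", "101", "102"}}
FRAUD_DB = {"phone": {"4025550199"}, "street": {"1 fake st"}}


def normalize(text: str) -> str:
    return re.sub(r"\W+", " ", text).strip().lower()

def digits(phone: str) -> str:
    return re.sub(r"\D", "", phone)[-10:]        # keep the 10-digit national number

def positive_verification(answers: dict) -> float:
    """Weighted share of trusted-record facts the applicant reproduced correctly."""
    earned = sum(w for q, w in QUESTION_WEIGHTS.items()
                 if normalize(answers.get(q, "")) == normalize(TRUSTED_RECORD[q]))
    return earned / sum(QUESTION_WEIGHTS.values())

def logical_verification(phone: str, zip_code: str) -> bool:
    """Do the telephone area code and ZIP code plausibly belong together?"""
    area = digits(phone)[:3]
    return zip_code[:3] in AREA_CODE_ZIP3.get(area, set())

def negative_verification(phone: str, street: str) -> list:
    """Which supplied identifiers have previously been tied to fraudulent activity?"""
    hits = []
    if digits(phone) in FRAUD_DB["phone"]:
        hits.append("phone")
    if normalize(street) in FRAUD_DB["street"]:
        hits.append("street")
    return hits

def verify_applicant(app: dict, threshold: float = 0.7) -> dict:
    """Run all three checks; a negative hit refers the file for review regardless of the rest."""
    confidence = positive_verification(app["answers"])
    consistent = logical_verification(app["phone"], app["zip"])
    hits = negative_verification(app["phone"], app["street"])
    verified = not hits and consistent and confidence >= threshold
    return {"decision": "verified" if verified else "refer_for_review",
            "confidence": round(confidence, 3), "consistent": consistent, "fraud_hits": hits}
```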

Another authentication method consists of the financial institution relying on a third party to verify the identity of the applicant.  The third party would issue the applicant an electronic credential, such as a digital certificate, that can be used by the applicant to prove his/her identity.  The financial institution is responsible for ensuring that the third party uses the same level of authentication that the financial institution would use itself.

IX.      FREQUENTLY ASKED QUESTIONS

On August 15, 2006, the FFIEC issued the “Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment” to assist financial institutions and their technology service providers in understanding the FFIEC Guidance.  The frequently asked questions are set forth below:

A.      Scope

Q-1      What was the impetus for the regulators providing guidance regarding how customers should access electronic banking systems?

A-1      Since 2001 there have been improvements in authentication technologies, increasing incidents of fraud (including identity theft), and significant legal and technological changes regarding the protection of customer information.

Q-2      Does the guidance apply to telephone banking systems?

A-2      While the guidance focuses on Internet banking systems, its principles apply to all forms of electronic banking, including telephone banking systems.

Q-3      Do the Agencies maintain a list of “approved” solutions?

A-3      No, the Agencies do not maintain a list of approved solutions.

Q-4      Is the Appendix to the guidance an “exclusive” list of solutions?

A-4      No, the Appendix is only a brief discussion of some of the technologies that the Agencies were aware of that could be used to address this issue.

Q-5      Does the guidance require the use of multifactor authentication?

A-5      No, the guidance does not call for the use of multifactor authentication.  The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance.  However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted.

Q-6      Does the guidance apply to both retail and commercial customers?

A-6      Yes, the guidance applies to both retail and commercial customers.

Q-7      Does the guidance apply to the retail use of credit and debit cards, including over the Internet?

A-7      No, the guidance does not apply to the use of credit or debit cards.

Q-8      Does the guidance apply to correspondent banking?

A-8      The guidance applies to correspondent banking if the correspondent banking relationship uses an electronic banking system with high-risk functionality as described in the guidance.

Q-9      Does the guidance specify the use of hardware tokens for authentication?

A-9      No, the use of hardware tokens is one possible method for enhancing controls surrounding the authentication of customers.

Q-10    Are the Agencies recommending multifactor authentication over layered security or other compensating controls?

A-10    No, any of these controls may be an effective method to mitigate risk in accordance with the guidance, if properly implemented.

Q-11    Are there banking applications where single-factor authentication as the only control mechanism would be adequate?

A-11    Single-factor authentication alone would be adequate for electronic banking applications that do not process high-risk transactions, e.g., systems that do not allow funds to be transferred to other parties or that do not permit access to customer information.

Q-12    Does the guidance apply to loan service companies?

A-12    The guidance applies to all financial institutions regulated by the Agencies.

Q-13    Does the guidance apply to securities brokers?

A-13    The guidance applies to the same entities and information covered by the Interagency Guidelines Establishing Information Security Standards.  The Securities and Exchange Commission has its own regulation on safeguarding customer information.  See 17 C.F.R. 248.30.

Q-14    Can an institution perform a risk assessment and conclude that stronger authentication is not warranted?

A-14    An institution’s risk assessment may conclude that existing controls are appropriate.  However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.

Q-15    If a financial institution has not experienced financial fraud or identity theft originating from its online banking system, should it nonetheless undertake risk mitigation steps in accordance with the guidance?

A-15    Yes, the guidance states that a financial institution’s risk assessment should consider appropriate risk-mitigation steps for both current and future risks. (Please refer to question 14.)

Q-16    Does the guidance apply to loan or deposit account applications submitted over the Internet by non-customers?

A-16    The guidance does not apply to applications submitted by non-customers.  As the appendix to the guidance explains, customer verification during account origination is a related but separate process from that of authentication.

Q-17    Does the guidance address mutual (e.g., institution-to-customer) authentication?

A-17    No, the guidance does not specifically address mutual authentication.  However, mutual authentication may be an effective host authentication control mechanism and may be part of a layered security program.

Q-18    Would an institution meet the expectations of the guidance if it permits high-risk transactions through a system that relies on single-factor authentication as its only control mechanism provided that the institution chooses to reimburse customers for any losses associated with Internet fraud?

A-18    No, making customers whole for losses is not a substitute for adopting appropriate authentication measures or other controls described in the guidance.

Q-19    Does the guidance apply to call centers?

A-19    The principles of the guidance apply if a financial institution permits high-risk services to be performed through its call center.

B.      Timing

Q-1      What do the Agencies expect institutions to have accomplished by year-end 2006?

A-1      The Agencies expect that institutions will complete the risk assessment and will implement risk mitigation activities by year-end 2006.  The Agencies are not considering any general extension of the timing associated with this guidance.

Q-2      What if the financial institution or its technology service provider cannot implement a solution by year-end 2006?

A-2      The Agencies’ examiners will assess the adequacy of each financial institution’s authentication controls on a case-by-case basis.

C.      Definitions

Q-1        Can you further clarify high-risk transactions involving the movement of funds to other parties and access to customer information?

A-1      The term “customer information” is defined in the guidance by reference to the Interagency Guidelines Establishing Information Security Standards.  Financial institutions may also want to review the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.  The term “movement of funds to other parties” includes bill payment applications as well as the ability to transfer funds to a separate account maintained at the same depository institution but owned by a different party.  Thus, any system that permits the movement of funds to other parties and/or the access to customer information, as defined previously, is “high-risk” necessitating stronger authentication or additional controls.

Q-2      What does the guidance mean when it refers to “layered security or other controls reasonably calculated to mitigate those risks?”

A-2      The term “layered security” includes other risk-mitigating controls that would not strictly be considered multifactor authentication.  The reference to “other controls” includes other mitigating controls that exist today or that may be introduced in the future.

D.      Risk Assessment

Q-1      What type of documentation is contemplated for the risk assessment?  Do the Agencies have a template that financial institutions should use?

A-1      The guidance is not specific in this regard and the Agencies do not have a template for such risk assessments.  However, financial institutions seeking general information on risk assessments may refer to the Small Entity Compliance Guide for the Interagency Guidelines Establishing Information Security Standards and the FFIEC IT Examination Handbook, Information Security Booklet.

Q-2      Can a financial institution rely on its Internet banking system provider to perform the risk assessment?

A-2      Yes, however, the institution is ultimately responsible for managing risk and should perform appropriate due diligence as required when selecting a service provider. The institution may accept a risk assessment performed by the service provider after the institution has ensured that the assessment is accurate and the solutions are sufficient to mitigate the risks to the financial institution and its customers.

Q-3      Does the guidance provide that financial institutions will assess the risks regarding authentication on a yearly basis?

A-3      No, however the Interagency Guidelines Establishing Information Security Standards require that an institution’s information security program be monitored, evaluated, and adjusted as appropriate in light of changes in technology, the sensitivity of customer information, internal and external threats to information, the institution’s changing business arrangements, and changes to customer information systems.  These same criteria apply to re-evaluating the institution’s Internet banking controls.

Q-4      Can a financial institution forgo the risk assessment and move immediately to implement additional authentication controls?

A-4      No, because the guidance is risk-based, a risk assessment that sufficiently evaluates the risks and identifies the reasons for choosing a particular control should be completed.

Q-5      Should the risk assessment specifically consider the risks of phishing, pharming, and malware?

A-5      Yes, these are some of the vulnerabilities that are specifically mentioned in the guidance. Other factors appropriate for consideration in the risk assessment include reputation risk, harm to the customer, transaction risk, and other reasonably foreseeable threats.

E.      Customers

Q-1      May an institution permit customers to “opt-out” of additional authentication controls?

A-1      No, the Agencies believe that permitting customers to opt-out is not an effective risk mitigation strategy and would undermine the effectiveness of the control.  In addition, this would not address reputation risk to the institution.  However, an institution may permit customers to choose between different authentication options provided the options offered are consistent with the guidance.

Q-2      The guidance also discusses a customer awareness program that includes periodic evaluations.  How do the Agencies envision that this would be implemented?

A-2      An institution may implement a customer awareness program in a number of ways, including making information available on the institution’s website, in statement stuffers or other direct mail communication, or at branch offices.  The institution may track the number of times customers click on an information security hotlink or the amount of written material disseminated.  The Agencies understand that institutions cannot force customers to access or read such information.

F.      Technology Service Providers

Q-1      Will the Agencies assess the progress of technology service providers prior to year-end 2006?

A-1      The Agencies are assessing efforts being made by technology service providers to conform with the guidance as part of the ongoing interagency supervisory process.

Q-2      Should an institution rely on the authentication technique chosen by its service provider?

A-2      The institution remains ultimately responsible for the adequate authentication of transactions involving access to customer information or movement of funds to other parties.  This responsibility includes ensuring that the authentication techniques chosen by its service providers are appropriate for the institution’s services.

G.      Appendix

Q-1      Would two-factor authentication include using two of the same type of factor (e.g., two different passwords) if they are used at different points in the applications?

A-1      By definition, true multifactor authentication requires the use of solutions from two or more of the three categories of factors.  Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication.

Q-2      Is a user logon ID considered one of the factors in multifactor authentication?

A-2      No, because user logon IDs are not secret.

Q-3      Are there authentication methods that an institution can implement without customer involvement?

A-3      An institution can implement authentication controls with varying degrees of customer involvement.  Some solutions can be implemented with virtually no customer interaction while others require significantly more.
