Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

FFIEC Guidance Authentication in an Internet Banking Environment

Information Technology / Cybersecurity
October 12, 2005


Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

Highlights:
  • Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
  • Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
  • The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
  • Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
  • Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Information Security Officer

  • FIL-66-2005, Guidance on Mitigating Risks From Spyware, issued July 22, 2005
  • FIL-64-2005, Guidance on How Financial Institutions Can Protect Against Pharming Attacks, issued July 18, 2005
  • FIL-27-2004, Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud, issued March 12, 2004
  • FFIEC Information Security Handbook, issued November 2003
  • Interagency Informational Brochure on Phishing Scams, contained in FIL-113-2004, issued September 13, 2004
  • Putting an End to Account- Hijacking Identity Theft, FDIC Study, issued December 14, 2004
  • FDIC Identity Theft Study Supplement on Account-Highjacking Identity Theft, issued June 17, 2005

Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2005/index.html .

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html .

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).



FIL-103-2005
Attachment(s)
FFIEC Guidance: Authentication in an Internet Banking Environment
Contact(s)
Senior Policy Analyst Jeffrey Kopchik at or, or Senior Technology Specialist Robert D. Lee at rolee@fdic.gov, (202) 898-3872

Last Updated: October 12, 2005