Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

FFIEC Supplement to Authentication in an Internet Banking Environment

Information Technology / Cybersecurity
June 29, 2011
Summary: The FDIC, with the other FFIEC agencies, has issued the attached guidance, which describes updated supervisory expectations regarding customer authentication, layered security, and other controls in an increasingly hostile online environment. Financial institutions will be expected to comply with the guidance no later than January 1, 2012.

Statement of Applicability to Institutions with Total Assets under $1 Billion: This Financial Institution Letter applies to all FDIC-supervised institutions offering online banking services.

Highlights:
  • In 2005, the FFIEC issued guidance entitled Authentication in an Internet Banking Environment.
  • This FFIEC guidance supplements the FDIC's supervisory expectations regarding customer authentication, layered security, and other controls in an increasingly hostile online environment.
  • The FDIC expects institutions to upgrade their controls for high-risk online transactions through:
    • Yearly risk assessments;
    • For consumer accounts, layered security controls;
    • For business accounts, layered security controls consistent with the increased level of risk posed by business accounts; and
    • More active consumer awareness and education efforts.
  • Layered security controls should include processes to detect and respond to suspicious or anomalous activity and, for business accounts, administrative controls.
  • Certain types of device identification and challenge questions should no longer be considered effective controls.

Suggested Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Information Security Officer

  • FIL-103-2005 , Authentication in an Internet Banking Environment, October 12, 2005

Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2010/index.html .

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html .

Paper copies of FDIC Financial Institution Letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

FIL-50-2011
Attachment(s)
FFIEC Supplement to Authentication in an Internet Banking Environment
Contact(s)
Jeffrey Kopchik, (703) 254-0459

Last Updated: June 29, 2011