Highlights:
- In 2005, the FFIEC issued guidance entitled Authentication in an
  Internet Banking Environment.
- This FFIEC guidance supplements the FDIC's supervisory expectations
  regarding customer authentication, layered security, and other controls in
  an increasingly hostile online environment.
- The FDIC expects institutions to upgrade their controls for high-risk online
  transactions through:
  - Yearly risk assessments;
  - For consumer accounts, layered security controls;
  - For business accounts, layered security controls consistent with the
    increased level of risk posed by business accounts; and
  - More active consumer awareness and education efforts.
- Layered security controls should include processes to detect and respond to
  suspicious or anomalous activity and, for business accounts, administrative
  controls.
- Certain types of device identification and challenge questions should no
  longer be considered effective controls.
Suggested Distribution:
FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing:
Chief Executive Officer
Chief Information Security Officer
Related Topics:
- FIL-103-2005, Authentication in an Internet Banking Environment, October 12, 2005
Attachment:
FFIEC Supplement to Authentication in an Internet Banking Environment - PDF
Contact:
Jeffrey Kopchik, Senior Policy Analyst, at jkopchik@fdic.gov or (703) 254-0459
Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web
site at www.fdic.gov/news/news/financial/2010/index.html.
To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.
Paper copies of FDIC Financial Institution Letters may be obtained through the
FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA
22226 (1-877-275-3342 or 703-562-2200).