Federal Financial Institutions Examination Council
For Immediate Release
October 12, 2005
FFIEC Releases Guidance on Authentication in Internet Banking Environment
The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies.
The continued growth of Internet banking and other forms of electronic banking activities and the increased sophistication of threats to those environments have resulted in higher risks for financial institutions and their customers. An effective authentication system is necessary for financial institutions' compliance with requirements to safeguard customer information; to prevent money laundering and terrorist financing; to reduce fraud and the theft of sensitive customer information, often the precursor to identity theft; and to promote legal enforceability of financial institutions' electronic agreements and transactions.
This guidance, which replaces the FFIEC's Authentication in an Electronic Banking Environment issued in 2001, does not endorse any particular technology. This guidance specifically addresses the need for risk-based assessment, customer awareness, and financial institutions' implementation of appropriate risk mitigation strategies including security measures to reliably authenticate customers accessing their financial institutions' Internet-based services.
The guidance is divided into two parts. The main portion of the guidance provides financial institutions with guidance on authentication and discusses appropriate risk assessments, customer authentication, verification of new customers, and monitoring and reporting. An appendix provides more detail about various authentication technologies.
The agencies' transmittal documents accompanying the guidance contain a consistent timeframe for financial institutions to achieve conformance. In light of the catastrophic events associated with recent natural disasters, namely Hurricanes Katrina and Rita, affected financial institutions will face many challenges during the recovery process. These challenges may affect their ability to conform to the guidance within the specified time frame. Affected financial institutions will be afforded an extension, when circumstances warrant, for achieving conformance with the guidance.
A copy of the guidance is attached (PDF).
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The Council has five member agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.