Page 7 Volume 8, Issue 3
Internet banking guidance affects state examinations
The Bank Department’s Information Systems examination group is developing examination procedures in response to the supplemental guidance on Internet banking authentication.
A supplement to the “Authentication in an Internet Banking Environment” guidance was issued on June 28, 2011, by the Federal Financial Institutions Examination Council (FFIEC).
The guidance was issued in October 2005. The purpose of the supplement is to reinforce the risk management framework described in the original guidance.
In addition, the supplement is intended to update the supervisory expectations of the FFIEC member agencies “regarding customer authentication, layered security, or other controls in the increasingly hostile online environment,” the supplement states.
Those agencies include the Federal Deposit Insurance Corporation, Federal Reserve Board of Governors, National Credit Union Administration and Office of the Comptroller of the Currency.
The State Liaison Committee, which includes a representative from the Conference of State Bank Supervisors, is a voting member of the FFIEC Council.
The FFIEC member agencies have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012, the FFIEC states in a news release dated June 28.
“The Bank Department plans to implement procedures at Information Systems examinations that reflect these enhanced expectations,” said Jeff Cameron, supervisor of the agency’s Information Systems group.
The 2005 guidance provided a risk management framework for financial institutions offering Internet-based products and services to their customers. The guidance stated that institutions should use effective methods - commensurate with risks associated with their Internet-based offerings - to authenticate the identity of customers.
The guidance provided minimum supervisory expectations, stating that institutions should perform periodic risk assessments and adjust their control mechanisms in response to changing internal and external threats.
The supplement reiterates and reinforces the expectations described in the 2005 guidance.
The supplement stresses the need for performing risk assessments, implementing effective strategies for mitigating identified risks and raising customer awareness of potential risks. However, the supplement does not endorse any specific technology for doing so.
The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers, both of whom have experienced substantial losses from on-line account takeovers, the FFIEC states in the news release.
Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions’ electronic agreements and transactions, the FFIEC adds.
A copy of the supplement is located on the FFIEC Web site at:
September 30, 2011 Tom Field
Site dedicated as resource for guidance
On-line publisher Information Security Media Group has launched FFIEC Authentication Guidance, a “microsite” dedicated to providing in-depth news and views on the supplemental guidance issued on Internet banking.
The site represents the launch of Information Security Media Group’s first Resource Center, according to an article published June 15, 2011, on the company’s BankInfoSecurity Web site.
“The banking industry has never seen a greater need for new guidance on authentication, layered security and customer awareness,” said Tom Field, editorial director of Information Security Media Group.
There is a link to the Resource Center on BankInfoSecurity’s Web site at:
See RESOURCE, Page 8