The Federal Financial Institutions Examination Council (“FFIEC”) has issued a supplement to its guidance entitled Authentication in an Internet Banking Environment, first issued in October 2005 (the “2005 Guidance”). The supplementary guidance issued on June 28 reinforces the risk-management framework described in the 2005 Guidance and updates the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security and other controls in what the FFIEC describes as an increasingly hostile online environment. The FFIEC noted that customers and financial institutions have experienced substantial losses from online account takeovers. The supplementary guidance emphasizes the need for performing risk assessments, implementing effective strategies for mitigating identified risks and raising customer awareness of potential risks. The new guidance recommends that institutions review and update their risk assessments at least every 12 months and consider factors such as changes in the customer base using Internet banking, changes in the functionality offered through Internet banking and actual incidents of security breaches, identity theft or fraud. The FFIEC said that its member agencies have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplementary guidance beginning in January 2012.
Nutter Notes: The 2005 Guidance provides that depository institutions should use effective methods to authenticate the identity of Internet banking customers and that the techniques employed should be “commensurate with the risks associated with the products and services offered and the protection of sensitive customer information.” The 2005 Guidance provides minimum supervisory expectations for effective authentication controls applicable to high-risk online transactions involving access to customer information or the movement of funds to other parties. The 2005 Guidance also provides that institutions should perform periodic risk assessments and adjust their control mechanisms as appropriate in response to changing internal and external threats. The appendix attached to the new supplementary guidance contains a discussion of online threats and control methods that should be considered when performing a risk assessment of customer authentication controls. The supplementary guidance also discusses the effectiveness of certain methods of customer authentication. For example, the guidance warns that simple device identification, such as a “cookie” loaded on the customer’s personal computer, is less secure than other methods. According to the new guidance, the FFIEC member agencies no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.