Board of Governors of the Federal Reserve System

Supervision and Regulation Letters

SR 11-9

Interagency Supplement to Authentication in an Internet Banking Environment

June 29, 2011

BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C.  20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISORY AND EXAMINATION STAFF AT EACH FEDERAL RESERVE BANK
SUBJECT:   Interagency Supplement to Authentication in an Internet Banking Environment
The Federal Reserve Board, together with the other members of the Federal Financial Institutions Examination Council (FFIEC) (collectively, the agencies), has issued the attached guidance titled "Supplement to Authentication in an Internet Banking Environment" (Supplement), which supplements the similarly titled guidance issued by the FFIEC in 2005. Given heightened and evolving cyber threats in the online environment, the Supplement reinforces the original risk-management framework guidance and updates the agencies' expectations for supervised financial organizations regarding customer authentication, layered security, and other controls. Going forward, organizations supervised by the agencies should look to both the 2005 FFIEC authentication guidance and this Supplement to understand the agencies' risk-management expectations for controls within Internet and other electronic banking environments.

In brief, the Supplement is intended to enhance supervised organizations' Internet banking control environments. Accordingly, the Supplement clarifies and increases supervisory expectations in the areas of online activity risk assessments, customer authentication, layered security controls, and customer awareness and education programs. Most importantly, the Supplement outlines an expectation that organizations implement layered security relative to "high-risk" transactions, including the capability to identify and respond to suspicious or anomalous authentication and transaction requests.

The Supplement and the 2005 guidance address banking organizations' online banking activities relative to both consumer and commercial customers, neither prescribe nor endorse any particular technology, discourage overreliance on any single control mechanism, and are applicable whether the organization offers such services through an in-house platform, using purchased or self-developed applications, or through a technology service provider. Further, the expectations contained in these releases represent risk-management guidance intended to improve the baseline security posture of institutions with routine online banking activities. The individual expectations in the guidance are not explicit mandates; institutions with low or limited risk in their online activities may demonstrate satisfactory risk management through the deployment of other compensating controls.

Federal Reserve examiners should assess state member banks and bank holding companies under the enhanced expectations outlined in the Supplement beginning in 2012 within the risk-focused supervision process. Until that time, examiners should begin to assess these organizations' plans and progress in meeting the enhanced expectations.

The agencies plan to conduct interagency examiner training relative to this Supplement in the near term. Federal Reserve Banks are asked to distribute this letter and the Supplement to banking organizations supervised by the Federal Reserve, as well as to their examination staff. Any questions regarding this Supplement or the original FFIEC guidance should be directed to Adrienne Haden, Assistant Director, Operational and IT Risk Policy, at (202) 452-2058, or Brad Beytien, Manager, Operational and IT Risk Policy, at (202) 452-3759. In addition, questions may be sent via the Board's public website.

signed by
Patrick M. Parkinson
Director
Division of Banking
Supervision and Regulation


Cross References:
  • SR 05-19, "Interagency Guidance on Authentication in an Internet Banking Environment"
Last update: August 19, 2011