Supervision and Regulation Letters
Interagency Supplement to Authentication in an Internet Banking Environment
SUPERVISION AND REGULATION
SUBJECT: Interagency Supplement to Authentication in an Internet Banking Environment
In brief, the Supplement is intended to enhance supervised organizations' Internet banking control environments. Accordingly, the Supplement clarifies and increases supervisory expectations in the areas of online activity risk assessments, customer authentication, layered security controls, and customer awareness and education programs. Most importantly, the Supplement outlines an expectation that organizations implement layered security relative to "high-risk" transactions, including the capability to identify and respond to suspicious or anomalous authentication and transaction requests.
The Supplement and the 2005 guidance address banking organizations' online banking activities relative to both consumer and commercial customers, neither prescribe nor endorse any particular technology, discourage overreliance on any single control mechanism, and are applicable whether the organization offers such services through an in-house platform, using purchased or self-developed applications, or through a technology service provider. Further, the expectations contained in these releases represent risk-management guidance intended to improve the baseline security posture of institutions with routine online banking activities. The individual expectations in the guidance are not explicit mandates; institutions with low or limited risk in their online activities may demonstrate satisfactory risk management through the deployment of other compensating controls.
Federal Reserve examiners should assess state-member banks and bank holding companies under the enhanced expectations outlined in the Supplement beginning in 2012 within the risk-focused supervision process. Until that time, examiners should begin to assess these organizations' plans and progress in meeting the enhanced expectations.
The agencies plan to conduct interagency examiner training relative to this Supplement in the near term. Federal Reserve Banks are asked to distribute this letter and the Supplement to banking organizations supervised by the Federal Reserve, as well as to their examination staff. Any questions regarding this Supplement or the original FFIEC guidance should be directed to Adrienne Haden, Assistant Director, Operational and IT Risk Policy, at (202) 452-2058, or Brad Beytien, Manager, Operational and IT Risk Policy, at (202) 452-3759. In addition, questions may be sent via the Board's public website.1
Patrick M. Parkinson
Division of Banking Supervision and Regulation