FRB: Supervisory Letter SR 05-19 on interagency guidance on Authentication in an Internet Banking Environment -- October 13, 2005

BOARD OF GOVERNORS

OF THE

FEDERAL RESERVE SYSTEM

WASHINGTON, D. C. 20551

DIVISION OF BANKING
SUPERVISION AND REGULATION

SR 05-19
October 13, 2005

TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISORY AND EXAMINATION STAFF AT EACH FEDERAL RESERVE BANK, AND TO BANKING ORGANIZATIONS SUPERVISED BY THE FEDERAL RESERVE

SUBJECT: Interagency Guidance on Authentication in an Internet Banking Environment

The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance titled Authentication in an Internet Banking Environment. This guidance updates and replaces the FFIEC's Authentication in an Electronic Banking Environment issued in 2001 and specifically addresses the need for risk-based assessments, customer awareness, and security measures to reliably authenticate customers accessing financial institutions' Internet-based services. The guidance also emphasizes that the agencies consider single-factor authentication, if it is the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

This guidance applies to both retail and commercial customers and does not endorse any particular technology. Financial institutions should use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a technology service provider. Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.

Consistent with the FFIEC's Information Security Booklet (December 2002), which is incorporated in the Information Technology Examination Handbook, financial institutions should periodically:

Ensure that their information security programs:
- Identify and assess the risks associated with the full range of Internet-based products and services,
- Identify risk mitigation actions, including appropriate measures to verify and authenticate customers, and
- Measure and evaluate customer awareness efforts;
Establish, evaluate, and adjust, as appropriate, their information security programs in light of any relevant changes in technology, the sensitivity of their customer information, and internal or external threats to information; and
Implement appropriate risk mitigation strategies.

Examiners should begin to assess financial institutions' progress in meeting the expectations outlined in the guidance and thereafter monitor ongoing conformance as needed during the risk-focused examination process. Financial institutions will be expected to have achieved conformance with the guidance by year-end 2006. Examiners should document situations where financial institutions have not achieved conformance with the guidance by that time.

Federal Reserve Banks are asked to distribute this letter and the interagency guidance to banking organizations supervised by the Federal Reserve, as well as to their supervisory and examination staff. If you have any questions concerning this guidance, please contact Stacy Coleman, Assistant Director, Operational and IT Risk Section, at (202) 452-2934 or Elton Hill, Senior Supervisory Financial Analyst, at (202) 452-2514.

Richard Spillenkothen
Director

Attachment:: Authentication in an Internet Banking Environment (1,073 KB PDF)
Federal Financial Institutions Examination Council (FFIEC)
Supersedes:: FFIEC Guidance on Authentication (SR 01-20 (SUP))

SR letters | 2005

Home | Banking information and regulation
Accessibility | Contact Us
Last update: February 21, 2006