SR 11-9:

Interagency Supplement to Authentication in an Internet Banking Environment

BOARD OF GOVERNORS
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF BANKING
SUPERVISION AND REGULATION

SR 11-9
June 29, 2011

TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISORY AND EXAMINATION STAFF AT EACH FEDERAL RESERVE BANK

SUBJECT:

Interagency Supplement to Authentication in an Internet Banking Environment

The Federal Reserve Board, together with the other members of the Federal Financial Institutions Examination Council (FFIEC) (collectively, the agencies), has issued the attached guidance titled "Supplement to Authentication in an Internet Banking Environment" (Supplement), which supplements the similarly titled guidance issued by the FFIEC in 2005. Given heightened and evolving cyber threats in the online environment, the Supplement reinforces the original risk-management framework guidance and updates the agencies’ expectations for supervised financial organizations regarding customer authentication, layered security, and other controls. Going forward, organizations supervised by the agencies should look to both the 2005 FFIEC authentication guidance and this Supplement to understand the agencies’ risk-management expectations for controls within Internet and other electronic banking environments.

In brief, the Supplement is intended to enhance supervised organizations’ Internet banking control environments. Accordingly, the Supplement clarifies and increases supervisory expectations in the areas of online activity risk assessments, customer authentication, layered security controls, and customer awareness and education programs. Most importantly, the Supplement outlines an expectation that organizations implement layered security for "high-risk" transactions, including the capability to identify and respond to suspicious or anomalous authentication and transaction requests.

The Supplement and the 2005 guidance address banking organizations’ online banking activities for both consumer and commercial customers, neither prescribe nor endorse any particular technology, discourage overreliance on any single control mechanism, and apply whether the organization offers such services through an in-house platform, using purchased or self-developed applications, or through a technology service provider. Further, the expectations contained in these releases represent risk-management guidance intended to improve the baseline security posture of institutions with routine online banking activities. The individual expectations in the guidance are not explicit mandates; institutions with low or limited risk in their online activities may demonstrate satisfactory risk management through the deployment of other compensating controls.

Federal Reserve examiners should assess state-member banks and bank holding companies under the enhanced expectations outlined in the Supplement beginning in 2012 within the risk-focused supervision process. Until that time, examiners should begin to assess these organizations’ plans and progress in meeting the enhanced expectations.

The agencies plan to conduct interagency examiner training relative to this Supplement in the near term. Federal Reserve Banks are asked to distribute this letter and the Supplement to banking organizations supervised by the Federal Reserve, as well as to their examination staff. Any questions regarding this supplement or the original FFIEC guidance should be directed to Adrienne Haden, Assistant Director, Operational and IT Risk Policy, at (202) 452-2058, or Brad Beytien, Manager, Operational and IT Risk Policy, at (202) 452-3759. In addition, questions may be sent via the Board’s public website.1

signed by
Patrick M. Parkinson
Director
Division of Banking
Supervision and Regulation

Cross References:
  • SR 05-19, "Interagency Guidance on Authentication in an Internet Banking Environment"
Last Update: August 19, 2011