|
 |
 |
 |
 |
|
In October 2005, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Internet Banking Environment (guidance) . The guidance focuses on the risks of fraud and identity theft associated with Internet banking activities. The guidance states that financial institutions should perform a risk assessment, identify and strengthen control weaknesses, measure and evaluate customer awareness efforts, and implement any necessary corrective actions. National banks are expected to have achieved conformance with the guidance by year-end 2006. It is anticipated that there will be increased activity by fraudsters to send false communications with the intent of obtaining customer information for the purposes of fraud and identity theft. These communications may attempt to exploit the December 31, 2006, conformance date. For example, communications purporting to be from a national bank could inform customers that, due to the FFIEC guidance, the bank is required to change its security procedures and, as a result, request customers to re-register or provide personal information that would enable the bank to comply with the regulatory requirement.
The Office of Thrift Supervision (OTS), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency have issued the attached FAQs to assist you and your technology service providers to conform with the Federal Financial Institutions Examination Council's (FFIEC's) guidance entitled Authentication in an Internet Banking Environment (the guidance) issued on October 12, 2005.
Purpose The staffs of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the Agencies) have jointly developed the attached frequently asked questions (FAQs) to assist financial institutions and their technology service providers in understanding the Federal Financial Institutions Examination Council's (FFIEC's) guidance entitled Authentication in an Internet Banking Environment (the guidance). Overview The guidance, issued on October 12, 2005, updates the FFIEC's guidance entitled Authentication in an Electronic Banking Environment issued in 2001. It addresses the need for risk based assessments, customer awareness, and enhanced security measures to authenticate customers using Internet-based products and services that process high risk transactions involving access to customer information or the movement of funds to other parties. The attached FAQs are a representation of questions the Agencies have received from financial institutions, Agency examiners, and technology service providers and they address the scope of the guidance, risk assessments, the time frame for implementation, and other issues.
Federally Insured Credit Unions are increasingly offering a variety of Internet banking services ranging from simple inquiry to complex e-Commerce activities for their members. In parallel, the number of members using transactional sites grew significantly. As e-Commerce services increase in volume and complexity, criminals are using more sophisticated methods for account fraud and identity theft. You should become more diligent to safeguard member information, to prevent money laundering and terrorist financing, to reduce fraud, and to inhibit identity theft. One of the effective security measures to mitigate these risks is to implement an effective and reliable authentication system. Authentication is the process of verifying a member’s identity using a variety of methodologies and technologies before the member gains access to the system. It is a way to ensure members are who they say they are. A single-factor authentication such as user name and password used as a security control mechanism may not be adequate for high-risk transactions involving access to member information or fund transfers.
The purpose of this bulletin is to provide banks with guidance on how to respond to incidents of Web-site spoofing. The bulletin addresses procedures banks can implement to mitigate the risks to themselves and their customers by detecting and responding to Web-site spoofing. It also identifies the types of information banks can provide to law enforcement authorities to assist in investigating illegal activities. This bulletin expands on OCC Alert 2003-11, “Customer Identity Theft: E-mail-Related Fraud Threats,” September 12, 2003.
The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information.
Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
|
||||||||||||||||||||||||||||||||||||||||||||||
RSS Syndication