FFIEC releases its FAQ finally, but still unclear

Now that it's here, the document is less than clear about two-factor authentication.

ffiec_frequently-asked-questions.pdf
Finextra: analysis – Online banking security FAQs

The Federal Financial Institutions Examination Council (FFIEC) has released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005. The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services.

The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

In fact, this statement is quite different from what was expected (my emphasis):

A-11- Single-factor authentication alone would be adequate for electronic banking applications that do not process high-risk transactions, e.g., systems that do not allow funds to be transferred to other parties or that do not permit access to customer information.

But then it goes on to say inaction is not adequate:

Q-1- May an institution permit customers to “opt-out” of additional authentication controls?

A-1- No, the Agencies believe that permitting customers to opt-out is not an effective risk mitigation strategy and would undermine the effectiveness of the control. In addition, this would not address reputation risk to the institution. However, an institution may permit customers to choose between different authentication options provided the options offered are consistent with the guidance.
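To make the two answers concrete, here is an added example (my own code, not anything from the FFIEC document or the FAQ) of a risk-based step-up policy: single-factor login is enough for low-risk actions (A-11), a high-risk action such as a funds transfer triggers step-up, and the customer may choose which compliant second factor to present but cannot opt out (A-1). The factor names, the list of high-risk actions, and the rule that a second factor must come from a different category (knowledge, possession, inherence) are assumptions constructed for this example.

```python
"""Risk-based step-up authentication policy (added example, not FFIEC text).

Assumptions not taken from the FAQ: the factor names, the set of actions
treated as high-risk, and the rule that "multi-factor" means factors from at
least two distinct categories (knowledge, possession, inherence).
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable


class Factor(Enum):
    PASSWORD = "password"          # something the customer knows
    HARDWARE_OTP = "hardware_otp"  # something the customer has
    SMS_OTP = "sms_otp"            # something the customer has (weaker, still possession)
    FINGERPRINT = "fingerprint"    # something the customer is


# Category of each factor. Two factors from the same category do not add up
# to a second factor: password + security question is still single-factor.
CATEGORY = {
    Factor.PASSWORD: "knowledge",
    Factor.HARDWARE_OTP: "possession",
    Factor.SMS_OTP: "possession",
    Factor.FINGERPRINT: "inherence",
}

# Constructed list modelled on A-11's examples of high-risk transactions:
# moving funds to other parties or exposing customer information.
HIGH_RISK_ACTIONS = frozenset({"transfer_funds", "add_payee", "view_customer_info"})


def required_categories(action: str) -> int:
    """A-11: one factor suffices for low-risk actions; high-risk needs two categories."""
    return 2 if action in HIGH_RISK_ACTIONS else 1


def categories_of(factors: Iterable[Factor]) -> FrozenSet[str]:
    """Distinct factor categories represented in `factors`."""
    return frozenset(CATEGORY[f] for f in factors)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    # Enrolled factors the customer may choose between to complete step-up.
    # A-1: choice among compliant options is fine; opting out entirely is not.
    step_up_options: FrozenSet[Factor]


def authorize(action: str, verified: Iterable[Factor], enrolled: Iterable[Factor]) -> Decision:
    """Decide whether `action` may proceed with the factors verified so far.

    There is deliberately no opt-out parameter: a customer preference to skip
    additional controls is not an input to this decision.
    """
    verified = frozenset(verified)
    enrolled = frozenset(enrolled)
    needed = required_categories(action)
    have = categories_of(verified)
    if len(have) >= needed:
        return Decision(True, f"{len(have)} category(ies) verified, {needed} required", frozenset())
    # Step-up: offer only enrolled factors from categories not yet verified,
    # so the customer cannot "step up" with a second knowledge factor.
    options = frozenset(f for f in enrolled if CATEGORY[f] not in have)
    if options:
        return Decision(False, "step-up required: present one of the offered factors", options)
    return Decision(False, "step-up required but no eligible factor enrolled: enrol first", frozenset())


if __name__ == "__main__":
    enrolled = [Factor.PASSWORD, Factor.HARDWARE_OTP, Factor.FINGERPRINT]
    print(authorize("view_balance", [Factor.PASSWORD], enrolled))
    print(authorize("transfer_funds", [Factor.PASSWORD], enrolled))
    print(authorize("transfer_funds", [Factor.PASSWORD, Factor.FINGERPRINT], enrolled))
```

The design point is that the policy decides per action, not per session: a customer who logged in with a password alone is still served for balance enquiries, and the second factor is demanded only when a high-risk transaction is attempted, which is the reading of A-11 the post is puzzling over. The one thing the function will never return is "allowed because the customer asked not to be challenged".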

Relevance to Bankwatch:
The FFIEC has left it to banks to assess the risks associated with their online banking activities and to choose their authentication model accordingly. While there is no required documentation, inaction is not acceptable.
