Add to collection(s) Add to saved
  1. Business

Financial Institutions FFIEC Issues New Guidance on Authentication in Online Transactions

NOVEMBER 2005
Financial Institutions
FFIEC Issues New Guidance on Authentication
in Online Transactions
SUMMARY
On October 12, 2005, the Federal Financial
Institutions Examination Council (“FFIEC”)1 issued
guidance entitled Authentication in an Electronic
Banking Environment regarding authentication of
customers in online financial transactions. This guidance updates guidance issued in 2001 and states three
essential points:
■
■
■
Single-factor authentication, as the only control
mechanism, is considered inadequate for highrisk transactions involving access to customer
information or the movement of funds to other
parties;
The authentication techniques employed by the
financial institution should be appropriate to the
risks associated with the involved products and
services; and
Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions should implement multi-factor
authentication, layered security, or other controls
reasonably calculated to mitigate those risks.
The new guidance requires compliance by December
31, 20062. Many financial institutions offer their customers the ability to perform online transactions
using only single-factor authentication. Thus, banks
and other affected financial institutions face a delicate balancing act—strengthening their authentication processes while maintaining the user-friendliness
of their online facilities and containing costs.
The FFIEC identifies three factors as driving the need
for new guidance: legal and technological changes
regarding the protection of customer information;
increasing incidents of fraud, including identity theft;
and improved authentication technologies.
While FFIEC guidance is neither law nor regulation,
it determines the standards by which certain financial
institutions are examined by regulators. Institutions
that are found not to comply with FFIEC standards
can be sanctioned by their regulators.
The new FFIEC guidance builds on a study issued by
the Federal Deposit Insurance Corporation in
December 2004 entitled “Putting an End to AccountHijacking Identity Theft,” and supplemented by a
February 2005 addendum.
WHAT IS AUTHENTICATION?
In general, “authentication” refers to any process,
either online or offline, by which one party determines whether the other party is who the other party
claims to be. A common example is the use of a user
ID and password that are known only to the customer
and the financial institution. There are three basic
categories or factors of authentication:
■
Something a person knows (e.g., a secret password, PIN, or other private information);
■
Something a person has (e.g., an ATM card,
facility access card or USB plug-in token); or
■
Something a person is (e.g., fingerprints, retinal
scans and other biometric data).
1
The FFIEC is composed of the Board of Governors of the Federal Reserve BoardSystem, the Federal Deposit Insurance Corporation,
the Office of the Comptroller of the Currency , the Office of Thrift Supervision, and the National Credit Union Administration. The
FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the
supervision of financial institutions.
2
See FDIC FIL-103-2005 and OCC Bulletin 2005-35, both also dated October 12, 2005.
Kirkpatrick & Lockhart Nicholson Graham
LLP
An authentication process that requires the entry of
only a user ID and password is commonly referred to
as “single-factor” authentication because both of its
elements are things that the person knows. ATM
transactions commonly require two-factor authentication because they require the use of an ATM card
(something the person has) and a PIN (something a
person knows).
While the terms “single-factor” and “two-factor” (as
well as “double-factor” and “multi-factor”) are generally used as just mentioned, “multi-factor authentication” is also sometimes used to refer to authentication
based solely on layers of a single category (such as
what a person knows), if the different layers are
implemented in different ways. Examples are:
■
Reverse Authentication is a process by which the
person being authenticated also authenticates the
identity of the financial institution. For instance,
a customer might select an image when he or she
signs up for online services, and then during a
sign-in process that image is displayed to the
customer to provide assurance that the website
really is the financial institution’s site, rather
than a spoofed, fraudulent site. The customer in
effect supplies two things that the customer
knows: the customer’s ID and the customer’s
recognition of the image.
OTHER CONTROLS
The new FFIEC guidance is not focused exclusively
on authentication. It explicitly refers to “other controls reasonably calculated to mitigate” the new risks
associated with online transactions. An example of
another control is an automated process by which
information is encoded as it is entered. At least one
major online bank has introduced a process whereby
the customer is presented with numbers on a virtual
keypad that also features letters. The customer must
use a mouse to click on the numbers of the customer’s PIN, which generates a letter code that is
communicated to the server. The precise letters associated with each number change constantly and are
synchronized with the server, the result being that
although the customer enters the same information
each time (i.e., his or her PIN), the actual data passing between the customer’s computer and the bank’s
server is a constantly changing passcode. While the
information being entered is authentication information, the essential effect of this process is to reduce
the likelihood that the customer’s PIN will be captured in transmission.
APPROACH
The FFIEC expects each financial institution to
approach compliance with the new guidance in three
stages:
■
Out-of-Band Authentication is authentication by
a separate communication channel, other than
the one on which a transaction is initiated. An
example of out-of-band authentication is an
automated telephone call to a customer being
generated during an online authentication
process.
■
Identify and assess the risks associated with its
Internet-based products and services. Risks
should be evaluated in light of the type of customer, the customer’s transactional capabilities,
the sensitivity of customer information, the ease
of using the communication method and the volume of transactions.
■
Challenge and response regarding the customer’s identifying information. Examples are
queries regarding last 4 digits of the customer’s
social security number or date of birth.
■
■
Challenge and response regarding information
supplied by the customer. Examples are queries
regarding pet’s name, name of high school or
color of first car.
Assess the adequacy of authentication techniques and adjust its information security program in light of any relevant changes in technology, the sensitivity of its customer information,
new or changing risks and the evolving sophistication of compromise techniques, and other
internal or external threats to information.
■
Implement appropriate risk mitigation strategies.
These processes actually do not employ separate
authentication factors, but they can serve the same
purpose as multi-factor authentication. In this regard
the exact terminology is less important than whether
the total process produces a clear differential in the
strength of the authentication versus basic, singlefactor authentication.
2 NOVEMBER 2005
POSSIBLE RISK MITIGATION STRATEGIES
The following are three general strategies that financial institutions can use to meet the FFIEC’s new
standards for online authentication:
■
Uniform procedures that require multi-factor
authentication for all online customers, regardless of the type of transaction the user accesses
the website to perform.
KIRKPATRICK & LOCKHART NICHOLSON GRAHAM LLP
■
“Zone” based authentication. Under this
approach, accessing informational features or
account balances requires minimal authentication, accessing customer profile information or
paying bills require a higher level of authentication, and fund transfers to third parties or
account liquidation require the highest level of
authentication.
■
Per-transaction risk assessment. This approach
uses sophisticated software to assess the risk
index associated with each individual transaction
in real time and assign a degree of authentication
based on a risk score.
Each of these strategies has its relative costs and benefits. Uniform procedures could result in an
increased burden on customers who use online services only or principally for low-risk transactions such
as checking account balances or interest rates. Zone
based authentication may provide an easier sign-on
process for customers seeking only information, but
may require costly partitioning and re-programming
of online services. Per-transaction risk assessments
are likely to produce the most user-friendly customer
experience, but require the use of expensive software
and may result in banks’ dependence on particular
software vendors.
POSSIBLE OUTCOMES
Anecdotal evidence suggests that U.S. banks may
resist implementing authentication processes that are,
strictly speaking, two-factor authentication because
of the relatively higher costs associated with tokens
and biometrics. Instead, banks may rely more heavily on multiple layers of a single type of authentication—what the customer knows. Reverse authentication and out-of-band authentication may increase in
popularity because they also rely on what the customer knows and thus do not require additional hardware.
Per-transaction risk assessment software may ultimately be adopted on a widespread basis because it
offers the greatest flexibility and promises to reduce
the burden on the customer to the greatest degree
possible. It is also significantly less expensive than
distributing tokens to an entire customer base, capturing biometric data for an entire customer base,
deploying all the associated new hardware, and
administering both systems. Biometrics may also not
be widely adopted because of a concern that customers may perceive such measures as onerous or
invasive and gravitate to other financial institutions
that do not require such procedures.
3 NOVEMBER 2005
Finally, it seems likely that, as multi-factor authentication becomes more prevalent in the financial services industry under regulatory compulsion, these
processes will become more widespread in other
industries and in the lives of Americans generally.
While initially required only of entities regulated by
FFIEC member agencies, these procedures seem likely eventually to be expected of other types of financial institutions (for instance, broker-dealers or insurers).
IMPLEMENTING THE LEGAL ASPECTS
When financial institutions implement multi-factor
authentication, attention should be paid to legal considerations such as the following:
Acquiring New Technologies. When new authentication technologies are acquired, the related purchase or
licensing agreements provide an opportunity for institutions to consider and allocate some of the new
types of risks associated with those technologies. For
example, biometric technologies, which require the
capture and storage of new identifying data, may justify special terms regarding warranties, security controls and allocation of liability in the event of service
failures.
Customer Service Agreements. Existing customer
service agreements may require amendment in order
to obtain the consent of customers to the new authentication methods. In addition, terms addressing limitations of liability should be examined in order to
confirm that those terms work effectively with the
potential liabilities presented by the new authentication technologies.
Privacy Policies. Various authentication technologies can involve the capture of additional personal
information or different uses of personal information
that has already been captured and stored by a financial institution. Existing privacy policies may require
revision to accommodate these practices; of course,
these revisions may be accomplished in many
instances concurrently with related customer service
agreement revisions.
Variable Risks. Many institutions adopt a uniform
view of electronic transactions, implementing similar
procedures and authentication controls for transactions with widely varying economic value and risks.
As part of the required risk assessments, financial
institutions may conclude that different website terms
and conditions are appropriate based on the nature of
the transactions with which the new authentication
methods will be employed.
KIRKPATRICK & LOCKHART NICHOLSON GRAHAM LLP
Customer Education. Each new wave of change in
electronic commercial practices causes effective customer education to become a priority. Legal counsel
should work closely with marketing and service
departments to help assure that new authentication
methods are clearly and accurately described and that
related product materials are not misleading or confusing.
Benjamin S. Hayes
bhayes@klng.com
202.778.9884
Henry L. Judy
hjudy@klng.com
202.778.9396
Jeffrey B. Ritter
jritter@klng.com
202.778.9396
If you have questions regarding compliance with the new FFIEC guidance, please don’t hesitate to contact any of the
attorneys listed on this Alert for further information.
BOSTON
John C. Hutchins
Stephen Moore
Stanley V. Ragalevsky
617.951.9165
617.951.9191
617.951.9203
jhutchins@klng.com
smoore@klng.com
sragalevsky@klng.com
HARRISBURG
Raymond P. Pepe
717.231.5988
rpepe@klng.com
LOS ANGELES
William P. Wade
310.552.5071
wwade@klng.com
NEW YORK
Elwood F. Collins
Steven H. Epstein
Lorraine Massaro
Thomas C. Russler
212.536.4005
212.536.4830
212.536.4043
212.536.4068
ecollins@klng.com
sepstein@klng.com
lmassaro@klng.com
trussler@klng.com
PITTSBURGH
Steve J. Adelkoff
Kristen Larkin Stewart
412.355.6325
412.355.8975
sadelkoff@klng.com
kstewart@klng.com
SAN FRANCISCO
Jonathan D. Jaffe
Jonathan D. Joseph
415.249.1023
415.249.1012
jjaffe@klng.com
jjoseph@klng.com
WASHINGTON, DC
Henry L. Judy
Jeffrey B. Ritter
Rebecca H. Laird
Ira L. Tannenbaum
Robert A. Wittie
202.778.9032
202.778.9396
202.778.9038
202.778.9350
202.778.9066
hjudy@klng.com
jritter@klng.com
rlaird@klng.com
itannenbaum@klng.com
rwittie@klng.com
www.klng.com
BOSTON
■
DALLAS
■
HARRISBURG
■
LONDON
■
LOS ANGELES
■
MIAMI
■
NEWARK
■
NEW YORK
■
PALO ALTO
■
PITTSBURGH
■
SAN FRANCISCO
■
WASHINGTON
Kirkpatrick & Lockhart Nicholson Graham (K&LNG) has approximately 1,000 lawyers and represents entrepreneurs, growth and middle market
companies, capital markets participants, and leading FORTUNE 100 and FTSE 100 global corporations nationally and internationally.
K&LNG is a combination of two limited liability partnerships, each named Kirkpatrick & Lockhart Nicholson Graham LLP, one qualified in Delaware,
U.S.A. and practicing from offices in Boston, Dallas, Harrisburg, Los Angeles, Miami, Newark, New York, Palo Alto, Pittsburgh, San Francisco and
Washington and one incorporated in England practicing from the London office.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied
upon in regard to any particular facts or circumstances without first consulting a lawyer.
Data Protection Act 1988—We may contact you from time to time with information on Kirkpatrick & Lockhart Nicholson Graham LLP seminars and with
our regular newsletters, which may be of interest to you. We will not provide your details to any third parties. Please e-mail cgregory@klng.com if you
would prefer not to receive this information.
© 2005 KIRKPATRICK & LOCKHART NICHOLSON GRAHAM LLP. ALL RIGHTS RESERVED.
Related documents
What You Need To Know About Intellectual Property Rights Benefits Advisory Network (BAN)
What You Need To Know About Intellectual Property Rights Benefits Advisory Network (BAN)
CS 2813 - Loyola College
CS 2813 - Loyola College
Name:______key______________________________ Level Security
Name:______key______________________________ Level Security
CCNA Security - Skill Exam 2012
CCNA Security - Skill Exam 2012
Chapter 11 HW
Chapter 11 HW
Download