Financial Institution Letter
FIL-103-2005
October 12, 2005
FFIEC GUIDANCE
Authentication in an Internet Banking Environment
Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990
Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
Distribution:
FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing:
Chief Executive Officer
Chief Information Security Officer
Related Topics:
• FIL-66-2005, Guidance on Mitigating Risks From Spyware, issued July 22, 2005
• FIL-64-2005, Guidance on How Financial Institutions Can Protect Against Pharming Attacks, issued July 18, 2005
• FIL-27-2004, Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud, issued March 12, 2004
• FFIEC Information Security Handbook, issued November 2003
• Interagency Informational Brochure on Phishing Scams, contained in FIL-113-2004, issued September 13, 2004
• Putting an End to Account-Hijacking Identity Theft, FDIC Study, issued December 14, 2004
• FDIC Identity Theft Study Supplement on Account-Hijacking Identity Theft, issued June 17, 2005
Attachment:
FFIEC Guidance: Authentication in an Internet Banking Environment
Contact:
Senior Policy Analyst Jeffrey Kopchik at JKopchik@fdic.gov or (202) 898-3872, or Senior Technology Specialist Robert D. Lee at RoLee@fdic.gov or (202) 898-3688
Note:
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/news/financial/2005/index.html.
To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.
Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or 202-416-6940).
Highlights:
• Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
• Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
• The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
• Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
• Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.