The Federal Financial Institutions Examination Council
(FFIEC), noting that security threats continue to mount, has supplemented its 2005
guidance on authenticating the identity of customers who access their
financial accounts online. The supplement addresses minimum authentication
requirements, specific authentication techniques, and recommended review
timelines, customer education, and internal policies and procedures.
The FFIEC continues to endorse multilayer and multifactor
authentication methods for ensuring that the person accessing accounts online
is the customer. However, the supplement, issued June 28, 2011, further
recommends a review of authentication methods at least every 12 months and in conjunction
with the introduction of new online functionality. The review should include a
careful review of limitations on transaction volumes and dollar amounts the
financial institution imposes on online transactions.
The FFIEC reiterates that online business transactions
are at particular risk, recommending that the customer authentication program
should consist not only of multiple layers in these cases but also multiple
A "layered security program," as defined by FFIEC, uses
"different controls at different points in a transaction process so that a
weakness in one control is generally compensated for by the strength of a
different control." At minimum, the program should include two elements:
The FFIEC supplement sizes up authentication techniques
currently in use and provides some commentary:
The FFIEC recommends that financial institutions have
policies and practices for addressing potentially compromised customer devices
and customers who may be facilitating fraud. Further, it sees consumer
education programs as critical and recommends including, at minimum, the
Ballard Spahr's Consumer Financial Services Group is
nationally recognized for its guidance in structuring and documenting new
consumer financial services products, its experience with advising customers on
financial privacy and data security issues, and its skill in litigation defense
and avoidance (including pioneering work in pre-dispute arbitration programs).
For more information, please contact group Chair Alan S. Kaplinsky,
215.864.8544 or email@example.com;
Vice Chair Jeremy T. Rosenblum, 215.864.8505 or firstname.lastname@example.org; John
L. Culhane, Jr., 215.864.8535 or email@example.com;
Mercedes K. Tunstall, 202.661.2221 or firstname.lastname@example.org; or
Mark J. Furletti, 215.864.8138 or email@example.com.
Copyright © 2011 by Ballard Spahr LLP.www.ballardspahr.com
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form or by any
means, including electronic, mechanical, photocopying, recording, or otherwise,
without prior written permission of the author and publisher.
This alert is a periodic
publication of Ballard Spahr LLP and is intended to notify recipients of new
developments in the law. It should not be construed as legal advice or legal
opinion on any specific facts or circumstances. The contents are intended for
general informational purposes only, and you are urged to consult your own
attorney concerning your situation and specific legal questions you have.