FFIEC Guidance

In 2005 the FFIEC issued the document 'Authentication in an Internet Banking Environment', which recommended the use of multi-factor authentication when conducting banking transactions over the Internet. You may download the 2005 document by clicking here.

On June 28, 2011, the FFIEC issued a supplement to its original guidance.  The purpose of the Supplemental Guidance is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.  The FFIEC notes that the continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. 

The Supplemental Guidance reiterates that effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions.  It further stresses the need for performing risk assessments, implementing effective strategies for mitigating identified risks, and raising customer awareness of potential risks, but does not endorse any specific technology for doing so. 

The FFIEC notes that its member agencies will continue to work closely with financial institutions to promote security in electronic banking and that examiners are requested to formally assess financial institutions under enhanced expectations outlined in the supplement beginning in January 2012. 

The Supplemental Guidance can be found by clicking here.

Click here to download NACHA's June 2012 document - Sound Business Practices for Implementing Provisions of the Supplement