The latest issue of the FDIC's Supervisory Insights newsletter contains the article "Online Delivery of Banking Services: Making Consumers Feel Secure" by Richard D. Lee, Senior Technology Specialist at the FDIC. This article reviews key findings of an FDIC study that evaluates a variety of identity authentication technologies. The article also focuses on interagency guidance requiring insured financial institutions and service providers to address the protection of sensitive customer data and assets as part of the development of Internet banking products and services.
As insured financial institutions begin to assess their risks as outlined in the interagency authentication guidance, they should consider each type of transaction consumers can initiate online. The types of transactions may include the following:
- Access to the bank's website for new product offerings or CD rates
- Access to an individual deposit account
- Access to a deposit account and an automatic bill-paying option
- Ability to transfer money from one account to a related account
- Ability to transfer money to a third party
The above transactions are ranked by the level of risk they represent to the institution and the customer, beginning with the lowest. The first transaction allows access only to general bank information; customer information and bank accounts cannot be reached through it. This transaction is considered relatively low risk and would not require strong access controls.
However, the last transaction, which allows an online customer to wire or transfer money to another party, should require more than a password to initiate. In this case the bank should require the customer to supply authentication credentials such as a one-time password token. This layered approach to authentication matches low-risk transactions with less robust solutions and higher-risk transactions with stronger solutions. Risks falling in the middle would be addressed according to the potential for compromise of sensitive data or assets.
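One way to encode the layered approach above as an enforceable policy, written as an added example rather than code from the article or the FDIC guidance: each transaction type is a risk tier, each tier names the credentials it demands, and a check reports which factors are still missing so the application can prompt for step-up. The two endpoints follow the article (no login for public pages, password plus one-time token for third-party transfers); the requirements assigned to the three middle tiers and the factor names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    """Transaction types from the article, ordered lowest to highest risk."""
    PUBLIC_INFO = 1            # bank website: product offerings, CD rates
    VIEW_ACCOUNT = 2           # access to an individual deposit account
    BILL_PAY = 3               # deposit account plus automatic bill paying
    INTERNAL_TRANSFER = 4      # transfer between related accounts
    THIRD_PARTY_TRANSFER = 5   # wire or transfer to a third party


# Credential strength each tier demands. The middle three entries are an
# assumption for this example; only the endpoints come from the article.
REQUIRED_FACTORS = {
    Risk.PUBLIC_INFO: frozenset(),
    Risk.VIEW_ACCOUNT: frozenset({"password"}),
    Risk.BILL_PAY: frozenset({"password"}),
    Risk.INTERNAL_TRANSFER: frozenset({"password"}),
    Risk.THIRD_PARTY_TRANSFER: frozenset({"password", "otp_token"}),
}


@dataclass
class Session:
    user: str
    factors: set = field(default_factory=set)   # factors verified so far


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing: frozenset   # factors the caller must still collect (step-up)


def authorize(session: Session, risk: Risk) -> Decision:
    """Decide whether the session's verified factors satisfy the tier."""
    missing = REQUIRED_FACTORS[risk] - session.factors
    return Decision(allowed=not missing, missing=frozenset(missing))


def policy_is_monotonic(policy: dict) -> bool:
    """Sanity check: a higher-risk tier never requires less than a lower one."""
    tiers = sorted(policy)
    return all(policy[lo] <= policy[hi]
               for lo, hi in zip(tiers, tiers[1:]))


if __name__ == "__main__":
    s = Session("demo-user", {"password"})      # constructed sample session
    print(authorize(s, Risk.THIRD_PARTY_TRANSFER))
```

When `authorize` returns a non-empty `missing` set, the application collects exactly those factors before retrying, so a password-only session is never able to reach the third-party transfer tier.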
Insured financial institutions must comply with the interagency authentication guidance by December 31, 2006. To do so, they should begin performing risk assessments as soon as possible and, based on the results of these assessments, implement stronger authentication strategies by year-end 2006.