This guidance applies to both retail and commercial customers and does not
endorse any particular technology. Financial institutions should use this
guidance when evaluating and implementing authentication systems and practices
whether they are provided internally or by a service provider. Although this
guidance is focused on the risks and risk management techniques associated with
the Internet delivery channel, the principles are applicable to all forms of
electronic banking activities.
The agencies consider single-factor authentication, as the only control
mechanism, to be inadequate for high-risk transactions involving access to
customer information or the movement of funds to other parties. Financial
institutions offering Internet-based products and services to their customers
should use effective methods to authenticate the identity of customers using
those products and services.
The authentication techniques employed by the financial institution should be
appropriate to the risks associated with those products and services. Account
fraud and identity theft are frequently the result of single-factor (e.g.,
ID/password) authentication exploitation. Where risk assessments indicate that
the use of single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or other controls
reasonably calculated to mitigate those risks.
Financial institutions engaging in any form of Internet banking should have
effective and reliable methods to authenticate customers. An effective
authentication system is necessary for compliance with requirements to safeguard
customer information [3], to prevent money laundering and terrorist financing [4], to
reduce fraud, to inhibit identity theft, and to promote the legal enforceability
of their electronic agreements and transactions. Doing business with
unauthorized or incorrectly identified persons in an Internet banking
environment can result in financial loss and reputation damage through fraud,
disclosure of customer information, corruption of data, or unenforceable
agreements.
There are a variety of technologies and methodologies financial institutions
can use to authenticate customers. These methods include the use of customer
passwords, personal identification numbers (PINs), digital certificates using a
public key infrastructure (PKI), physical devices such as smart cards, one-time
passwords (OTPs), USB plug-ins or other types of “tokens”, transaction
profile scripts, biometric identification, and others. (The appendix to this
guidance contains a more detailed discussion of authentication techniques.) The
level of risk protection afforded by each of these techniques varies. The
selection and use of authentication technologies and methods should depend upon
the results of the financial institution’s risk assessment process.