OCC Bulletin 2005-35 | October 12, 2005
Authentication in an Internet Banking Environment: Interagency Guidance
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Authentication in an Internet Banking Environment." This updated interagency guidance, which replaces the FFIEC’s Authentication in an Electronic Banking Environment, issued in 2001, specifically addresses the need for risk-based assessment, customer awareness, and security measures to authenticate customers using a financial institution’s Internet-based services.
This guidance applies to both retail and commercial customers and does not endorse any particular technology. National banks should use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a technology service provider. Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.
Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically:
- Ensure that their information security program:
  - Identifies and assesses the risks associated with Internet-based products and services;
  - Identifies risk mitigation actions, including appropriate authentication strength; and
  - Measures and evaluates customer awareness efforts;
- Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of their customer information, and internal or external threats to information; and
- Implement appropriate risk mitigation strategies.
Examiners should begin to assess national banks' progress in meeting the expectations outlined in the guidance and, thereafter, monitor ongoing conformance as needed during the risk-based supervisory process. Banks are expected to have achieved conformance with the guidance by year-end 2006.
For questions concerning the guidance, contact Bank Information Technology at (202) 647-6340.
Mark L. O'Dell
Deputy Comptroller for Operational Risk