Federal Financial Institutions Examination Council (FFIEC), Supplement to Authentication in an Internet Banking Environment (June 28, 2011).
The purpose of this Supplement to the FFIEC's 2005 guidance entitled Authentication in an Internet Banking Environment ("2005 Guidance") is to reinforce the 2005 Guidance's risk management framework and update the FFIEC agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.
The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks.
It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution's customer awareness and education program.