Technology Supervision Branch New FFIEC Guidance on Strong Authentication ABA Webcast January 11, 2006.

Presentation transcript:


Agenda
- Background on new guidance
- Summary
- Key Points
- What does this mean to the financial services industry
- FAQs

Background
- FFIEC guidance entitled: “Authentication in an Internet Banking Environment”
- Updates & replaces 2001 guidance
- Published October 12, 2005; compliance expected by year-end 2006
- Issued by FFIEC Agencies
- Intended to be proactive, not reactive
- FDIC FIL

Background
- Work on this project began over 1 year ago:
  – FDIC ID Theft Study (12/04)
  – FFIEC Symposium on authentication (3/05)
  – FDIC ID Theft Study Supplement (6/05)
  – FDIC ID theft symposiums
- Time was right for guidance:
  – Customer concerns are negatively affecting growth of online banking and commerce
  – Technologies are maturing, becoming more effective, easier to use and more affordable

Summary
- Regulators expect financial institutions to use stronger methods to authenticate the identity of customers using Internet-based products and services
- Regulators expect FIs to perform a risk assessment to determine effective authentication strategies according to the risks associated with the products and services they offer online

Key Points
- Agencies consider single-factor authentication (i.e., password), as the only control mechanism, to be inadequate for high-risk transactions
- High-risk transactions involve movement of funds to other parties (even within FI) or access to customer information

The Key Point!
- Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks

What Does This Mean to the Industry
- Regulators expect financial institutions to “step it up a notch” in terms of online security
- FIs have an obligation to secure a delivery channel they built and have made available to consumers
- Time-frame for compliance is aggressive, but reasonable
- Examiners will review compliance efforts on a case-by-case basis

What Does This Mean to the Industry
- Guidance is flexible; does not mandate a specific technology solution
- Regulators expect new technologies to continue to be introduced
- Special considerations for FIs affected by recent hurricanes

Frequently Asked Questions
- Is there an “approved” list of solutions?
- Is the Appendix an exclusive list of solutions?
- Is it acceptable for an FI to just complete its risk assessment by year-end 2006?
- Do the regulators expect FIs to run out and buy hardware tokens for all their customers?
- Is there a template for the risk assessment?
- Are agencies considering additional guidance in this area?

Frequently Asked Questions
- Can FI do a risk assessment & decide that stronger authentication is unnecessary even though the system permits high-risk transactions?
- Can FI rely on its service provider’s risk assessment?
- Can FI permit customers to opt-out of the stronger authentication?
- Does the guidance cover telephone banking?

Thank You
Jeffrey M. Kopchik
  – Senior Policy Analyst
  – Division of Supervision and Consumer Protection, Technology Supervision Branch
  – Washington, DC