The purpose of this letter is to make you aware of guidance recently released by the Federal Financial Institutions Examination Council (“FFIEC”)1 to financial institutions regarding authenticating users in an electronic banking environment. If your credit union offers, or is planning to offer, internet-based electronic financial services to your members, I encourage you to carefully review the enclosed FFIEC guidance paper.
Member interaction with credit unions is migrating from paper-based transactions to remote electronic access and transaction initiation. This migration increases the risk of doing business with unauthorized or incorrectly identified parties that could result in financial loss or reputation damage to the credit union. When properly implemented, authentication can help credit unions reduce fraud and promote legal enforceability of electronic agreements and transactions.
An effective authentication program should be implemented across a credit union’s operations and the level of authentication used in a particular application should be appropriate to the level of risk in that application. In short, the success of a particular authentication program depends not only on technology, but also on effective policies, procedures, and controls. The paper emphasizes the following points:
- The credit union’s authentication process should be consistent and support the credit union’s overall security and risk assessment programs. Further, the implementation of appropriate authentication methodologies starts with an enterprise-wide assessment of the risk posed by the credit union’s electronic banking systems.
- Credit unions need to utilize reliable methods to verify the identity of members during the account origination process, as well as authenticating members before granting them access to online banking systems.
- A sound authentication system should include audit and monitoring features that can assist in detecting fraud, unusual activities, compromised passwords, or other unauthorized activities.
- The credit union’s authentication process should be reviewed periodically to assess the adequacy of existing authentication techniques in light of changing or new risks.
If you have any questions or concerns, please contact your examiner, NCUA Regional Office or State Supervisory Authority.
1FFIEC Member Agencies include: National Credit Union Administration, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision.