1. Technology Supervision Branch New FFIEC Guidance on Strong Authentication ABA Webcast January 11, 2006

2. Technology Supervision Branch Agenda Background on new guidance Summary Key Points What does this mean to the financial services industry FAQs

3. Technology Supervision Branch Background FFIEC guidance entitled: “Authentication in an Internet Banking Environment” Updates & replaces 2001 guidance Published October 12, 2005; compliance expected by year-end 2006 Issued by FFIEC Agencies intended to be proactive, not reactive FDIC FIL-103-2005

4. Technology Supervision Branch Background Work on this project began over 1 year ago: –FDIC ID Theft Study (12/04) –FFIEC Symposium on authentication (3/05) –FDIC ID Theft Study Supplement (6/05) –FDIC ID theft symposiums Time was right for guidance: –Customer concerns are negatively affecting growth of online banking and commerce –Technologies are maturing, becoming more effective, easier to use and more affordable

5. Technology Supervision Branch Summary Regulators expect financial institutions to use stronger methods to authenticate the identity of customers using Internet-based products and services Regulators expect FIs to perform a risk assessment to determine effective authentication strategies according to the risks associated with the products and services they offer online

6. Technology Supervision Branch Key Points Agencies consider single-factor authentication (i.e., password), as the only control mechanism, to be inadequate for high-risk transactions High-risk transactions involve movement of funds to other parties (even within FI) or access to customer information

7. Technology Supervision Branch The Key Point! Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks

8. Technology Supervision Branch What Does This Mean to the Industry Regulators expect financial institutions to “step it up a notch” in terms of online security FIs have an obligation to secure a delivery channel they built and have made available to consumers Time-frame for compliance is aggressive, but reasonable Examiners will review compliance efforts on a case-by-case basis

9. Technology Supervision Branch What Does This Mean to the Industry Guidance is flexible; does not mandate a specific technology solution Regulators expect new technologies to continue to be introduced Special considerations for FIs affected by recent hurricanes

10. Technology Supervision Branch Frequently Asked Questions Is there an “approved” list of solutions? Is the Appendix an exclusive list of solutions? Is it acceptable for an FI to just complete its risk assessment by year-end 2006? Do the regulators expect FIs to run out and buy hardware tokens for all their customers? Is there a template for the risk assessment? Are agencies considering additional guidance in this area?

11. Technology Supervision Branch Frequently Asked Questions Can FI do a risk assessment & decide that stronger authentication is unnecessary even though the system permits high-risk transactions? Can FI rely on its service provider’s risk assessment? Can FI permit customers to opt-out of the stronger authentication? Does the guidance cover telephone banking?

12. Technology Supervision Branch Thank You Jeffrey M. Kopchik –Senior Policy Analyst –Division of Supervision and Consumer Protection, Technology Supervision Branch –Washington, DC