Two-Factor Verification: Guidance Gets Clearer

WASHINGTON - Ahead of a looming yearend deadline, regulators are seeking to clear up confusion surrounding the steps that banks must take to ensure the security of their Web sites.

In a release Tuesday, the federal bank and thrift agencies outlined which online transactions require enhanced authentication measures, offered suggestions to institutions, and confirmed that compliance is mandatory by Dec. 31.

The specifics follow regulatory guidelines issued in October that said banks should not rely on a simple password approach to protect online account information. The guidelines were roundly criticized in the industry as vague, and left several banks unsure how best to meet the criteria.

Complaints focused on what regulators considered "high-risk" online activity and on uncertainty over whether regulators were requiring banks to use multifactor authentication for those transactions.

In answers to 35 frequently asked questions, the regulators on Tuesday sought to resolve such issues.

The release said banks do not have to automatically use multifactor authentication, but must perform a risk assessment and have a system in place to thwart hackers capable of getting through a basic password system.

"Single-factor" authentication, which is typically a simple username and password, is not acceptable for any transactions deemed high-risk, regulators said. They said any transaction involving the movement of funds to other parties, including online bill payment, as well as transfers to separate accounts at the same institution, should be considered high-risk.

"Any system that permits the movement of funds to other parties and/or the access to customer information … is 'high-risk,' necessitating stronger authentication or additional controls," the FAQ said.

Still, a high-risk transaction does not necessarily require multifactor authentication, the regulators said. They said banks could take other steps, including layering on extra protection to ensure their systems are not vulnerable.

"The guidance does not call for the use of multifactor authentication," the regulators said. "The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted."

For high-risk transactions, regulators said banks could use "layered security" that goes beyond single-factor authentication but "would not strictly be considered multifactor authentication." "Layered security" allows a bank to verify a customer's identification on the Web site without the customer's entering additional information.

"Multifactored authentication is an adequate response, but also 'layered security' or compensating controls can be adequate responses," said Michael Jackson, the Federal Deposit Insurance Corp.'s associate director for technology supervision.

Many banks are already adopting such practices.

Wachovia Corp. uses multifactor authentication for its commercial business customers but operates an invisible "layered security" system for small-business and retail customers, said Alecia Kontzen, Wachovia's e-commerce operational risk manager. The system is designed to sense a fraudulent login without a customer's knowing how.

In addition to a password, its multifactor system for commercial customers includes the use of a small "token" called a key fob that flashes a changing number for a customer to enter.

Other possible methods include a keycard with a code unique to a customer; tools that can scan a fingerprint or a person's iris; challenge questions that only the customer can answer; or geographic positioning of a customer's computer, determined by a bank through the customer's Internet service provider.
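The decision logic the article describes, as an added example that is not code from any bank or regulator named here: a password alone is accepted only for low-risk transactions; for high-risk ones (funds to other parties, transfers between a customer's own accounts, access to customer information) the request must clear an invisible "layered" check on device and ISP-derived location, or else be stepped up to a key-fob one-time code. The transaction names, risk weights, region labels and the customer profile are constructed for the demonstration; the one-time-code routine follows RFC 4226 (HOTP), and the secret used is that RFC's published test key.

```python
# Added illustration of risk-based ("layered") step-up authentication as the
# article describes it. Example code, not any institution's implementation;
# all names, weights and sample values are constructed.
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Transaction kinds the FAQ treats as high-risk: movement of funds to other
# parties, transfers between the customer's own accounts, and access to
# customer information. Names are hypothetical.
HIGH_RISK_TYPES = {"bill_payment", "external_transfer", "internal_transfer", "view_statements"}


def classify_transaction(txn_type: str) -> str:
    """Return "high" for transactions where single-factor auth is inadequate."""
    return "high" if txn_type in HIGH_RISK_TYPES else "low"


@dataclass
class CustomerProfile:
    known_devices: set          # device fingerprints seen on prior logins
    usual_region: str           # region normally reported by the customer's ISP
    otp_secret: bytes           # shared secret with the customer's key fob


@dataclass
class LoginContext:
    device_id: str
    isp_region: str             # coarse location derived from the ISP


def layered_risk_score(profile: CustomerProfile, ctx: LoginContext) -> int:
    """Invisible checks the customer never sees; 0 means nothing looks wrong."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += 2
    if ctx.isp_region != profile.usual_region:
        score += 1
    return score


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), the kind a key fob displays."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_token(profile: CustomerProfile, counter: int, presented: str) -> bool:
    """Constant-time comparison of the code the customer typed from the fob."""
    return hmac.compare_digest(hotp(profile.otp_secret, counter), presented)


def authorize(profile, ctx, txn_type, password_ok, token_code=None, counter=0) -> str:
    """Decide "allow", "deny" or "step_up" for one transaction request."""
    if not password_ok:
        return "deny"
    if classify_transaction(txn_type) == "low":
        return "allow"                       # password alone is acceptable here
    # High-risk: password alone is inadequate. Layered security may clear the
    # request silently; otherwise an explicit second factor is required.
    if layered_risk_score(profile, ctx) == 0:
        return "allow"
    if token_code is not None and verify_token(profile, counter, token_code):
        return "allow"
    return "step_up"                         # prompt for the fob code


# Constructed sample customer; the OTP secret is the RFC 4226 test key.
SAMPLE_PROFILE = CustomerProfile(
    known_devices={"dev-home-laptop"},
    usual_region="US-NC",
    otp_secret=b"12345678901234567890",
)

if __name__ == "__main__":
    home = LoginContext("dev-home-laptop", "US-NC")
    unknown = LoginContext("dev-unknown", "XX-00")
    print(authorize(SAMPLE_PROFILE, home, "bill_payment", True))      # allow
    print(authorize(SAMPLE_PROFILE, unknown, "bill_payment", True))   # step_up
    fob_code = hotp(SAMPLE_PROFILE.otp_secret, 0)
    print(authorize(SAMPLE_PROFILE, unknown, "bill_payment", True, fob_code, 0))  # allow
```

The split between `layered_risk_score` and `verify_token` is the point of the FAQ: both are "additional controls", and a bank may choose either. A login from a known device in the usual region passes a high-risk transaction with no extra prompt, which is the invisible behaviour Wachovia describes for retail customers; an anomalous login is stepped up to the fob code, which is its commercial-customer path.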
