Date: September 8, 2006
Customer Authentication and Internet Banking Alert
To: Chief Executive Officers of All National Banks; All State Banking Authorities; Chairman, Board of Governors of the Federal Reserve System; Chairman, Federal Deposit Insurance Corporation; Director, Office of Thrift Supervision; Conference of State Bank Supervisors; Deputy Comptrollers (districts); Assistant Deputy Comptrollers; District Counsel; and All Examining Personnel
In October 2005, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Internet Banking Environment (guidance). The guidance focuses on the risks of fraud and identity theft associated with Internet banking activities. The guidance states that financial institutions should perform a risk assessment, identify and strengthen control weaknesses, measure and evaluate customer awareness efforts, and implement any necessary corrective actions. National banks are expected to have achieved conformance with the guidance by year-end 2006.
It is anticipated that fraudsters will increase their efforts to send false communications intended to obtain customer information for the purposes of fraud and identity theft. These communications may attempt to exploit the December 31, 2006, conformance date. For example, communications purporting to be from a national bank could inform customers that, due to the FFIEC guidance, the bank is required to change its security procedures and, as a result, request that customers re-register or provide personal information that would supposedly enable the bank to comply with the regulatory requirement.
In addition to the common practice of cloning financial institution Web sites, logos, and e-mail formats, such attempts may also use or include the FFIEC logo and may even contain or provide a link to the interagency guidance. The methods used to communicate with customers may include e-mail, telephone calls, and postal mail. Sophisticated schemes may employ multiple methods to "convince" the customer of their legitimacy.
In anticipation of this potential for fraudulent schemes, national banks should inform their customers well in advance of the year-end deadline of their plans and any changes to the bank's Internet or electronic banking applications, or that no changes are expected. Customers should be warned of possible fraudulent activity and about the types of information that may be requested, such as their social security number, account numbers, passwords, and validation questions and answers. Banks should explain their policy regarding such information, e.g., "XYZ National Bank will not ask that you provide to us your social security number, account number, password, or personal identification number (PIN) as this is information we already have on file." Customers should be advised to call the bank for verification before responding to any such request. Banks should consider establishing a "hot-line" or toll-free number if one is not currently available.
Questions regarding this alert should be directed to Bank Information Technology at (202) 874-4740.
Mark L. O'Dell
Deputy Comptroller for Operational Risk Division