AL 2001-8
Advisory Letter
Subject: Authentication in an Electronic Banking 
         Environment
Date: July 30, 2001

TO:  Chief Executive Officers of National Banks, Federal 
Branches and Data Processing Centers, Service Providers 
and Software Vendors, Department and Division Heads, and 
Examining Personnel

The Federal Financial Institutions Examination Council 
has released the attached guidance, "Authentication in an
Electronic Banking Environment."  This interagency 
guidance reviews the risks and risk management features 
of a number of existing and emerging authentication 
tools.  These tools are necessary to initially verify the
identity of new customers and to authenticate existing 
customers that access electronic banking services.  

An effective authentication program is imperative for 
banks engaging in any form of electronic banking or 
commerce.  It should be implemented on an enterprise-wide
basis, and should have customer acceptance, reliable 
performance, scalability to accommodate growth, and 
interoperability with existing systems and future plans.  

Financial institutions should use this guidance when 
evaluating and implementing authentication systems and 
practices, whether they are provided internally or by a 
third-party service provider. The OCC expects financial 
institutions to assess the risks to the institution and 
its customers and to implement appropriate authentication
methods in order to manage risk effectively.  Examiners 
will use this guidance to evaluate the effectiveness of 
authentication controls in banks and third-party service 
providers. 

For further information on Internet banking and 
technology risk management guidance, see the OCC's 
Internet site at < www.occ.treas.gov > or contact 
Clifford Wilke, director, Bank Technology at 
(202) 874-5920. 


 
____________________                              
Emory W. Rushton
Senior Deputy Comptroller
Bank Supervision Policy