The Federal Financial Institutions Examination Council (FFIEC) agencies issued a series of Information Technology Examination Handbooks that promote uniform and effective information technology related policies and supervisory programs from financial institutions and their service providers.

The booklets serve as guidance for examiners, financial institutions, and service providers on identifying and controlling risks related to information systems and banking activities.

Consistent with the FFIEC Information Technology Examination Handbook: Information Security Booklet, December 2002, financial institutions should periodically:

  • Appropriately adjust their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information
  • Identify and assess the risks associated with Internet-based products and services
  • Identify risk mitigation actions, including appropriate authentication strength
  • Measure and evaluate customer awareness efforts
  • Implement appropriate risk mitigation strategies.


The implementation of appropriate authentication methodologies should start with an assessment of the risk posed by the institution’s Internet banking systems.

The risk should be evaluated in light of the type of customer (e.g., retail or commercial), the customer transactional capabilities (e.g., remote deposit capture, wire transfer, Internet banking), the sensitivity of customer information being communicated to both the institution and the customer, the ease of using the communication method, and the volume of transactions.