In This Presentation:

Overview

- Critical differences in the 2011 Supplement as compared to the 2005 Guidance

- Other useful sources of regulatory guidance on authentication

- Concluding thoughts on areas of examination emphasis

Why the need for the Supplement?

-Supplement reiterates the need to perform periodic risk assessments and adjust customer authentication controls as appropriate in response to new threats

- However, certain aspects of the 2005 Guidance have become less effective or require enhancement due to significant changes in the threat landscape:

- More sophisticated, effective and malicious methods to compromise authentication mechanisms and gain access to online accounts

- Criminal groups specializing in financial fraud

- Fraud tools are easily obtainable on Internet

- Malware installed on computers monitor user activity, facilitate theft and misuse of login credentials

- Cybercrime complaints significantly up since 2005, in particular with respect to commercial accounts.