Guest: jking - 3/6/2008 2:56:55 AM
MFA
Is MFA required on Remote Deposit Capture? Our software limits the information provided about our customer, but images of deposited checks are stored on the software for up to 60 days. It seems to me that the information and the risk posed would be high and should require MFA on the user side; however, there are varying opinions in my institution regarding the necessity. Any help that you could provide would be appreciated!
Site admin
Re: MFA
We all know that the Federal Agencies involved are in the process of developing their guidelines around RDC authentication and how those fit with the definition of “high risk transaction” in the strong authentication guidance issued in October of 2005 by the FFIEC agencies. We have, however, not received the RDC guidance as of today, but what we do know is that remote deposit was classified as an electronic bank function (August 2007 FFIEC BSA/AML Examination Manual). The rules for testing whether the transaction is high risk, as defined/used in the Manual, and/or exposes consumer or business account data, in my opinion, should be used; and if the transaction involves the movement of money and/or use of account information, then it is considered high risk and, therefore, single-factor authentication is not adequate and it requires “strong authentication”.
Strong Authentication means using either multi-factor authentication (two-factor or more) and/or a layered security approach to authentication in addition to single factor. The layered approach is used to define an approach where different types of technology are used for authentication/security and can employ “in band” as well as “out of band” (e.g. telephone follow-up) techniques to ensure the identity of the user and of the host server (bank). The FFIEC guidance specifies that “where risk assessments indicate that the use of single factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate the risk…”
These requirements not only apply to the deposit but also to the online reporting of deposits taken by remote capture where confidential data is displayed. What authentication is required for administrative procedures, for accessing reports, as well as for processing deposits? It appears to me that the same level of authentication/security as described above is required.