Alert 2006-50
ALERT

    Subject:  Customer Authentication and Internet 
              Banking Alert 

       Date:  September 8, 2006

TO:  Chief Executive Officers and Chief Information 
     Technology Officers of National Banks, Federal 
     Branches, and Technology Service Providers, 
     Department and Division Heads, and Examining 
     Personnel

In October 2005, the FFIEC agencies(1) (agencies) issued 
guidance entitled Authentication in an Internet Banking 
Environment (guidance)(2) .  The guidance focuses on the 
risks of fraud and identity theft associated with 
Internet banking activities.  The guidance states that 
financial institutions should perform a risk assessment,
identify and strengthen control weaknesses, measure and 
evaluate customer awareness efforts, and implement any 
necessary corrective actions.  National banks are 
expected to have achieved conformance with the guidance 
by year-end 2006.  

It is anticipated that there will be increased activity 
by fraudsters to send false communications with the 
intent of obtaining customer information for the purposes
of fraud and identity theft.  These communications may 
attempt to exploit the December 31, 2006, conformance 
date.  For example, communications purporting to be from
a national bank could inform customers that, due to the 
FFIEC guidance, the bank is required to change its 
security procedures and, as a result, request customers 
to re-register or provide personal information that would
enable the bank to comply with the regulatory requirement.

In addition to the common practice of cloning financial 
institution Web site, logo, and e-mail formats, such 
attempts may also use or include the FFIEC logo and may 
even contain or provide a link to the interagency 
guidance.  The methods used to communicate with customers
may include e-mail, telephone calls, and postal mail.  
Sophisticated schemes may employ multiple methods to 
"convince" the customer of their legitimacy.

In anticipation of this potential for fraudulent schemes,
national banks should inform their customers well in 
advance of the year-end deadline of their plans and any 
changes to the bank's Internet or electronic banking 
applications, or that no changes are expected.  Customers
should be warned of possible fraudulent activity and 
about the types of information that may be requested, 
such as their social security number, account numbers, 
passwords, validation questions and answers.  Banks 
should explain their policy regarding such information, 
e.g., "XYZ National Bank will not ask that you provide to
us your social security number, account number, password,
or personal identification number (PIN) as this is 
information we already have on file."  Customers should 
be advised to call the bank for verification before 
responding to any such request.  Banks should consider 
the establishment of a "hot-line" or toll-free number if
one is not currently available.   

Questions regarding this alert should be directed to Bank
Information Technology at (202) 874-4740.



   /signed/
Mark L. O'Dell
Deputy Comptroller for Operational Risk Division 
 
1)  Board of Governors of the Federal Reserve System, 
    Federal Deposit Insurance Corporation, National 
    Credit Union Administration, Office of the 
    Comptroller of the Currency, and Office of Thrift 
    Supervision.
2)  OCC Bulletin 2005-35, October 12, 2005