Verifying the identities of customers and authorizing e-banking activities are integral parts of e-banking financial services. Since traditional paper-based and in-person identity authentication methods reduce the speed and efficiency of electronic transactions, financial institutions have adopted alternative authentication methods, including:
- Passwords and personal identification numbers (PINs),
- Digital certificates using a public key infrastructure (PKI),
- Microchip-based devices such as smart cards or other types of tokens,
- Database comparisons (e.g., fraud-screening applications), and
- Biometric identifiers.
The authentication methods listed above vary in the level of security and reliability they provide and in the cost and complexity of their underlying infrastructures. As such, the choice of which technique(s) to use should be commensurate with the risks in the products and services for which they control access.For example, section 326 of the USA PATRIOT Act (Pub. L. 107-56) requires financial institutions to implement reasonable procedures for (1) verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintaining records of the information used to verify the person's identity, and (3) determining whether the person appears on any list of known or suspected terrorists or terrorist organizations. See 68 Federal Register 25090 (May 9, 2003); 12 CFR Part 21 (OCC); 12 CFR Parts 208 and 211 (Board); 12 CFR Part 326 (FDIC); 12 CFR Part 563 (OTS), and 12 CFR Part 748 (NCUA). Additional information on customer authentication techniques can be found in this booklet under the heading "Authenticating E-Banking Customers."
The Electronic Signatures in Global and National Commerce (E-Sign) Act establishes some uniform federal rules concerning the legal status of electronic signatures and records in commercial and consumer transactions so as to provide more legal certainty and promote the growth of electronic commerce.Pub.L. No. 106-229. An electronic signature may be as simple as a person's typed name or an image of a person's handwritten signature. The development of secure digital signatures continues to evolve with some financial institutions either acting as the certification authority for digital signatures or providing repository services for digital certificates.See OCC Bulletin 99-20: Certificate Authority Guidance (May 4, 1999).