Auditing and Financial Management:
Bank Regulators' Evaluation of Electronic Signature Systems
GAO-01-129R: Published: Nov 8, 2000. Publicly Released: Nov 8, 2000.
This report discusses bank regulators' evaluation of electronic signature systems. Financial institutions use signature systems to verify or authenticate the identity of customers conducting financial and nonfinancial transactions over the Internet and other open electronic networks. Officials at the Office of the Comptroller of the Currency (OCC) and the Federal Reserve told GAO that they are developing an examination strategy for Identrus LLC, which is an entity that provides services to financial institutions to authenticate electronic signatures. OCCofficials have not determined what role they will play in assessing Identrus' operations, but they believe that financial institutions should take an active role in assessing the risks associated with electronic signatures.
- Review Pending
- Closed - implemented
- Closed - not implemented
Recommendation for Executive Action
Recommendation: Given that the importance of electronic signature systems is likely to grow, banking regulators need a consistent methodology for assessing the risks and appropriateness of internal controls surrounding such systems. The Chairman, Board of Governors of the Federal Reserve System, and the Comptroller of the Currency, should work through the Federal Financial Institutions Examination Council to develop guidance that includes criteria for evaluating electronic signature systems in order to provide reasonable assurance that electronic signatures generated by the system are valid.
Agency Affected: Federal Reserve System: Board of Governors
Status: Closed - Implemented
Comments: In August 2001, the Federal Financial Institutions Examination Council released the guidance "Authentication in an Electronic Banking Environment" which addresses the verification of new customers and the authentication of existing customers. It applies to both retail and commercial customers and provides criteria for an effective authentication program.