Establish, implement, and maintain customer data authentication procedures.


CONTROL ID
13187
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Customer Information Management program., CC ID: 00084

This Control has the following implementation support Control(s):
  • Check the accuracy of restricted data., CC ID: 00088
  • Check the data accuracy of new accounts., CC ID: 04859
  • Authenticate a user's identity prior to transferring funds requested by a customer., CC ID: 12972


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If AIs allow a customer to open an Internet banking account over the Internet, a reliable authentication method should be adopted to verify the identity of the customer. (§ 4.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • considering asking the customer to provide supporting documents and conduct additional checks assessed by AIs as appropriate to validate the identity of the customer; and (§ 6.2.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should implement adequate customer identity authentication controls in their phone banking operations. When a customer calls in to inquire about the customer's bank account (e.g. balance or transaction history) or perform a transaction via the account, AIs should either use phone banking PIN or … (§ 7.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • considering asking the customer to provide supporting documents and conduct additional checks assessed by AIs as appropriate to validate the identity of the customer. (§ 6.2.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • As set out in subsection 4.1.1, AIs should implement adequate customer identity authentication controls in their phone banking operations. When a customer calls in to inquire about the customer's bank account (e.g. balance or transaction history) or perform a transaction via the account, AIs should … (§ 7.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • For cases where banking services are provided through chat messages via instant messaging applications, appropriate measures should be taken to ensure that proper records are maintained by AIs and customers are properly authenticated before executing the customers' instructions. If such services inv… (§ 7.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • all accounts on any system used by the relevant entity to access customer information through the internet. (IV. 4.6 ¶ 1(b), MAS-201908-Notice 655 Cyber Hygiene)
  • Member States shall ensure that the account servicing payment service provider allows the payment initiation service provider and the account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user i… (Art 97(5), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • These activities may be conducted through a service management web portal, or through other channels, such as telephone or email. They are likely to include such functions as provisioning new service elements, managing user accounts and managing consumer data. (9.1 ¶ 2, Cloud Security Guidance, 1.0)
  • Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 1023.220 … (Appendix A-III. ¶ 1 (a), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 17, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization requests that the individual or individual's authorized representative validate PII during the collection process. (DI-1(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information rea… (§ 6-1-1306 (2)(d), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Consumers may exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice required under section 6-1-1308 (1)(a). The method must take into account the ways in which consumers normally interact with the controller, the need for secure and… (§ 6-1-1306 (1), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to sections 1 to 11, inclusive, of this act. Such means shall take into account the ways in which consumers normall… (§ 6 (e)(1), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • If a controller is unable to authenticate a request to exercise any of the rights afforded under paragraphs (1) through (5), inclusive, of subsection (a) of this section using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuan… (§ 12D-104.(c)(4), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall establish, and shall describe in the privacy notice required by subsection (c) of this section, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which … (§ 12D-106.(e)(1), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • If a controller is unable to authenticate a request to exercise any of the rights afforded under paragraphs (a)(1) through (a)(5) of this section, inclusive, using commercially-reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this se… (§ 12D-104.(c)(4), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall establish, and shall describe in the privacy notice required by subsection (c) of this section, 1 or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which co… (§ 12D-106.(e)(1), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • The ability of the controller to authenticate the identity of the consumer making the request. (§ 501.709(1)(c), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • If a controller cannot take action regarding the consumer's request, the controller must inform the consumer without undue delay, which may not be later than 45 days after the date of receipt of the request, of the justification for the inability to take action on the request and provide instruction… (§ 501.706(3), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • the ability of the controller to authenticate the identity of the consumer making the request. (IC 24-15-4-5 ¶ 1(3), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate th… (IC 24-15-3-1(c)(4), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the … (§ 715D.3.2.d., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and… (§ 715D.4.7., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to [sections 1 through 12] considering the ways in which consumers normally interact with the controller, the need for secu… (§ Section 7. (6)(a), Montana Consumer Data Privacy Act)
  • If a controller is unable to authenticate a request to exercise any of the rights afforded under sections I (a)-(d) of this section using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide no… (§ 507-H:4 III.(d), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • A controller shall establish, and shall describe in a privacy notice, consistent with the requirements of the secretary of state, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the… (§ 507-H:6 V.(a), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • The controller's ability to authenticate the identity of the consumer that makes the request; and (Section 5 (5)(a)(C), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • A controller may ask for additional information necessary to comply with the request, such as information that is necessary to identify the consumer that requested to opt out. (Section 4 (5)(e)(A), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Ability of a controller to authenticate the identity of the consumer making the request. (§ 47-18-3204.(e)(1)(C), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • If a controller is unable to authenticate the request using commercially reasonable efforts, then the controller is not required to comply with a request to initiate an action under subsection (a) and may request that the consumer provide additional information reasonably necessary to authenticate t… (§ 47-18-3203.(b)(4), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request submitted under Section 541.051 and may request that the consumer provide additional information reasonably necessary to authenticate the cons… (§ 541.052 (e), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • the ability of the controller to authenticate the identity of the consumer making the request. (§ 541.055 (a)(3), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • may request that the consumer provide additional information reasonably necessary to authenticate the request. (13-61-203 (5)(b), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection A and may request that the consumer provide additional information reasonably necessary to authenticate th… (§ 59.1-577.B.4., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, th… (§ 59.1-578.E., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection A and may request that the consumer provide additional information reasonably necessary to authenticate th… (§ 59.1-577.B.4., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)
  • A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, th… (§ 59.1-578.E., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)