• OM-3.2 Secure Authentication

    • OM-3.2.1

      Licensees must take appropriate measures to authenticate the identity and authorisation of the customers with whom they conduct business.

      Added: January 2020

    • OM-3.2.2

      Licensees must use predefined transaction authentication methods that promote non-repudiation and establish accountability for the transactions. Licensees must establish detailed procedures to effectively identify the person originating electronic funds transfer transactions and for 'call backs', when appropriate, to avoid fraud in electronic funds transfers.

      Added: January 2020

    • OM-3.2.3

      The term 'authentication' as used in this Module refers to the techniques, procedures and processes used to verify the identity and authorisation of prospective and established customers.

      a) Identification refers to the procedures, techniques and processes used to establish the identity of a customer;
      b) Authorisation refers to the procedures, techniques and processes used to determine that a customer or an employee has legitimate access to the bank account or the authority to conduct associated transactions on that account.

      Added: January 2020

    • OM-3.2.4

      Licensees must have in place a strong customer authentication process for their e-banking activities which ensures the following:

      (a) no information on any of the elements of the strong customer authentication process can be derived from the disclosure of the authentication code;
      (b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and
      (c) the authentication code cannot be forged.

      Added: January 2020

    • OM-3.2.5

      The CBB will consider the application of quantitative thresholds below which the strong customer authentication requirements may be simplified, on a case-by-case basis.

      Added: January 2020

    • OM-3.2.6

      Licensees must establish adequate security features for customer authentication, including the use of the following three elements:

      (a) an element categorised as knowledge (something only the user knows), with security features such as the length or complexity of the PIN or password;
      (b) an element categorised as possession (something only the user possesses), with security features such as algorithm specifications, key length and information entropy; and
      (c) for the devices and software that read elements categorised as inherence (something the user is), security features such as algorithm specifications, biometric sensor and template protection features.

      Added: January 2020
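The properties required by OM-3.2.4 (a) to (c), and the non-repudiation and accountability goals of OM-3.2.2, can be illustrated with a per-transaction authentication code. The example below is added here and is not part of the Rulebook or of any licensee's system; it assumes an HMAC-based code bound to the payee and amount, a device key held in the possession element, a counter maintained by both sides, and a constructed sample key.

```python
import hmac
import hashlib

# Constructed sample key. In a real deployment it is provisioned into the
# possession element (hardware token or registered device) and never leaves it.
DEVICE_KEY = bytes.fromhex("0f" * 32)


def authentication_code(key: bytes, counter: int, payee: str, amount_fils: int) -> str:
    """Return an 8-digit code bound to one transaction and one counter value.

    The code is a truncated HMAC-SHA256 over the transaction details, so:
    - it reveals nothing about the key or the other elements (OM-3.2.4 (a));
    - knowing the code for counter n gives no way to compute the code for
      n + 1, because each is an independent MAC output (OM-3.2.4 (b));
    - a code for a different payee or amount cannot be produced without the
      key, so it cannot be forged (OM-3.2.4 (c));
    - the payee and amount are inside the MAC input, so a valid code attests
      to exactly the transaction the customer saw (OM-3.2.2 non-repudiation).
    """
    message = f"{counter}|{payee}|{amount_fils}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP): 4 bytes at a digest-chosen offset.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify(key: bytes, counter: int, payee: str, amount_fils: int, presented: str) -> bool:
    """Recompute the code for the claimed transaction and compare in constant time."""
    expected = authentication_code(key, counter, payee, amount_fils)
    return hmac.compare_digest(expected, presented)


class TransactionVerifier:
    """Licensee side: accepts a code once only, so a captured code cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter already consumed for this customer

    def accept(self, counter: int, payee: str, amount_fils: int, presented: str) -> bool:
        if not verify(self.key, counter, payee, amount_fils, presented):
            return False  # forged, or transaction details were altered in transit
        if counter <= self.last_counter:
            return False  # replay of a previously used code
        self.last_counter = counter
        return True
```

Binding the code to the displayed payee and amount is what lets the licensee attribute a transaction to the customer's own approval, which is the accountability OM-3.2.2 asks for.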