No subject

Jim Jim
Tue Dec 10 11:45:29 PST 2019

*** January/February Project Update ***

Since our last update, we have launched two new projects (Business
Continuity Compliance and Status Reporting, Image Quality and Usability
Assurance Phase II), completed one project (Counter-Phishing Phase I), and
have added two new projects to our pipeline (Better Mutual Authentication,
Resiliency Maturity Model) in addition to Interoperable Verification of
Check Security Features.

[As a reminder, projects show up in this update only after they have a high
probability of launching.  We have a number of initiatives in earlier stages
of development.]

Our Standing Committees (SCOMs) and Special Interest Groups (SIGs) continue
to provide a forum for discussion that results in networking, knowledge
sharing, and action in the form of projects and workshops.  If you are not
yet active in one or more committees, please contact me or the committee's
Managing Executive.  SCOMs and SIGs are still open to non-members; however,
projects are members-only.

FSTC provides an action-oriented, collaborative forum for our members to
address shared business opportunities and challenges through technology
projects and knowledge-sharing.  We view our projects as our core activity,
and one of the key benefits of FSTC membership is eligibility to participate
in these projects.  In our efforts to keep our members and friends
up-to-date on the latest developments in these active and developing
initiatives, we provide our colleagues this periodic project update.  As
always, please contact me or Zach Tumin, FSTC Executive Director, for more
information.  Or visit our website at

Active Projects:

1.  Counter-Phishing Phase I (completed Dec 2004)
2.  e-Authentication: Business and Technology Proof-of-Concept (launched Oct
3.  Business Continuity: Compliance and Status Reporting (launched Nov 2004)
4.  Image Quality and Usability Assurance Phase II  (launched Nov 2004)

Projects in Formation (soliciting commitments):

[coming soon]

Projects in Development:

1.  Interoperable Verification of Check Security Features
2.  Resilience Maturity Model (RMM): Phase I
3.  Better Mutual Authentication: Phase I


1.  Counter-Phishing Phase I (completed Dec 2004)

FSTC has completed a first-phase initiative to address the problem of
phishing and related threats in financial services, as it affects the
relationship between customer and firm.  In collaboration with other
industry groups, the project team developed a suite of documents and tools
that allowed institutions to understand the comprehensive nature of the
problem, and understand the solution options available to the
industry.  The project developed a detailed model of the problem, a
cost/impact model, the solution space, and a survey of over 60 solution
providers.  In addition, the project developed a next-phase proposal draft
for coordinated industry action to enable Better Mutual Authentication
(described below).

12 financial institutions and over 15 technology companies participated in
the initiative, and recently published the project's core findings and
recommendations to the public.  These documents are available from the FSTC
web site (link above).  A core group is currently developing a next-phase
initiative in Better Mutual Authentication, which is described below, and
other areas.  This project originated from the Security SCOM: co-chaired by
Mike McCormick of Wells Fargo, and Mike Versace of NEC.

2.  FSTC/GSA e-Authentication: Business and Technology Proof-of-Concept
(launched Oct 2004, to complete in late March)

This 5-month project is assessing the viability of the potential business
opportunity that exists for financial institutions to leverage their online
customer relationships and provide a federated identity-driven
authentication service to government agencies, and to integrate these
services into financial institutions' online applications. FSTC, jointly
with the GSA's E-Authentication Initiative Project Management Office (EAI
PMO), has launched a three-track project to ascertain the business model,
legal framework, and technical viability of using institutions' identity
credentials to permit consumers and businesses to access secure online
government applications through federation.

There are 7 financial institutions and 10 technology companies and other
organizations participating in the project.  An in-person meeting is
currently scheduled for mid-March in Atlanta, hosted by Bank of America. The
project should complete in late March.

3.  Business Continuity: Compliance and Status Reporting (launched Dec 2004)

The FSTC Business Continuity Standing Committee has launched an initiative
to assist the financial industry in coming to a common understanding on the
meaning of continuity regulation, prioritization of compliance related
activities, and creating efficiencies in documenting regulatory compliance
status. To establish a clear understanding of the regulatory environment, a
list of continuity related guidance will be pulled together along with the
name of the agency responsible. Each regulation will be reviewed and a
clearly worded summary of the continuity requirements will be developed.
Where possible the regulatory agencies will be contacted for clarification
on specific points. Common themes and requirements will be documented and

The project will focus on providing straightforward interpretations of what
is needed for an FI to comply with current regulations.

This project is sponsored by the Business Continuity SCOM, co-chaired by Tom
Hirsch of US Bank, and Damian Walch of IBM.  Please contact FSTC Managing
Executive Charles Wallen for more information  (charles.wallen at

4.   Image Quality and Usability Assurance: Phase II (launched Nov 2004)

In Phase I, more than 20 companies, representing 2/3 of US check volume,
most major vendors, and key industry associations, undertook a 90-day effort
to assess the impact of poor quality check images, and defined 16 technical
metrics and 4 usability levels that can be used to measure image quality and
usability in a standard and interoperable way.  The findings of the Phase I
project team justified further development, to test these metrics in a
real-world scenario, on millions of images, to determine the quantitative
thresholds for the 16 metrics that will define a minimum baseline "standard"
for acceptable quality images for the industry.

The business objectives are to maximize efficiencies, cost savings, and
ensure strong adoption of image exchange. The project will undertake a
robust, "real-world" analysis and test to provide actionable specifications
and direction to the industry to allow financial institutions, technology
vendors, standards organizations, and other key partners to collectively
implement baseline image quality and usability through industry
collaboration under the FSTC umbrella.

This project originates from the Check Truncation SIG,
co-chaired by James
Burroughs, Wells Fargo; Glen Ulrich, US Bank; and Ian Goodall, NCR. 7
financial institutions and 18 vendors and industry organizations are


1.  Interoperable Verification of Check Security Features (IV-CSF)

As a follow-on to the recently completed Survivability of Check Security
Features project, this initiative will seek
to develop the business and technology foundation to enable interoperable
verification of check security features.  As a growing number of banks offer
their customers security features targeted at surviving the imaging process,
interoperability becomes an important enabler.  The objective of this
initiative, through interoperability, is to mitigate fraud risk for all
stakeholders (banks, customers, merchants, etc.) by shortening the time
between a check being presented, and the check verification process, and to
enable any receiver of a check to verify it as close to the point of
presentment as possible.

This project originates from the Check Truncation SIG.
A whiteboard session was
held January 26-27 in Tempe, AZ, hosted by Bank of America and co-hosted by
JPMorgan Chase.  A full draft proposal will be published to the Check
Truncation SIG in the coming week to ten days, reflecting the refined
objectives and deliverables that were developed in Tempe.  Potential project
launch is in the March/April timeframe.

2.  Resilience Maturity Model (RMM): Phase I

A group of FSTC member institutions and vendors met at the FSTC Technology
Recovery Roundtable, hosted by US Bank on October 6th in St. Paul.  At the
meeting, the group defined a potential project that would develop metrics to
evaluate an institution's resilience, much like the Carnegie Mellon CMM
model in software development.  Resilience in this context is an
institution's overall business continuity, disaster recovery, and crisis
management program.  The business objective of the project would be to allow
financial institutions to "rate" themselves and their key business partners
against industry-vetted definitions and metrics, and justify investment (or
not) where needed to achieve the desired level of resilience.

The group met again in New York on January 13th, hosted by JPMorgan Chase,
and further refined the concept with 7 of the top 10 institutions in the US
represented.  A proposal is currently being finalized, and will be published
in the next 7-10 days to the general public.  More than 8 firms have already
committed to participate.  If you are interested, please contact Charles
Wallen, Business Continuity SCOM Managing Executive, at
charles.wallen at

3.  Better Mutual Authentication: Phase I

As a next-phase concept coming out of the Counter-Phishing: Phase I project,
the initiative will focus on establishing a blueprint for the financial
industry to establish better mutual authentication between customers and
financial institutions.  The three components of better mutual
authentication include: customer to institution, institution to customer,
and email communications from the institution to customer.  The objective is
to create a framework that supports individual institutions' efforts, while
defining a "blueprint" of requirements to ensure a level of consistency in
customer experience (if affected), leveraging customer education efforts,
and establishing interoperability wherever possible and prudent.

An in-person, large-institution-only meeting is currently being scheduled
for mid-late-March to create the charter, objectives, and deliverables for
such an initiative. More information will be available in the coming weeks
under the auspices of the Security Standing Committee.


--- end forwarded text

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
