Guiding Principles for Accessible Authentication

Acknowledgements

The Guiding Principles for Accessible Authentication (“The Guiding Principles”) were funded and developed under the sponsorship of the Australian Bankers’ Association (ABA). The ABA would like to acknowledge the contribution of the Human Rights and Equal Opportunity Commission (HREOC), Blind Citizens Australia, Physical Disability Council, Abacus Australian Mutuals and various ABA member banks that participated in the ABA’s Accessible Authentication Working Group (AAWG).

The ABA would also like to acknowledge Tim Noonan for his work on this project and Dr John Gill for allowing us to use the Guidelines for the Design of Accessible Information and Communication Technology Systems, in particular the section on biometric systems.

The ABA released the Consultation Draft Guiding Principles on Accessible Authentication to coincide with International Day of People with a Disability on 3 December 2006, whose theme that year was accessibility of information technologies (“E-Accessibility Day”). The ABA would also like to acknowledge the Council of the Ageing (COTA) and other organisations representing people with disabilities or older people for providing valuable input into the development of the Guiding Principles.

Disclaimer

The ABA and all other parties associated with the publication of this document have made every effort to ensure the accuracy of the information, but accept no responsibility for any loss or damage occasioned by any party in seeking to implement any provision of the Guiding Principles.

The Guiding Principles are based on information about the deployment of authentication technologies available at the time they were developed.

The Guiding Principles should not be relied upon as a substitute for professional advice in complying with the law. There are many liability and other legal issues relating to matters covered in the Guiding Principles, the resolution of which falls outside the scope of the document. Future versions of the document will endeavour to incorporate the latest research.

The Guiding Principles have been developed by the AAWG and drawn from a number of other sources. They must only be reproduced with permission from the ABA and with attribution to the ABA. If material is referred to by other people or organisations, attribution must be made to the ABA.

Published by the Australian Bankers’ Association Inc

ARBN 117 262 978

Incorporated in New South Wales

Liability of members is limited

Version: December 2007

Copyright, Australian Bankers’ Association

All rights reserved.


Table of Contents

1.   Introduction

1.1     Background to the Guiding Principles

1.2     Purpose of the Guiding Principles

1.3     Scope of the Guiding Principles

1.4     Principles-based approach of the Guiding Principles

1.5     Technology Neutrality of the Guiding Principles

1.6     Adoption of the Guiding Principles

1.7     Version control and review of the Guiding Principles

2.   The Guiding Principles

Principle 1: Accessibility of authentication technologies

Principle 2: Customer convenience

Principle 3: Authentication planning

Principle 4: Authentication testing

Principle 5: Registration, login and transaction procedures

Principle 6: Messages and error recovery

Principle 7: Staff and customer training

Principle 8: Raising staff, business and customer awareness

Principle 9: Confidentiality of customer information

Principle 10: Security of transactions and transaction fees

Appendix 1: Access issues facing people with disabilities and older people

Appendix 2: Glossary

Appendix 3: References


“The Guiding Principles”

Principle 1: Accessibility of authentication technologies

Financial institutions should ensure that authentication technologies are accessible to all customers, or where this is not possible, a human-based alternative authentication system needs to provide equivalent amenity and convenience.

Principle 2: Customer convenience

All customers should be able to undertake their personal and business financial activities conveniently and safely.

Principle 3: Authentication planning

Financial institutions should consider the accessibility needs of customers with disabilities and older customers as part of authentication technology planning.

Principle 4: Authentication testing

Financial institutions should consult customers with disabilities and older customers as part of planning and testing accessibility of authentication technologies.

Principle 5: Registration, login and transaction procedures

Financial institutions should ensure that registration, login and transaction procedures are as accessible as possible to all customers.

Principle 6: Messages and error recovery

Financial institutions should ensure that online messages are unambiguous and written in “plain English” and that error recovery processes are efficient and accessible.

Principle 7: Staff and customer training

Financial institutions should provide relevant customer support staff with appropriate disability awareness training so they are aware of the needs of customers with disabilities and older customers. In addition, financial institutions should provide customers with information and training in the use of available authentication technologies.

Principle 8: Raising staff, business and customer awareness

Financial institutions should develop a strategy for enabling relevant management and staff awareness of these Guiding Principles. In addition, financial institutions should promote the availability of alternative accessible authentication technologies with their customers.

Principle 9: Confidentiality of customer information

Financial institutions must ensure the confidentiality of information of customers with disabilities and older customers.

Principle 10: Security of transactions and transaction fees

Financial institutions should ensure customers with disabilities and older customers are not exposed to higher financial risks or costs as a result of the deployment of authentication technologies.


1.                      Introduction

1.1                   Background to the Guiding Principles

All organisations providing goods, services and facilities to the general public must ensure they are not provided in a way that is discriminatory.

Conducting banking and managing personal finances are important activities. Advances in technology and the emergence of electronic banking have increased the convenience of banking, but have also increased the need for financial institutions to make sure that their customers can conduct their banking safely and securely.

Accessibility issues need to be considered in the deployment of authentication technologies, to ensure that people with disabilities and older people are not disadvantaged. Adoption of common standards by banks and other financial institutions in Australia will promote the confidence of customers using authentication technologies and improve the accessibility of retail banking and finance.

The Guiding Principles have been developed to:

  • Provide guidance to financial institutions adopting stronger authentication[1] technologies as part of their banking services;
  • Ensure that all customers of financial institutions operating in Australia, including people with disabilities and older people, are able to access and manage their finances independently, securely and effectively;
  • Ensure that the access needs of people with disabilities and older people are considered in the deployment of authentication technologies; and
  • Ensure that financial institutions are able to provide the best possible service to all customers.

1.1.1              Disability Discrimination Act 1992

The Disability Discrimination Act 1992 (“DDA”) makes it unlawful to discriminate against a person on the grounds of a disability[2]. The objects of the DDA include eliminating, as far as possible, discrimination against people with disabilities and promoting recognition and acceptance within the community that people with disabilities have the same fundamental rights as the rest of the community.


The law is administered by HREOC and sets out specific areas in which it is unlawful to discriminate. These areas include accommodation, employment, access to premises, and the provision of goods, services[3] and facilities.

The DDA recognises that in certain circumstances, providing equitable access for people with disabilities could cause ‘unjustifiable hardship’ for an individual or organisation providing goods or services.

1.1.2              Human Rights and Equal Opportunity Commission

The Human Rights and Equal Opportunity Commission (HREOC) administers Federal legislation in the area of human rights, anti-discrimination and social justice. This includes complaints handling, public inquiries, policy development and education and training.

Where a person with a disability believes they have been discriminated against, they can complain to HREOC, which will investigate the complaint and, where appropriate, attempt to conciliate a solution between the two parties. Where conciliation is not possible the complainant may take their complaint to the Federal Court or Federal Magistrates Court, which have the authority to determine whether unlawful discrimination has occurred and what constitutes ‘unjustifiable hardship’.

HREOC also has a role in assisting organisations understand their responsibilities and supporting initiatives aimed at promoting compliance through best practice. While the Guiding Principles have no force in law, HREOC has supported their development in the hope that they will provide a level of access consistent with the requirements of the DDA.

1.2                   Purpose of the Guiding Principles

The purpose of the Guiding Principles is to provide a framework for financial institutions to help reach a workable balance between security requirements, commercial strategies and equitable access to banking products and services.

The Guiding Principles are intended to promote the following universal design principles: [See http://www.design.ncsu.edu/cud/about_ud/about_ud.htm]

  • Equitable use: The design is useful for the widest possible group of users.
  • Flexible use: The design accommodates a wide range of individual preferences and abilities.
  • Simple and Intuitive use: The design is easy to understand.
  • Perceptible information: The design communicates necessary information to the user in a clear and effective manner.
  • Tolerance for error: The design minimises hazards and the adverse consequences of accidental or unintentional actions.
  • Minimal physical effort: The design can be used comfortably.
  • Size and space for approach and use: The design can be used conveniently.


The Guiding Principles have been developed to ensure that people with disabilities and older people are not discriminated against when a financial institution adopts stronger authentication technologies and systems. They seek to make sure that authentication technologies are as accessible as possible for as many customers as possible.

The Guiding Principles offer a number of benefits for financial institutions, including enabling financial institutions to manage risk, improve quality of services and reduce the likelihood of successful complaints of discrimination arising from access to banking products and services.

The Guiding Principles recognise that:

  • Financial institutions need to ensure that fraud is minimised and need to manage customer confidence and the financial institution’s financial risk.
  • People with disabilities and older people need to be able to access their finances and conduct business efficiently, conveniently, independently and on an equivalent basis as other customers.
  • Financial institutions need the flexibility to develop security and authentication systems which effectively integrate into their business rules, are consistent with their commercial strategies, and which they deem appropriate to meet the needs of their customers.

1.3                   Scope of the Guiding Principles

The Guiding Principles relate to deployment of user and transaction authentication technologies and systems across retail banking channels, with particular relevance for electronic banking.

The Guiding Principles focus on access to authentication technologies for individual and small business customers registering, using and transacting with their financial institution. They do not cover technology matters beyond the deployment and use of authentication technologies. However, financial institutions may consider how the Guiding Principles could relate to wider usability and their broader service commitments on accessible banking.

Examples of transactions covered by the Guiding Principles include, but are not limited to:

  • Service registration
  • Balance enquiry
  • Statement viewing
  • Transfers between accounts
  • Bill pay
  • Third party funds transfers
  • Cash withdrawals
  • Reviewing and updating investments and portfolios
  • Online loan applications
  • Interactive financial calculations performed online.

The Guiding Principles also apply to related services such as accessing documentation and information as well as account aggregation tools where authentication technologies are deployed.

The Guiding Principles are intended for use by developers, suppliers, designers and users of authentication technologies. They are not intended to prevent the use of authentication technologies.


The intended audience for the Guiding Principles includes banks and other financial institutions as well as other stakeholders including regulators, government agencies and law enforcement bodies. They are also relevant to disability organisations, individuals with disabilities and older people.

1.3.1              Dependencies

A range of factors can impact the effective accessibility of retail banking services including:

(a)   (for the financial institution) choice of authentication solutions, web development tools, expectation of minimum hardware/browser technology used by customer, reliance on scripting and applet technologies, flexibility of security protocols in place.

(b)   (for the customer) level of experience with web-based technologies, platforms/operating systems selected, brand and version of assistive technologies (screen readers, screen enlargers, etc), firewalls and quality of telecommunications lines and other factors.

1.4                   Principles-based approach of the Guiding Principles

The Guiding Principles are high level principles that do not prescribe binding obligations and do not provide technical standards. It is up to financial institutions to determine how to apply the Guiding Principles.

In implementing the Guiding Principles, financial institutions will set their own boundary conditions on threat levels, transaction values and other parameters, being mindful of the accessibility implications of any authentication technologies deployed.

The Guiding Principles recognise that financial institutions should make best endeavours to ensure that authentication technologies are as accessible as possible for as many customers as possible.  

1.4.1              Compliance with other access standards

Banks and other financial institutions should also refer to relevant Australian standards, Australian/New Zealand standards and other international standards. For example:

  • ABA’s voluntary Industry Standards on Accessibility of Electronic Banking
  • ABA’s voluntary Online Authentication Guidelines
  • HREOC’s World Wide Web Access: Disability Discrimination Act Advisory Notes. Version 3.2.
  • W3C’s Web Content Accessibility Guidelines.

1.5                   Technology Neutrality of the Guiding Principles

The Guiding Principles set out broad concepts that may be applied across the range of retail banking channels. This approach was taken so that the Guiding Principles could be applied to a variety of authentication technologies and solutions, including those which do not yet exist.

The Guiding Principles are intended to be technology neutral. They do not recommend specific authentication technologies. Instead, the Guiding Principles set out high level principles and provide explanatory guidance on how these principles may assist in developing technical and design specifications and performance criteria that can be used to assess the appropriateness and usability of authentication technologies and systems in the context of each individual financial institution’s circumstances. Decisions regarding specific authentication technologies are, amongst other things, commercial decisions.

The Guiding Principles also take into account developments that may occur in communications and access technologies, which may be used to interact with authentication technologies, for example, voice over IP (VOIP), video relay services, computer assisted translators and other assistive technologies.

1.6                   Adoption of the Guiding Principles

Adoption of the Guiding Principles is voluntary, but it is expected that ABA member banks and other financial institutions, including credit unions and building societies, will seek to take advantage of the benefits afforded by the Guiding Principles.

The Guiding Principles are aimed at assisting financial institutions to design and develop authentication systems that are as accessible as possible. They assist financial institutions to respond to the needs of customers and the requirements of the Disability Discrimination Act 1992. It is intended that adoption and implementation of the Guiding Principles will significantly reduce the likelihood of successful complaints of discrimination.

It is recognised that financial institutions adopting the Guiding Principles may take some time to have in place systems and procedures that reflect the detail of the Guiding Principles and explanatory guidance.

Financial institutions should also consider the ABA’s voluntary Industry Standards on Accessibility of Electronic Banking (2002), which assist individual banks to develop or enhance their electronic banking services for people with disabilities and older people, as well as the ABA’s voluntary Online Authentication Guidelines (2005), which provide a risk-based model for the deployment of authentication technologies. The ABA’s voluntary industry standards are consistent with, and build on, the W3C’s Web Content Accessibility Guidelines.

Financial institutions could also consider referring to the ABA’s voluntary Guiding Principles for Accessible Authentication and the voluntary Industry Standards on Accessibility of Electronic Banking in their Disability Action Plans or service commitments, which set out how financial institutions will meet their customers’ needs, including equivalent access for people with disabilities and older people.

1.7                   Version control and review of the Guiding Principles

It is the intention of the banking and finance sector to continue to work with service providers and manufacturers of authentication technologies to further improve the accessibility of authentication technologies and solutions.

The ABA will continue to keep the Guiding Principles current and technically valid in so far as is practicable. Version control will be maintained by the ABA.

The Guiding Principles will be reviewed on an as needed basis to ensure that they remain current with technology developments and emerging considerations with authentication technologies. However, given that this is the first edition of the Guiding Principles and authentication technologies are a rapidly evolving area, the ABA will conduct an initial review after 12 months.


2.                      The Guiding Principles

Financial institutions should be mindful of the principles of accessibility and inclusiveness in adopting authentication technologies from concept through to deployment. The aim is to create policies and systems to accommodate the widest possible range of users and customers.

The Guiding Principles cover deployment of authentication technologies, including design, implementation, communication and operation.

Principle 1: Accessibility of authentication technologies

Financial institutions should ensure that authentication technologies are accessible to all customers, or where this is not possible, a human-based alternative authentication system needs to provide equivalent amenity and convenience.

Financial institutions should make best endeavours to ensure that all authentication technologies across retail banking channels are as accessible as possible to all customers.

Authentication technologies should support the widest possible range of customers, including customers with disabilities and older customers, without the need to develop alternative options or ‘fall-back’ modes of access. However, where this is not possible, alternative authentication should be provided which enables equivalent amenity and convenience. For example, a customer with damaged fingers or motor impairments may have difficulty using biometric authentication technology, which relies on matching a fingerprint to a person. An alternative method of authentication should be available for such customers and may be technology or human-based.

Explanatory guidance to Principle 1

While the expectation is that financial institutions will do all they can to ensure any authentication technologies provide for the greatest possible access for all customers, there may be occasions where alternative authentication processes or systems need to be provided.

A customer may not be able to use an authentication technology because they either have extreme difficulties in one particular area or have multiple disabilities so that no combination of the accessibility features meets their needs. For example, a customer who is both deaf and blind is unable to hear the information in spoken form and is unable to read the authentication information visually. Such a customer most likely needs to have in place Braille technology capable of accessing the National Relay Service/TTY and will need to communicate with a human agent via this service. [See www.relayservice.com.au]

A customer may have motor skill difficulties which make inputting data difficult in the prescribed time period. Such a customer may be better served by a human agent. Alternatively, a customer may be physically able to use the authentication technology, but is encountering confusion or difficulties understanding how to use the authentication due to an information or intellectual disability or age-related cognitive impairment. Such a customer may also be better served by a human agent who is better placed to interpret and suggest remedies for the customer. A human agent also provides a friendly ‘face’ to the financial institution, particularly when new authentication technologies are being deployed.


If a customer is unable to use a retail banking channel due to the authentication technology deployed, there should be a means by which the customer can gain ‘equivalent access’, such as equivalent funds transfer limits. This may be via automated telephone banking, or it may be necessary for the customer to speak to a human agent to enable them to transfer the required amount. Financial institutions should ensure that the process by which a customer is authorised to work with a human agent is straightforward and convenient; for example, if forms need to be completed, they should be available in accessible formats.

Financial institutions should consider making available a human agent 24 hours a day, 7 days a week, or at least for extended business hours. A human agent or customer service representative is usually the most effective and convenient solution for those customers that have difficulty in completing their banking transactions due to the authentication technology deployed. Financial institutions should also provide their staff and customers with information explaining authentication technologies, alternative authentication arrangements and banking channels.

Financial institutions should have a dialogue with their customers to identify and put in place suitable access arrangements. Financial institutions may need to develop individual arrangements for some customers that are unable to access banking services due to the authentication technology deployed. For example, some customers may have to make use of human-based alternatives, such as telephone banking, and may need to access services that would otherwise not be available through ordinary telephone banking channels, such as immediate access to make larger payments or transfers and retrieve account statements. In these instances, individual arrangements for such customers unable to conduct their banking transactions due to difficulties using authentication technologies may need to be reflected in business rules and with support services.

Financial institutions should consider how authentication technologies or alternative authentication arrangements deployed to access retail banking channels may impact on the privacy and security of their customers. For example, financial institutions may need to consider how authentication technologies may impact customers using face-to-face banking via bank branches, such as customers who are hearing impaired and utilising counter hearing systems, including microphone and hearing loop at branch counter or an Auslan interpreter. Similarly, financial institutions may need to consider how authentication technologies for telephone banking may impact on customers using support services and authorised third parties to complete their banking transactions, such as the National Relay Service/TTY.

Financial institutions should consider providing a choice of authentication technologies to maximise the number of people who can independently use the authentication technology, access their banking services and conduct their banking transactions. Some authentication technologies rely on the customer being able to see a display, whereas others may offer possibilities for information to be spoken. Biometric authentication solutions may rely on the person possessing a particular attribute or capability, and therefore will exclude people who are unable to meet the necessary physical requirements. Providing more than one authentication system, such as a variety of tokens (large screen and/or audio), SMS messages, shared secrets and so on, gives choice and broadens the likelihood that a customer can use one of the available authentication approaches.


Financial institutions should provide efficient re-enrollment. If a customer can no longer use an authentication or biometric system reliably, the customer should be provided, wherever feasible, with the opportunity to repeat the registration or enrollment process. For example, this could happen if the customer has an accident, or if their biological attributes change for some reason.

Financial institutions need to consider their business rules to ensure that Powers of Attorney and designated authority representatives (such as a family member, friend, carer or other authorised third party) are appropriately recognised as part of the deployment of authentication technologies. For example, some customers may have third parties assist them in conducting their banking transactions. Formal arrangements should be accommodated within authentication procedures and systems. Financial institutions should also ensure that business rules enable intermediaries and third parties to be authorised on a permanent basis or session/transaction specific basis.
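The paragraph above asks that business rules recognise Powers of Attorney and other authorised third parties, and that authority can be granted either permanently or for a single session or transaction. The following is an added illustration of how such rules can be expressed as an authorisation check; it is not code from the ABA or from any member bank. The grant scopes, identifiers (cust-1, carer-1, sess-A and so on), amounts and the 2007 timestamp are all constructed for the example. Two design points it makes explicit: a delegate is given the same per-transaction limit the customer would have (equivalent access, not extra privilege), and session- and transaction-scoped grants must carry an expiry and, where relevant, a session binding, so that a one-off authorisation cannot be replayed later.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Scope(Enum):
    PERMANENT = "permanent"      # standing authority, e.g. a registered Power of Attorney
    SESSION = "session"          # valid only within one authenticated session
    TRANSACTION = "transaction"  # single use: consumed by the first transaction it authorises


@dataclass
class Grant:
    principal: str                          # the customer who delegated authority
    delegate: str                           # the third party acting for the customer
    scope: Scope
    per_transaction_limit: int              # cents; equal to the customer's own limit, never higher
    expires_at: Optional[datetime] = None   # mandatory unless the grant is PERMANENT
    session_id: Optional[str] = None        # mandatory for SESSION grants
    used: bool = False                      # set once a TRANSACTION grant has been consumed

    def __post_init__(self):
        if self.scope is not Scope.PERMANENT and self.expires_at is None:
            raise ValueError("session and transaction grants must carry an expiry")
        if self.scope is Scope.SESSION and self.session_id is None:
            raise ValueError("session grants must be bound to a session id")


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(grants: List[Grant], *, principal: str, delegate: str,
             amount: int, session_id: str, now: datetime) -> Decision:
    """Decide whether `delegate` may move `amount` from `principal`'s account.

    Every grant for the pair is tried; the first usable one authorises the
    transaction (and, if single use, is consumed). Otherwise the reason the
    last candidate failed is reported so support staff can explain the refusal.
    """
    reason = "no grant for this delegate"
    for g in grants:
        if g.principal != principal or g.delegate != delegate:
            continue
        if g.expires_at is not None and now >= g.expires_at:
            reason = "grant expired"
        elif g.scope is Scope.SESSION and g.session_id != session_id:
            reason = "grant bound to a different session"
        elif g.scope is Scope.TRANSACTION and g.used:
            reason = "single-use grant already consumed"
        elif amount > g.per_transaction_limit:
            reason = "amount exceeds delegated limit"
        else:
            if g.scope is Scope.TRANSACTION:
                g.used = True
            return Decision(True, f"authorised under {g.scope.value} grant")
    return Decision(False, reason)


def demo():
    """Constructed sample: one customer, three delegates with different scopes."""
    now = datetime(2007, 12, 1, 9, 0)
    grants = [
        Grant("cust-1", "carer-1", Scope.PERMANENT, 500_00),
        Grant("cust-1", "friend-1", Scope.SESSION, 200_00,
              expires_at=now + timedelta(hours=1), session_id="sess-A"),
        Grant("cust-1", "friend-2", Scope.TRANSACTION, 1000_00,
              expires_at=now + timedelta(minutes=30)),
    ]
    requests = [
        ("carer-1", 300_00, "sess-X", now),                        # within the PoA limit
        ("friend-1", 100_00, "sess-B", now),                       # wrong session
        ("friend-2", 900_00, "sess-C", now),                       # first use of single-use grant
        ("friend-2", 50_00, "sess-C", now),                        # second use is refused
        ("carer-1", 600_00, "sess-X", now),                        # over the delegated limit
        ("friend-1", 100_00, "sess-A", now + timedelta(hours=2)),  # right session, but expired
    ]
    return [
        (d.allowed, d.reason)
        for d in (evaluate(grants, principal="cust-1", delegate=who, amount=amt,
                           session_id=sid, now=t) for who, amt, sid, t in requests)
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The refusal reasons are deliberately specific so that a human agent (Principle 1) can tell the customer and their representative what needs to change, rather than a generic "not authorised". In a real deployment the grants would come from the institution's records of formal authorisations, and `now` from a trusted clock.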

Financial institutions should be aware that some of their customers use support services and/or assistive technologies to help them verify their identity, access their banking services, conduct their banking transactions and verify their transactions, which may mean these customers may take longer than other customers to complete their banking activities. Financial institutions should ensure their staff and customers are aware that customers using support services and/or assistive technologies may take longer to complete their banking activities.

Financial institutions should ensure their customers have access to the support services of qualified and reputable interpreters to assist them in conducting their banking transactions, such as interpreters accredited by the National Accreditation Authority for Translators and Interpreters (NAATI). For example, financial institutions should make available information about how to access qualified and reputable support services.

Financial institutions should consider ‘equivalent access’ not just in design and deployment of authentication technologies, but as part of staff and customer training and awareness.

Principle 2: Customer convenience

All customers should be able to undertake their personal and business financial activities conveniently and safely.

Authentication technologies should be designed and deployed so that the widest possible range of customers can use the technology effectively and conveniently. Authentication solutions should be as user-friendly and accessible as possible.

Financial institutions should provide information to customers on user requirements for authentication technologies, and alternative authentication technologies available for those customers unable to meet the user requirements.

Financial institutions should ensure that all customers can access their banking services conveniently. Some factors to consider include support services, such as the National Relay Service/TTY or Auslan interpreters, other authorised third parties acting on behalf of customers and other mechanisms that help customers conduct their banking activities.


Financial institutions could work with relevant community organisations to identify strategies that promote customer convenience as well as minimise the possibility of financial abuse by ensuring arrangements and processes are in place to support alternative authentication options, such as business rules, Powers of Attorney and other formal authorisations. 

Explanatory guidance on Principle 2

All customers benefit from universal designs, however, it is important to understand the diversity of problems, tools and abilities of all customers, especially those customers with disabilities or older customers who may find it particularly difficult to access banking services where authentication technologies are deployed.

Financial institutions should also ensure they comply with the W3C’s Web Content Accessibility Guidelines. Consistent with W3C/WAI, to promote user convenience:

  • Content must be perceivable: For example, provide text alternatives for all non-text content and make it easy to distinguish foreground information from its background.

  • Interface components in the content need to be operable: For example, make all functionality operable via a keyboard interface; allow users to control time limits on their reading or interaction or allow users to extend a session that is about to time out; and help users avoid mistakes and make it easy to correct mistakes that do occur.

  • Content and controls must be understandable: For example, make text content readable and in “plain English”.

  • Content should be robust enough to work with current and future users, including assistive technologies: For example, ensure that content is accessible or provide an accessible alternative.
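The second bullet above asks that customers be able to control time limits and extend a session that is about to time out. The model below is an added example, not part of the ABA document or any bank's code, of how an online banking session can honour that while keeping the security property a timeout exists for: the idle clock can be reset by the customer as often as needed, but an absolute session lifetime is never extended, and an already-expired session cannot be revived without re-authentication. The policy numbers (600, 120 and 3600 seconds) and the timeline in `demo()` are constructed assumptions, not values from the Guiding Principles.

```python
from dataclasses import dataclass


@dataclass
class TimeoutPolicy:
    idle_timeout: int = 600        # seconds of inactivity after which the session ends
    warning_before: int = 120      # warn this many seconds before idle expiry and offer to extend
    absolute_lifetime: int = 3600  # hard cap on session age; extensions never push past it


@dataclass
class Session:
    started_at: int        # seconds since an arbitrary epoch (constructed; real code reads the clock)
    last_activity: int
    extensions: int = 0    # how many times the customer has asked for more time


def state(policy: TimeoutPolicy, s: Session, now: int) -> str:
    """'active', 'warning' (tell the customer and offer an extension) or 'expired'."""
    if now - s.started_at >= policy.absolute_lifetime:
        return "expired"  # the security bound wins regardless of activity
    idle = now - s.last_activity
    if idle >= policy.idle_timeout:
        return "expired"
    if idle >= policy.idle_timeout - policy.warning_before:
        return "warning"
    return "active"


def seconds_remaining(policy: TimeoutPolicy, s: Session, now: int) -> int:
    """What the warning should announce: the smaller of the idle and absolute budgets."""
    idle_left = policy.idle_timeout - (now - s.last_activity)
    absolute_left = policy.absolute_lifetime - (now - s.started_at)
    return max(0, min(idle_left, absolute_left))


def extend(policy: TimeoutPolicy, s: Session, now: int) -> bool:
    """Customer chose 'I need more time'. Resets the idle clock, not the absolute one.

    Refused once the session has expired: an expired session must be
    re-authenticated, not silently revived by a late button press.
    """
    if state(policy, s, now) == "expired":
        return False
    s.last_activity = now
    s.extensions += 1
    return True


def demo():
    """Constructed timeline for a customer who works slowly, e.g. via a screen reader."""
    policy = TimeoutPolicy()
    s = Session(started_at=0, last_activity=0)
    log = []
    log.append(("t=0", state(policy, s, 0)))              # active
    log.append(("t=500", state(policy, s, 500)))          # warning: idle 500 >= 600 - 120
    log.append(("extend@500", extend(policy, s, 500)))    # True: idle clock reset
    log.append(("t=1000", state(policy, s, 1000)))        # warning again (idle 500)
    log.append(("t=1100", state(policy, s, 1100)))        # expired (idle 600)
    log.append(("extend@1100", extend(policy, s, 1100)))  # False: must re-authenticate
    # A second session that has been extended repeatedly, right up to the cap
    s2 = Session(started_at=0, last_activity=3500, extensions=6)
    log.append(("remaining@3550", seconds_remaining(policy, s2, 3550)))  # 50: absolute cap binds
    log.append(("t=3600", state(policy, s2, 3600)))       # expired by absolute lifetime
    return log


if __name__ == "__main__":
    for event, result in demo():
        print(f"{event}: {result}")
```

The warning state is the hook for the accessible prompt: the remaining time from `seconds_remaining` should be announced in text as well as visually, and the extension action should be reachable from the keyboard so that screen reader and switch users can respond to it. The `extensions` counter is there so an institution can report or cap how often a session is prolonged if its risk rules require it.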

Financial institutions should make every effort to support the widest possible range of customers. Beginning with their own organisations, financial institutions should work towards consistency of Internet-related terminology, concepts and processes, with the following objectives:

(a)   consistency of standard transactions across financial institutions, for example, by agreeing on order of fields in funds transfer forms, BPAY forms, etc;

(b)   consistency on terminology for user name, password, receipt number, etc. (Experience has shown that consistent and predictable human interfaces benefit users. The benefits can include faster learning, greater productivity, fewer errors and greater satisfaction. Consistent interfaces also benefit the industry by promoting greater acceptance of products and services.)


The following notes from W3C/WAI should also be considered:

“Provide consistent and predictable responses to user actions within the online service. Make interactions consistent, both throughout the site and with commonly used interaction metaphors used throughout the Web. For example, similar layout for user interface components is used throughout your site, similar user interface components are labelled with similar terminology, controls that look the same are designed to act the same, operating system, language, or application conventions likely to be familiar to the user have been followed, unusual user interface features or behaviors that are likely to confuse the first-time user are documented. Providing responses to user actions is important feedback for the user. This lets them know that your site is working properly and encourages them to keep interacting. When the user receives an unexpected response, they might think something is wrong or broken. Some people might get so confused they will not be able to use your site.”

Principle 3: Authentication planning

Financial institutions should consider the accessibility needs of customers with disabilities and older customers as part of authentication technology planning.

Financial institutions should consider the access requirements of customers with disabilities and older customers in the design of authentication technologies. It is good business sense to ensure all customer needs are considered early in the design and implementation of authentication technologies in order to avoid incurring potential additional costs later.

Explanatory guidance on Principle 3

Financial institutions should consider the accessibility needs of customers with disabilities and older customers in the design of authentication technologies. When planning to implement authentication technologies, financial institutions should consider how the authentication technologies they deploy may impact all customers. By taking into account the needs of all customers and the environments in which they work, authentication technologies can both enhance security and provide convenient access. For example, accessibility considerations could be part of any internal check-lists used by financial institutions when assessing, developing or modifying authentication technologies.

Financial institutions should consider the accessibility implications and processes for stronger authentication. There are three phases involved in stronger authentication approaches.

  • Enrolment – Setting up the technology, registering the customer, taking necessary details or measurements, issuing devices/passwords etc. If a biometric system is used, enrolment involves taking a baseline biometric measure. Usually, this would be done with a special biometric terminal, which should be staffed by qualified personnel. Those personnel should be trained in the necessary skills to assist a person with a disability to successfully provide the biometric measure or measures.

  • Authentication – Identity of the person is validated and verified to a satisfactory degree, based on the information and credentials being supplied by the user.

  • Authorisation – Once the authentication has been done, the customer is then allowed access to those services and information which they are authorised to access.


Some key points to consider when ensuring maximum flexibility for financial institutions and users include:

  • Authentication management – roles and responsibilities will most likely spread across business units; for example, authentication policies and procedures, user enrolment, applications and networks and so on. It is important that deployment of user authentication technologies is effectively managed.

  • Authentication practices – existing practices and user privileges should be accommodated. Balancing security, usability and practicality will assist in adoption of new technologies. It is important for financial institutions to maintain flexibility to support multiple users without incurring undue cost.

  • Authentication integration – a review of users, applications and environments when introducing new system requirements should be conducted. It is important to reduce unnecessary or costly system integrations later.

  • Technology neutrality – as far as possible, authentication architecture should be interoperable with different applications and/or devices. It is important for users to maintain autonomy in selecting technology or applications to access Internet banking services.

Financial institutions should ensure that authentication technologies do not impede their ability to meet standards on accessibility of electronic banking. For example, consideration of timed responses should be included in authentication planning.

Financial institutions should consult existing standards for accessibility, such as the ABA’s voluntary Industry Standards on Accessibility of Electronic Banking and the W3C’s Web Content Accessibility Guidelines.

Principle 4: Authentication testing

Financial institutions should consult customers with disabilities and older customers as part of planning and testing accessibility of authentication technologies.

Financial institutions should test accessibility of their authentication technologies and solutions through user accessibility trials.

Financial institutions could consult with organisations representing people with disabilities or older people to identify a representative panel of end-users.

Financial institutions may also consult with accessibility experts to ensure wide testing of possible authentication technologies and solutions. 

Explanatory guidance on Principle 4

During design, and prior to implementation, financial institutions should test accessibility of their authentication technologies, including all elements of the interface, with users representing a range of capabilities and limitations (such as, in respect of visual, auditory, physical, cognitive and behavioural ability). For example, to test accessibility of their authentication technologies and solutions, financial institutions could conduct user accessibility trials. Such trials could be engaged to identify potential authentication issues and should involve a representative panel of end-users covering a range of users, including users with disabilities and older users.

Organisations that may assist in identifying potential end-users to be engaged in testing can be found at the HREOC website. [See ‘Peak/major organisations’ at www.humanrights.gov.au/disability_rights/links/links.html#community]

There are significant benefits to consulting with customers and users from the beginning of the project (for example through focus groups at the initial planning stages) and at key stages within the project. Feedback from customers and users can then be incorporated into the business rules and user requirements that create a framework for the development of technical and design specifications and performance criteria. This may help minimise accessibility problems after implementation.

Financial institutions should test their authentication technologies with adaptive and assistive technologies, such as screen readers, screen enlargers, speech recognition software and computer assisted translators. Testing should also be conducted using various web browsers to ensure wide accessibility.

There are also significant benefits in testing accessibility for wider usability. Decisions concerning accessibility are unlikely to adversely affect overall usability, and in fact, these decisions can often enhance usability for all customers. However, if changes are made for accessibility, the revised design may need to be tested again for general acceptance.

A range of semi-automated evaluation and testing tools is available on the W3C website. [See http://www.w3.org/WAI/ER/tools/]

Principle 5: Registration, login and transaction procedures

Financial institutions should ensure that registration, login and transaction procedures are as accessible as possible to all customers.


Implementation of stronger authentication should, as far as possible, not substantially compromise convenience of registration, login and transaction procedures.

Financial institutions should provide an opportunity for customers to identify that they may require alternative authentication. 

Authentication procedures required for registration, login and transactions should, as far as possible, be able to be operated by customers who use access and assistive technologies, such as alternative input software and screen output software (for example, speech recognition or screen reading software) for Internet banking.

Explanatory guidance on Principle 5

Authentication technologies and systems should provide timeouts of sufficient duration so that all customers have adequate time to look up and enter their password. For example, financial institutions should consider authentication technologies that enable flexibility to alter or extend the time required to complete authentication. Alterations to authentication should not undermine security requirements.


Financial institutions should follow the guidance recommendations on account and service registration found in section 11.4.1 and on timeouts found in section 11.1.2.1 of the ABA’s voluntary Industry Standard on Internet Banking.

Financial institutions should, subject to identification and security requirements, accept the registration of a customer to an Internet banking service when the registration request is received either directly via a telephone or TTY, or indirectly through a telephone relay service, and without completing printed forms. Customers should, as far as possible, be able to use a keyboard alternative.

For this to occur, the financial institution may need to put in place an individual arrangement that recognises the disclosure of confidential information between the parties to that arrangement as an exception to standard business rules.

Principle 6: Messages and error recovery

Financial institutions should ensure that online messages are unambiguous and written in “plain English” and that error recovery processes are efficient and accessible.

Financial institutions should make best endeavours to ensure that all customers are able to easily and readily understand error messages and undertake error recovery processes. For example, customers should, as far as possible, be provided with the opportunity to recover or cancel transactions or change data.

Financial institutions should ensure that error messages presented to the customer by authentication technologies are clear and unambiguous. For example, some customers, particularly those with intellectual disabilities or cognitive impairments, may find it difficult to comprehend some automated error messages. Error messages generated by financial institutions should be relevant to the error, for example, “failed authentication”.

Explanatory guidance on Principle 6

Customers should, as far as possible, be provided with the opportunity to recover from their most recent error without being required to re-enter correct information. Customers should also, as far as possible, be provided with the opportunity to cancel transactions and/or change data and information that has been entered during a session without having to cancel the session and re-commence.

Authentication technologies may require some information to be re-entered so that system and account security is not compromised. Errors can occur for a variety of reasons, and therefore re-prompting for previously entered data may sometimes be required to reinitiate retail banking services or confirm transactions. Where it is not possible to recover from an error, for example after a payment has been submitted and confirmed, financial institutions should provide a confirmation step that lets customers check transaction details before submitting the payment, and that tells them that authentication was successful and that the transaction and/or payment was successful. Confirmation is important for authentication and can also enhance usability for all customers. Confirmation screens or notifications that an action has occurred (for example, “successful authentication”) or that a transaction has taken place should be accessible.

Within a given session, unless information re-entry is required for reasons of privacy, security or verification, the customer should not be required to enter any given piece of information more than once. For example, the number of key presses or mouse clicks required of the user should be minimised.


Redundancy of information across more than one sensory channel should be provided, and will assist customers with sensory disabilities as well as all customers that use personal/mobile technologies. For example, video clips should contain audio descriptions for blind users and text captions for deaf users.

Audible bells and alarms from the computer should also be represented visually. Pictures, tables, flow charts and other visual information should be described or summarised in textual form, where possible, for those who cannot see them and for those who do not have graphical capabilities readily available.

When live streaming is used, text script should be provided as soon as possible following the event.

Customers should have access to ‘Help’ functionality to assist in identifying and fixing connectivity problems. Financial institutions should provide online assistance on common error messages, such as in the form of accessible FAQs. A help desk should also be available to assist customers in completing authentication and accessing their retail banking services.

In instances of system failure, financial institutions should ensure that error messages allow customers to easily and readily recover and clearly state procedures for customers to reinitiate their banking transaction or activity. For example, customers may be required to re-enter information to recover from data or information loss, which may not be apparent to users of authentication technologies.

Financial institutions should follow the guidance recommendations on error recovery found in section 11.4.6 of the ABA’s voluntary Industry Standard on Internet Banking.

Principle 7: Staff and customer training

Financial institutions should provide relevant customer support staff with appropriate disability awareness training so they are aware of the needs of customers with disabilities and older customers. In addition, financial institutions should provide customers with information and training in the use of available authentication technologies.

Relevant staff whose primary role is to provide customer support services should be provided with appropriate awareness training to understand that some customers may use access and assistive technologies, such as screen readers, screen enlargers, speech recognition software, computer assisted translators, or authorised third parties, such as the National Relay Service/TTY, to assist them in accessing and conducting their banking activities.

Financial institutions should make available information about how to effectively and securely use authentication technologies.

Financial institutions should consider how best to deliver information and training in the use of authentication technologies specifically designed to meet the needs of customers with disabilities and older customers. For example, financial institutions could provide customer training through a range of methods, such as web-based, DVD/CD-rom, over the telephone or face-to-face. Training should be delineated by media types, such as captioning and audio description.


Explanatory guidance on Principle 7

It is important that training is accessible for people with disabilities and older people. Financial institutions should provide access to appropriate learning opportunities for their staff and customers, as part of eliminating the ‘Digital Divide’.

Financial institutions should provide relevant staff with training relevant to their position or role within the organisation. Training should be part of induction and initial training programs and ongoing training programs, especially for staff that are in customer-facing roles.

Managers, supervisors and senior staff in branch, call centre customer service and help desk functions should be provided with appropriate awareness training in the combination of authentication and access technologies and in understanding how people with disabilities and older people access online services. For example, financial institutions could consider making available a staff member with superior knowledge and skills in dealing with customers with a disability or older customers in a branch, call centre customer service or help desk function.

Financial institutions should provide relevant branch, call centre customer service and help desk staff with appropriate training in providing support for users of authentication.

Some topics could include:

  • Basic facts about people with disabilities and access to online services;

  • Information about tools and equipment that may be used to read information, such as screen readers;

  • Information about different formats and how the organisation is using different formats for people with disabilities, such as Braille statements; and

  • Identification of appropriate induction and ongoing training areas where face-to-face and e-learning about accessibility of banking can be incorporated.

Staff who are web developers and/or web content managers should receive training and guidance in developing accessible websites and in understanding how people with disabilities and older people access online services, so that they can develop appropriate strategies for authentication and broader accessibility of Internet banking websites.

Staff who are employed to assist customers to operate biometric terminals or support systems which employ authentication technologies should be trained in how to assist and support customers with disabilities and older customers.

Customer training will ensure that all customers are able to easily, readily and efficiently access and operate authentication technologies. Training should be developed taking into account all customer needs, including the needs of customers with a range of capabilities and limitations.


Financial institutions should make available training in the use of authentication technologies specifically designed to meet the needs of staff and customers with disabilities and older staff and customers, such as training provided through a range of methods including web-based, DVD/CD-rom, over the telephone or face-to-face.

Where financial institutions provide face-to-face training, this should be developed and conducted by suitably trained staff, or could be offered by arrangement with a registered training organisation (RTO) with experience in training people with disabilities and older people.

Where financial institutions provide customer training over the telephone, training staff should be capable of providing support to people with disabilities and older people. Where financial institutions provide customer training via DVD/CD-rom or web-based formats, training should be delineated by media types.

Some areas to cover in training modules could include:

  • Practice Option: Each site should have a practice section, where people can perform practice logon and trial transactions to safely explore and master the service, without risking funds. To ensure accessibility, the practice facility should provide a substantially similar customer experience and should give feedback on the success or otherwise of the practice transaction. Such feedback should also include suggestions on error correction.

  • Accessible Online Tutorials: Users may benefit from accessible online tutorials for a site or feature. To ensure accessibility, tutorials should be developed using the same technologies as for the actual service.

Financial institutions should consider providing all staff with training regarding awareness of the needs and diversity of people with disabilities and older people as part of staff induction training and ongoing workplace diversity programs.

Principle 8: Raising staff, business and customer awareness

Financial institutions should develop a strategy for enabling relevant management and staff awareness of these Guiding Principles. In addition, financial institutions should promote the availability of alternative accessible authentication technologies with their customers.

Financial institutions should ensure relevant management and staff have a broad awareness of the diversity of their customer base and accessibility issues, including the existence of these Guiding Principles.

Financial institutions should promote the availability of alternative accessible options to help customers with disabilities and older customers to become aware of authentication technologies and possible alternative authentication arrangements or devices. Promotion of these alternative arrangements or devices could be done in partnership with organisations representing people with disabilities or older people.

Relevant banking information and marketing materials about authentication technologies should contain information on devices and services to support all customers.


Financial institutions should also discuss with relevant organisations and representatives of people with disabilities and older people issues about the privacy and security rights and responsibilities of customers using authentication technology, and reflect the outcomes of those discussions in individual organisations’ policies and business rules.

Explanatory guidance on Principle 8

It is important that relevant management and staff are aware of the diversity of their customer base and of accessibility principles.

Financial institutions should consider how best to advocate and raise awareness of accessibility issues within the organisation. For example, financial institutions should raise awareness of these Guiding Principles with relevant senior staff, such as staff involved in the development of policies, procedures and practices.

Financial institutions should advocate and raise awareness of accessibility issues and the existence of these Guiding Principles with their busi
