
Guiding Principles for Accessible Authentication

(Consultation Draft v1.0)

4 December 2006

Status of this document

This document is the initial consultation draft Guiding Principles for Accessible Authentication ("The Guiding Principles") for banks and other financial institutions ("financial institutions") promoting the accessibility of authentication systems.

Audience

The intended audience for this document includes financial institutions and other stakeholders including regulators, government agencies and law enforcement.
It is also relevant to disability organisations and individuals with disabilities.

Acknowledgements

The ABA would like to acknowledge the contribution of the Human Rights and Equal Opportunity Commission (HREOC), Blind Citizens Australia, Physical Disability Council, Abacus Australian Mutuals and various ABA member banks that participated in the ABA's Accessible Authentication Working Group.

The ABA would also like to acknowledge Tim Noonan for his work on this project and Dr John Gill for allowing us to use the Guidelines for the Design of Accessible Information and Communication Technology Systems, in particular the section on biometric systems.

Disclaimer

Please note that the initial consultation draft Guiding Principles do not necessarily constitute a formal stance of the ABA or its member banks.

The consultation draft Guiding Principles are based on information about the design, deployment and operation of authentication solutions available at the time they were developed. They should not be relied upon as a substitute for professional advice in complying with the law.

Consultation

The ABA is seeking public submissions on the consultation draft Guiding Principles by 2 February 2007. Please see below for details of consultation.

Published by the Australian Bankers' Association Inc
ARBN 117 262 978
Incorporated in New South Wales
Liability of members is limited

December 2006

Copyright, Australian Bankers' Association
All rights reserved.

Table of Contents
Section number Section name
1. Introduction
1.1 Aim of the Guiding Principles
1.2 Objective of the Guiding Principles
1.3 Scope of the Guiding Principles
1.4 Principles-based approach of the Guiding Principles
1.5 Technology Neutrality of the Guiding Principles
1.6 Adoption of the Guiding Principles
2 The Guiding Principles
2.1 Design
2.2 Implementation
2.3 Communication
2.4 Operation
Appendix 1 Access issues facing people with disabilities and older Australians
Appendix 2 Explanatory Guidance: Accessibility of Banking Authentication

1. Introduction

Conducting banking and managing personal finances are important activities. Advances in technology and the emergence of electronic banking have increased the convenience of banking, but have also increased the need for financial institutions to make sure that their customers can conduct their banking safely and securely.

These Guiding Principles have been developed to:

  • Provide guidance to financial institutions adopting stronger authentication technologies as part of their banking services;
  • Ensure that all customers of financial institutions operating in Australia, including people with disabilities and older people, are able to access and manage their finances independently, securely and effectively; and
  • Ensure that the access needs of people with disabilities and older people are considered in the design and deployment of authentication technologies.

As with any technological developments, accessibility issues need to be considered in the design and deployment of authentication technologies, to ensure that people with disabilities and older people are not disadvantaged.

1.1 Aim of the Guiding Principles

The aim of the Guiding Principles is to provide a framework for financial institutions to help reach a workable balance between security requirements, commercial strategies and equitable access to banking products and services.

These Guiding Principles promote the following universal design principles:

  • Equitable use: The design is useful for the widest possible group of users.
  • Flexible use: The design accommodates a wide range of individual preferences and abilities.
  • Simple and Intuitive use: The design is easy to understand.
  • Perceptible use: The design communicates necessary information to the user in a clear and effective manner.
  • Tolerance for error: The design minimises hazards and the adverse consequences of accidental or unintentional actions.
  • Minimal physical effort: The design can be used comfortably.
  • Size and space for approach and use: The design can be used conveniently.

1.2 Objective of the Guiding Principles

The objective of the Guiding Principles is to ensure that, as far as possible, people with disabilities and older people are not discriminated against when a financial institution adopts stronger authentication technologies.

These Guiding Principles recognise that:

  • Financial institutions need to ensure that fraud is minimised and need to manage customer confidence and the financial institution's financial risk.
  • People with disabilities and older people need to be able to access their finances and conduct business efficiently, conveniently and independently.
  • Financial institutions need the flexibility to develop security and authentication systems which effectively integrate into their business rules, are consistent with their commercial strategies, and which they deem appropriate to meet the needs of their customers.

1.3 Scope of the Guiding Principles

The Guiding Principles relate to deployments of user authentication technologies and approaches across electronic and face-to-face banking channels, with particular relevance for Internet banking. However, financial institutions may consider how the Guiding Principles could relate to their broader service commitments on accessible banking.

The Guiding Principles are intended for use by developers, suppliers, designers and users of authentication technologies. They are not intended to prevent the use of authentication technologies.

1.4 Principles-based approach of the Guiding Principles

The Guiding Principles follow a principles-based approach. They do not provide technical standards. In implementing the Guiding Principles, financial institutions will set their own boundary conditions on threat levels, transaction values and other parameters, being mindful of the accessibility implications of any authentication technologies employed.

In addition, the Guiding Principles recognise that in certain circumstances providing equitable access for people with disabilities could cause 'unjustifiable hardship' for an individual or organisation, consistent with the provisions of the Disability Discrimination Act 1992.

 
The Guiding Principles also contain a number of appendices providing further guidance to assist financial institutions.

  • Appendix 1: Access issues facing people with disabilities and older Australians - contains additional information about the types of disabilities that are among the most common and relevant to user authentication design, deployment and operation.
  • Appendix 2: Explanatory Guidance: Accessibility of Banking Authentication - provides further explanation of the principles. The Guiding Principles should be read along with the Explanatory Guidance.

1.5 Technology Neutrality of the Guiding Principles

The Guiding Principles set out broad concepts that may be applied across a range of banking channels. This approach was taken so that the Guiding Principles could be applied to a variety of authentication technologies and approaches, including those which do not yet exist.

The Guiding Principles are intended to be technology neutral. They do not recommend specific authentication technologies. Instead, the Guiding Principles set out high-level performance criteria that can be used to assess the appropriateness of authentication technologies in the context of each individual financial institution's circumstances.

1.6 Adoption of the Guiding Principles

The Guiding Principles do not carry the force of law and are not intended to be legal in nature. Adoption of these Guiding Principles is voluntary, but it is expected that ABA member banks, Abacus member credit unions and building societies and other financial institutions will seek to take advantage of the benefits afforded by the Guiding Principles.

While the Guiding Principles are voluntary industry guidelines they are aimed at assisting financial institutions to develop the most accessible authentication systems possible. It is intended that adoption and implementation of the Guiding Principles will significantly reduce the likelihood of successful complaints of discrimination.  

Financial institutions should also consider the ABA's Online Authentication Guidelines (2005), which provide a risk-based model for the deployment of authentication technologies, as well as the ABA's voluntary Industry Standards on Accessibility of Electronic Banking (2002).

Financial institutions could also consider referring to the voluntary Guiding Principles and the voluntary Industry Standards in their service commitments which set out how financial institutions will meet their customers' needs, including equivalent access for people with disabilities and older people.

2 The Guiding Principles

Financial institutions should be mindful of the principles of accessibility and inclusiveness in adopting authentication technologies from concept through to deployment. The aim is to create policies and systems to accommodate the widest possible range of users and customers.

These Guiding Principles cover:

  • Design
  • Implementation
  • Communication
  • Operation

2.1 Design

Principle 1: User convenience

All users should be able to undertake their personal and business financial activities conveniently and safely.

Authentication technologies should be designed so that the widest possible range of users can use the technology effectively and conveniently. Authentication solutions should be as user-friendly and accessible as possible.

Financial institutions should provide information to customers on user requirements, and alternatives available for those users unable to meet the requirements.

Principle 2: Authentication planning

Financial institutions should consider the accessibility and usability needs of users with disabilities and older users as part of authentication technology planning.

The needs of users with disabilities and older users should be considered in the design of authentication technologies. For example, accessibility considerations could be part of any internal check-lists used by financial institutions when assessing, developing or modifying authentication technologies.

Financial institutions should ensure that authentication technologies do not impede their ability to meet standards on accessibility of electronic banking.

Principle 3: Authentication testing

Financial institutions should consult users with disabilities and older users as part of planning and testing accessibility and usability of authentication technologies.

Financial institutions should test accessibility of their authentication technologies through user accessibility trials. For example, a representative panel of end-users covering a range of users, including users with disabilities, could be engaged to identify potential authentication issues. Financial institutions may consult with disability organisations to identify such a representative panel.

Principle 4: Registration, login and transaction procedures

Financial institutions should ensure, as far as possible, that registration, login and transaction procedures are accessible to all users.

Authentication procedures required for registration, login and transactions should, as far as possible, be able to be operated by customers who use alternative input support equipment to assist accessing technology, such as screen reading or speech recognition software for Internet banking.

Financial institutions should follow the guidance and recommendations on account and service registration found in section 11.4.1 of the ABA's voluntary Industry Standards on Internet Banking.

Financial institutions should also ensure that they comply with the W3C's Web Content Accessibility Guidelines or equivalent best practice in web accessibility endorsed in Australia.

Principle 5: Messages and error recovery

Financial institutions should, as far as possible, ensure that online messages are unambiguous and written in plain English and that error recovery processes are efficient.

As far as possible, users should be provided with the opportunity to recover from their most recent error without being required to re-enter correct information. Where it is not possible to recover from an error, for example, after submitting and confirming a payment, financial institutions should provide 'confirmation screens' for users to check transaction details before submitting payments.

Financial institutions should ensure that error messages that may be generated when authentication technologies are used avoid words such as "wrong", "illegal", "fatal" and "critical", as these may cause undue concern or alarm for some users.

2.2 Implementation

Principle 6: Equivalent access

Financial institutions should ensure that any human-based alternative authentication systems provide, as far as possible, equivalent amenity and convenience.

Financial institutions should make efforts to ensure that all authentication technologies are as accessible as possible to all users.

As far as possible, authentication technologies should support the widest possible range of users, including people with disabilities, without the need to develop alternative or 'fall-back' modes of access. However, where this is not possible, a convenient human-based alternative should be provided.

For example, a user with damaged fingers or motor impairments may have difficulty using biometric authentication technology, which relies on matching a fingerprint to a person. An alternative method of authentication should be available for such users. Users should be provided with information explaining alternative banking channels.

Financial institutions may need to develop individual arrangements for some users who are unable to access banking services due to authentication procedures. For example, some users may have to make use of human-based alternatives, such as telephone banking, and may need to access services that would otherwise not be available through ordinary telephone banking channels. In these instances, individual arrangements for such users may need to be reflected in business rules.

Principle 7: Staff awareness

Financial institutions should provide relevant customer support staff with appropriate disability awareness training so they are aware of the needs of customers with disabilities or older customers.

Relevant staff whose primary role is to provide customer support services should be provided with appropriate awareness training to understand that some users may use accessibility technologies, such as screen readers and speech recognition software, to assist them in accessing electronic banking.

Principle 8: User training

Financial institutions should provide users with training in the use of authentication technologies available.

Financial institutions should make available training in the use of authentication technologies specifically designed to meet the needs of users with disabilities and older users. Financial institutions could provide training through a range of methods, such as web-based, DVD/CD-ROM, over the telephone or face-to-face.

2.3 Communication

Principle 9: Raising staff and business awareness

Financial institutions should develop a strategy for enabling relevant management and staff awareness of these Guiding Principles.

Financial institutions should ensure relevant management and staff have a broad awareness of the diversity of their customer base and accessibility issues.

Financial institutions should advocate and raise awareness of accessibility issues within the financial institution as well as with their business and e-commerce partners who may be evaluating and deploying stronger authentication technologies, including, where appropriate, making them aware of the existence of these Guiding Principles.

Principle 10: Raising user awareness

Financial institutions should promote the availability of alternative accessible authentication technologies.

Financial institutions should promote the availability of alternative accessible options to help users with disabilities and older users to become aware of those alternatives. For example, if tokens are deployed, users may be unaware that voice-output tokens can be issued to users who are unable to read the display on the standard-issue token devices.

Financial institutions should ensure that customers and relevant staff are aware that, as a 'fall-back', a reasonably equivalent human-based alternative, such as the National Relay Service, should be available to assist people with a disability and older people to conduct their banking transactions.

2.4 Operation

Principle 11: Confidentiality of user information

Financial institutions should ensure the confidentiality of information of users with disabilities.

The rights of privacy of users with disabilities and older users should be recognised and respected, and financial institutions must comply with any relevant privacy legislation.

It is important for financial institutions to know their customer. To assist financial institutions in understanding the needs of their customers, a financial institution should, with the consent of the customer, appropriately store the access preferences of customers. For example, a financial institution should appropriately store details of a user's disabilities or access needs in relation to using authentication technologies, such as whether the user is eligible to conduct banking via a human-based alternative.

Principle 12: Safety and security of transactions

Financial institutions should ensure customers with disabilities and older customers are not exposed to higher financial risks.

Customers with disabilities and older customers should not be exposed to higher financial risks if they are unable to use a particular authentication technology. For example, if an alternative authentication technology is used by a person with a disability, and an unauthorised transaction occurs, the financial institution should respond to the incident in the same way as it would for a user of the financial institution's standard authentication systems.

In addition, if a customer is unable to use an authentication technology they should not be financially disadvantaged for using an alternative accessible option. For example, if they need to speak with a human agent or if they need to utilise branch services to complete their transactions, customers with disabilities or older customers should not be subject to higher fees.

3 Consultation

Your feedback is sought on the initial consultation draft Guiding Principles.
Please suggest any changes to the document and respond to any of the questions listed below:

  • Can you think of any principles or points that are not present in this document, which you think should be considered for inclusion?
  • Are there any principles or points which you believe are unnecessary or impractical to implement?
  • Do you feel that the needs of most groups of people with disabilities are adequately addressed by the draft Guiding Principles?
  • The draft Guiding Principles and accompanying Explanatory Guidance are designed to provide a high-level framework.  Do you have any comments and suggestions on the level of detail and specifics included, either in the Guiding Principles or the appendices?
  • Do you have any feedback on the terminology or expressions used in the draft Guiding Principles?

Thank You

The ABA and members of the Accessible Authentication Working Group invite you to make comments on the initial consultation draft Guiding Principles for Accessible Authentication. Public submissions are due 2 February 2007.

Submissions should be made to:

Diane Tate
Director, Corporate & Consumer Policy
Australian Bankers' Association
Level 3, 56 Pitt Street
SYDNEY NSW 2000
dtate@bankers.asn.au

Appendix 1: Access issues facing people with disabilities and older Australians

This appendix contains additional background information. It does not set out any requirements to be met by financial institutions choosing to adopt the voluntary Guiding Principles. This additional information is particularly relevant for Internet banking.

Introduction

The Australian Bureau of Statistics (ABS) estimates that 20% of Australia's population (or approximately 4 million people) have a recognised and ongoing disability. An even larger proportion of the population may have general reduced ability associated with age. Some hidden disabilities (such as eye injuries or psychological dysfunction, including stress) can also make it difficult for people to use authentication technologies.

All users will benefit from well thought-out web page and website design, from clear language to presentation of the most appropriate information, based on user preferences and profiles.

Types of disabilities that are among the most common and relevant to user authentication design, deployment and operation are described below.

Sensory

Vision impairment

People who are blind have a total or near-total loss of vision and rely more heavily on information from other senses.

For some people who are blind it is an advantage if the directions for use are available on audio tape, CD, online or in Braille.

For users who have reduced vision, on-screen and printed information should be available in large print format.

People who are vision impaired will benefit from uncluttered web pages and web pages which display important information without other visual distractions, such as flashing or moving text.

Users who are blind will benefit from labelled graphics, consistent navigation, meaningful link names, textual or audio descriptions of video content, and the ability to access information otherwise only available on paper.

Users who are vision impaired or colour blind will benefit from highlighting text as the cursor moves over it, good colour contrast on pages, use of cascading style sheets allowing them to override screen fonts and colours and avoidance of reliance on colour as the only means of differentiating information on a web page.

Hearing impairment

Hearing impairment usually affects only part of the range of auditory frequencies. In some cases it affects the whole range. The higher frequencies are usually lost first with age.

Deaf people have little or no hearing and are much more reliant on visual cues and information. They may use a sign language with English as their second language.

Users who are deaf or hearing impaired will benefit from clear, concrete language, visual and text equivalents for audio content on web pages, and sign language videos which explain services and processes.

Physical impairment

Mobility

Reduced function in the lower limbs - due to disease, accidents or age - often leads to poor mobility, which can result in the need to use mobility aids, such as crutches or wheelchairs.

Users with mobility disabilities will benefit from availability of information and transactions via electronic banking, rather than having to go into a branch.

Dexterity

Reduced function in the upper limbs, as a result of reduced strength or coordination, can make the operation of keys, knobs, handles and everyday utensils extremely difficult. Unless carefully designed, electronic devices may be difficult or impossible to use by people with poor dexterity or grip.

Users with arthritis or reduced fine motor hand control will benefit from minimal reliance on mouse movements for navigation and selection. Greater use of direction keys may be required in preference to a mouse.

To assist users with reduced dexterity, all areas of the website should be accessible with a single slow mouse click within a large button. Older users often have unsteady hand and arm movements and are often unable to accurately position the mouse on a small area. They may also have reduced reflex skills, which prevent the double click movement from being easily made.

Reaching and stretching

Almost all manual tasks involve an element of reaching and stretching. People with musculoskeletal disorders such as arthritis have difficulty reaching and stretching. The extent of effective reach is often determined by the amount of force to be applied by the hand and the posture that is adopted.

Headstick and mouthstick users, and people who can use only one hand, are unable to press more than one key at a time. Consequently, it should not be necessary to press two widely separated keys simultaneously in order to activate any features and facilities.

Information

Cognitive impairment

People with cognitive disabilities sometimes have poor memory, poor processing time or difficulty with complex messages. If instructions and assistance are given in an appropriate way, difficulties caused by cognitive impairment can often be overcome.

Users with epilepsy will benefit from text that does not flash and minimal use of moving text, as would older users, users with vision impairments and new users.

Language impairment

Language impairment and speech disabilities may create difficulties in unfamiliar surroundings. Pronunciation difficulties, fluency or loudness are the most common manifestations. These may be a problem where speech-input technologies or devices are used.

Age-related impairments

From a vision standpoint the process of ageing can result in:

  • Decrease in visual acuity: Many 60-year-olds require three times as much light as 20-year-olds to see an object. 
  • Reduced powers of accommodation: The older eye loses its ability to focus on near objects. The average distance of near point accommodation is 8 cm at age 16 and 100 cm at age 60. 
  • Decrease in contrast sensitivity: From age 20 to age 80 there is a progressive decrease in the ability to distinguish gradations of visual contrast so that greater contrast between information and background is needed to see an object, with the main decline beginning around age 40 or 50. 
  • Increased sensitivity to glare: The vision of individuals over 40 is more impaired by glare than is the vision of younger individuals. 
  • Longer dark adaptation times: It takes longer for an older person to become accustomed to seeing in a dark environment after coming from a bright environment. 
  • Decline of colour vision and discrimination: Colour vision and discrimination improves until age 30, then gradually declines from the ages of 30-40. 
  • Decline of binocular depth perception: The ability to perceive depth by using both eyes remains constant until age 40, then declines until age 70. 
  • Glaucoma: Leading to loss of peripheral vision.
  • Macular degeneration: Loss of central vision.

From a hearing standpoint the process of ageing can result in:

  • Onset of many auditory disorders. The most common among these disorders is Presbycusis.

Age-related cognitive impairments include Alzheimer's disease and dementia. Individuals with Alzheimer's disease experience progressive intellectual decline, confusion, and disorientation. Individuals with dementia experience progressive loss of mental functions. The most common perceptual and cognitive limitations can be categorised as:

  • Memory limitations: difficulty recognising and retrieving information;
  • Perceptual limitations: difficulty taking in, attending to, and discriminating sensory information;
  • Problem-solving limitations: difficulty recognising a problem; identifying, choosing, and implementing solutions; and evaluating outcomes;
  • Conceptualising limitations: trouble with sequencing, generalising, categorising, cause and effect, abstract concepts, and comprehension; and
  • Language limitations: described separately in the following section.

Individuals with perceptual and cognitive limitations generally benefit from simple displays, low language loading, simple obvious sequences, and cued sequences. These individuals have difficulty understanding audio instructions, using written or electronic documentation, using automated systems, and/or using visual displays, depending on the type of limitation. Methods of improving designs to make them more accessible to this population include the use of voice prompts, increased size of print, simple fonts, high contrast, labels with icons or graphics, and progress displays.

Intellectual Disability

The primary reason for knowing someone's "type" or "level" of intellectual disability is to identify suitable ways of providing support. Therefore, the "levels" are described according to the support needs of the person:

  • The characteristics of support for people with intermittent support needs would be: episodic, not ongoing, every now and then depending on what's happening for that person. For example, support may be suitable at times of significant change, such as when someone starts a new job. However, support is not required on a daily basis for the whole of someone's life.
  • The characteristics of support for people with low or limited support needs are: minimal support is provided on an ongoing basis.
  • The characteristics of support for people with medium or extensive support needs are that more substantial amounts of support are provided on an ongoing basis.
  • The characteristics of support for people with high or pervasive support needs are that this support is ongoing and provided for all daily living activities, including all personal care and self-maintenance activities (such as bathing and eating).

The needs of people with an intellectual disability have to be recognised in the provision of banking services that are within the capabilities of the person to manage. The Guiding Principles seek to simplify processes that will help people with minor intellectual disabilities. However, the Guiding Principles rely on the presumption that those people provided with banking services have the capability to use those services without being in breach of the conditions of use that govern account operation. This requires as a minimum the ability to understand their rights and obligations, PIN security and usage, and the ability to correctly recognise transaction amounts presented for authorisation. Any lesser requirement might expose people with higher support needs to exploitation.

    Appendix 2 Explanatory Guidance: Accessibility of Banking Authentication

    Preface

    All organisations providing goods, services and facilities to the general public must ensure they are not provided in a way that is discriminatory.

    The Australian Bankers' Association (ABA) lodged an Industry Action Plan with HREOC on 30 April 2001. The stated aim of the plan was to contribute to the process of eliminating the 'Digital Divide' by implementing the recommendations in the HREOC report, "Accessibility of Electronic Commerce and New Service and Information Technologies for Older Australians and People with a Disability", principally through the development of industry best practice standards and guidelines.

    In 2001-2002 the banking sector, through a collaboration of the ABA and HREOC, developed and adopted four voluntary Industry Standards relating to the accessibility of four electronic banking channels: Automated Teller Machines (ATMs), Electronic Funds Transfer at the Point of Sale (EFTPOS), telephone and Internet banking. Those standards specified technical requirements, as well as performance measures, to ensure the accessibility of electronic banking services in Australia to people with disabilities and older people.

    In the last few years, incidents of security breaches and banking fraud have raised security concerns, leading many financial institutions to consider a variety of stronger authentication and security measures in order to manage this risk.

    In 2006, the ABA established the Accessible Authentication Working Group (AAWG), with representatives from ABA member banks, Abacus Australian Mutuals, HREOC and disability groups, to identify impediments caused by the implementation of authentication technologies for people with a disability and older people. The Guiding Principles were developed reflecting input from AAWG members and broader consultation. 

    The Guiding Principles provide a set of guidelines for the design, deployment and operation of user authentication technologies. Adoption of common standards and guidelines by all Australian financial services providers will promote the confidence of users in online services and improve the accessibility of retail banking and finance.

    In preparing the Guiding Principles, the AAWG has reviewed literature on concepts relating to accessibility. In some instances, to ensure consistency, phrasing and terminology have been borrowed as a starting point for the Guiding Principles.

    1. Introduction

    The consultation draft Guiding Principles have been developed by the Accessible Authentication Working Group (AAWG) comprising representatives from the ABA, ABA member banks and Abacus Australian Mutuals, along with representatives from HREOC and disability communities. The general community is also being consulted.

    The consultation draft Guiding Principles were funded and developed under the sponsorship of the ABA. The ABA appreciates and acknowledges the input and assistance provided by HREOC, financial institutions, and organisations representing people with disabilities.

    In formulating the consultation draft Guiding Principles, the AAWG has sought to incorporate the best information and guidance from available sources, as well as new research on emerging technologies.

    The following now refers to the "Guiding Principles". However, we note that the Guiding Principles at this stage are a consultation draft and therefore Appendix 2 does not necessarily constitute a formal stance of the ABA or its member banks.

    1.1 Disclaimer

    The Guiding Principles are based on information about the design, deployment and operation of authentication solutions available at the time they were developed. Future versions of the document will endeavour to incorporate the latest research.

    There are many liability and other legal issues relating to matters covered in the Guiding Principles, the resolution of which falls outside the scope of the document. These include:

    • Conditions of use (e.g. proxy relationships, determinations of breaches)
    • PIN entry (e.g. inability to enter PIN, PIN replacing signature)
    • PIN disclosure
    • Electronic signatures
    • Disclosure of user IDs and passwords
    • Strategies for avoiding fraud
    • Compliance with the Commonwealth Privacy Act 1988

    The Guiding Principles should not be relied upon as a substitute for professional advice in complying with the law, and should be implemented only after relevant professional advice has been obtained.

    The ABA, HREOC, and all other parties associated with the publication of this document, have made every effort to ensure the accuracy of information, but accept no responsibility for any loss or damage occasioned by any party in its seeking to implement any provision of the Guiding Principles.

    As material in this document was both developed by the AAWG and drawn from a number of other sources, it must only be reproduced with permission from the ABA and attribution to the ABA. If material is referred to by other people or organisations, attribution must be made to the ABA.

    2. Disability Discrimination Act 1992

    The Disability Discrimination Act 1992 ("DDA") makes it unlawful to discriminate against a person on the grounds of a disability. The objects of the DDA include eliminating, as far as possible, discrimination against people with disabilities and promoting recognition and acceptance within the community that people with disabilities have the same fundamental rights as the rest of the community.

    Section 4 of the DDA defines disability in relation to a person as:

    • (a) total or partial loss of the person's bodily or mental functions; or
    • (b) total or partial loss of a part of the body; or
    • (c) the presence in the body of organisms causing disease or illness; or
    • (d) the presence in the body of organisms capable of causing disease or illness; or
    • (e) the malfunction, malformation or disfigurement of a part of the person's body; or
    • (f) a disorder or malfunction that results in the person learning differently from a person without the disorder or malfunction; or
    • (g) a disorder, illness or disease that affects a person's thought processes, perception of reality, emotions or judgment or that results in disturbed behaviour;

    and includes a disability that:

    • (h) presently exists; or
    • (i) previously existed but no longer exists; or
    • (j) may exist in the future; or
    • (k) is imputed to a person.

    The law is administered by HREOC and sets out specific areas in which it is unlawful to discriminate. These areas include accommodation, employment, access to premises, and the provision of goods, services and facilities.

    Section 4 of the DDA defines a service as relating to, amongst other things, banking, insurance, superannuation and the provision of grants, loans, credit or finance, and including financial and information services provided, for example, through websites, telephones, ATMs and EFTPOS.

    However, the DDA recognises that in certain circumstances, providing equitable access for people with disabilities could cause 'unjustifiable hardship' for an individual or organisation providing goods or services.

    2.1 Human Rights and Equal Opportunity Commission

    The Human Rights and Equal Opportunity Commission (HREOC) administers federal legislation in the area of human rights, anti-discrimination and social justice. This includes complaints handling, public inquiries, policy development and education and training.

    Where a person with a disability believes they have been discriminated against, they can complain to HREOC, which will investigate the complaint and, where appropriate, attempt to conciliate a solution between the two parties. Where conciliation is not possible the complainant may take their complaint to the Federal Court or Federal Magistrates Court, which have the authority to determine whether unlawful discrimination has occurred and what constitutes 'unjustifiable hardship'.

    HREOC also has a role in assisting organisations to understand their responsibilities and in supporting initiatives aimed at promoting compliance through best practice. While the Guiding Principles have no force in law, HREOC has supported their development in the hope that they will provide a level of access consistent with the requirements of the DDA.

    3. Key definitions

    3.1 Authentication

    There is an accelerating trend, both in Australia and overseas, to move beyond conventional single-factor methods, such as online usage of a user ID and password, for the purposes of verifying a customer's identity.

    'User authentication' is confirmation of the identity of the user, or party authorised to communicate with a computer or computer program, or with another user.

    User authentication can be performed either at the session level or transaction level, or both. Session level authentication allows the authenticated user to perform one or more transactions within a given session without the need for further authentication. Transaction level authentication requires a session authenticated user to undergo stronger authentication for each transaction in the session, in order to lower the security risk.

    'Stronger authentication' refers to any authentication strategy considered stronger than conventional single-factor authentication, such as two-factor, multi-factor, strengthened single-factor and anti-keylogging strategies.

    Existing authentication methodologies involve three basic "factors":

    • 1st Factor: something the user 'knows' (e.g., password, PIN). The first level of authentication consists of two or more methods, where at least one of these factors is considered a 'shared secret';
    • 2nd Factor: something the user 'has' (e.g., ATM card, smart card). The second level of authentication consists of the 1st factor and one or more methods involving a 'device';
    • 3rd Factor: something the user 'is', or a behavioural characteristic (e.g., a biometric characteristic, such as a fingerprint, or handwriting or keyboarding patterns). The third level of authentication consists of the 1st or 2nd factor and one or more methods involving a 'characteristic'.

    For example, the use of a user ID and password is single-factor authentication (i.e., relying on 1st-factor credentials, something the user knows); whereas an ATM transaction requires two-factor authentication, combining a 2nd factor, something the user possesses (i.e., the ATM card), with a 1st factor, something the user knows (i.e., the PIN).

    A multi-factor authentication methodology may also include "out-of-band" controls for risk mitigation. Use of an SMS password or a token is an example of an out-of-band strategy, because the information is conveyed to the user via a channel different from the one being used for online banking.
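    The session-level and transaction-level distinction described above, with an SMS code as the out-of-band second factor, as an added Python illustration that is not part of the Guiding Principles: login is session-level on the 1st factor alone, and transfers at or above a threshold require a single-use code proving possession of the registered device. The `Bank`, `Session` and `Factor` names, the 1000 threshold and the stand-in SMS gateway are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Factor(Enum):
    """The three basic factors from section 3.1."""
    KNOWS = "knows"  # 1st factor: password, PIN
    HAS = "has"      # 2nd factor: card, token, phone that receives an SMS code
    IS = "is"        # 3rd factor: biometric or behavioural characteristic


def factor_count(factors) -> int:
    """Distinct factors in use. A password plus a PIN is still single-factor."""
    return len(set(factors))


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen credential store does not yield passwords.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Customer:
    user_id: str
    salt: bytes
    password_hash: bytes
    oob_channel: str  # constructed: the registered mobile number for SMS codes


@dataclass
class Session:
    customer: Customer
    factors_used: Set[Factor] = field(default_factory=set)
    pending_otp_hash: Optional[bytes] = None  # one-time code awaiting confirmation
    pending_amount: Optional[int] = None


class Bank:
    # Constructed threshold: transfers at or above this amount need
    # transaction-level authentication; below it the session-level
    # authentication performed at login is enough.
    STEP_UP_THRESHOLD = 1000

    def __init__(self) -> None:
        self.customers = {}
        self.sent_oob = []  # stand-in for an SMS gateway: list of (channel, code)

    def enrol(self, user_id: str, password: str, oob_channel: str) -> None:
        salt = secrets.token_bytes(16)
        self.customers[user_id] = Customer(
            user_id, salt, _hash_secret(password, salt), oob_channel)

    def login(self, user_id: str, password: str) -> Optional[Session]:
        """Session-level authentication using the 1st factor only."""
        cust = self.customers.get(user_id)
        if cust is None:
            return None
        if not hmac.compare_digest(_hash_secret(password, cust.salt), cust.password_hash):
            return None
        return Session(cust, {Factor.KNOWS})

    def request_transfer(self, session: Session, amount: int) -> str:
        """Low-value transfers ride on the session; high-value ones trigger
        an out-of-band one-time code (the 2nd factor) and wait for it."""
        if amount < self.STEP_UP_THRESHOLD:
            return "done"
        code = f"{secrets.randbelow(10**6):06d}"
        # Only a hash of the code is kept server-side; the code itself goes out of band.
        session.pending_otp_hash = hashlib.sha256(code.encode()).digest()
        session.pending_amount = amount
        self.sent_oob.append((session.customer.oob_channel, code))
        return "otp_required"

    def confirm_transfer(self, session: Session, code: str) -> str:
        """Transaction-level authentication: the code proves possession of
        the registered device. The code is consumed whether or not it matches."""
        if session.pending_otp_hash is None:
            return "no_pending"
        matched = hmac.compare_digest(
            hashlib.sha256(code.encode()).digest(), session.pending_otp_hash)
        session.pending_otp_hash = None
        session.pending_amount = None
        if not matched:
            return "rejected"
        session.factors_used.add(Factor.HAS)
        return "done"
```

    The `oob_channel` is the point at which a customer's preferred delivery method (SMS, audio token, large-screen token) would be recorded, which is where the accessibility choices discussed under Principle 6 take effect.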

    3.1.1 Two-Way Authentication

    In addition to a financial institution seeking to reliably identify and authenticate the customer, increasingly there are situations where a financial institution also needs to authenticate itself to the customer, or to the customer's computing environment, in order to minimise incidents of 'phishing' and other account hijacking attacks.

    This may be through the use of some kind of public key infrastructure, or it may be via a shared secret approach. For example, during enrolment/registration, the customer may have selected an image from a gallery, which is presented to the customer to 'prove' that it is the real banking service the user is connecting to.

    Use of images in this way could lead to access problems for people with vision impairments unless the images used are clearly labelled with alt-text or similar. Alternatively, a gallery of sounds or musical samples could be employed to address the visually-centric nature of shared secrets for two-way authentication.

    3.2 Other terms used in the Guiding Principles

    See glossary at the back of this document for other terms used in the Guiding Principles.

    4. Scope of the Guiding Principles

    The Guiding Principles relate to deployments of user authentication technologies and approaches across electronic and face-to-face banking channels, with particular relevance for Internet banking. However, financial institutions may consider how the Guiding Principles could relate to their broader service commitments on accessible banking.

    The Guiding Principles are intended for use by developers, suppliers, designers and users of authentication technologies. They are not intended to prevent the use of authentication technologies.

    4.1 Transactions

    The Guiding Principles focus on access to customer registration, login and transactional banking services and associated applications. 

    Examples of transactions covered include, but are not limited to:

    • Service registration
    • Balance enquiry
    • Statement viewing
    • Transfer between accounts
    • Bill pay
    • Third party funds transfer
    • Cash withdrawal
    • Reviewing and updating investments and portfolios
    • Online loan applications
    • Interactive financial calculations performed online.

    The Guiding Principles will also apply to related services such as accessing documentation and information as well as account aggregation tools.

    4.2 Dependencies

    A range of factors can impact the effective accessibility and usability of services including:

    • (a) (for the financial institution) choice of authentication solutions, web development tools, expectation of minimum hardware/browser technology used by customer, reliance on scripting and applet technologies, flexibility of security protocols in place;
    • (b) (for the customer) level of experience with web-based technologies, platforms/operating systems selected, brand and version of assistive technologies (screen readers, print enlargers, etc), firewalls and quality of telecommunications lines and other factors.

    5. Adoption of the Guiding Principles

    The Guiding Principles do not have the force of law, and adopting them does not guarantee fulfilment of legal responsibilities under the DDA, nor does it remove from any financial institution its obligation to comply with the requirements of that Act or any other relevant legislation.

    The Guiding Principles have been developed in consultation with interested parties, including HREOC, with the objective of describing best endeavours in authentication accessibility. An organisation choosing to adopt the Guiding Principles may therefore have some confidence that they are implementing requirements which have evolved from community consultation with interested parties. 

    While the Guiding Principles are voluntary industry guidelines they are aimed at assisting financial institutions to develop the most accessible authentication systems possible. It is intended that adoption and implementation of the Guiding Principles will significantly reduce the likelihood of successful complaints of discrimination.  

    Where a financial institution commits to implementing the Guiding Principles any individual or group may monitor implementation. Any individual or group covered by the DDA retains the right to lodge complaints with HREOC for perceived breaches of the DDA.

    5.1 Compliance with other access standards

    Financial institutions should also refer to the ABA's voluntary Industry Standards on electronic banking and any relevant Australian and Australia/New Zealand Standards.

    Banks and financial institutions should consult the ABA's voluntary Industry Standards on Accessibility of Electronic Banking for more detailed guidance.
    See http://www.bankers.asn.au/Default.aspx?FolderID=105

    Banks and financial institutions should also consider HREOC's World Wide Web Access: Disability Discrimination Act Advisory Notes. Version 3.2. 
    See http://www.hreoc.gov.au/disability_rights/standards/www_3/www_3.html

    Websites should meet the W3C WCAG V1.0 standards, as far as reasonably practicable. See http://www.w3.org/TR/WCAG10/full-checklist.html

    6. Version Control

    Other documents may supersede this document. The latest status of this document series is maintained at the ABA.

    It is the intention of the banking and finance sector to continue to work with service providers and manufacturers to further improve the accessibility of user authentication solutions.

    The ABA will continue to keep the Guiding Principles current and technically valid in so far as is practicable. A detailed list of changes to the Guiding Principles will be maintained at the ABA.

    7. Explanatory Guidance

    The Explanatory Guidance follows the same structure as the Guiding Principles and is intended to assist financial institutions that choose to adopt the voluntary Guiding Principles. The Explanatory Guidance does not set out any requirements to be met by financial institutions.

    7.1 Design

    Principle 1: User convenience

    All users should be able to undertake their personal and business financial activities conveniently and safely.

    Authentication technologies should be designed so that the widest possible range of users can use the technology effectively and conveniently. Authentication solutions should be as user-friendly and accessible as possible.

    All users benefit from assistive and universal designs. However, it is important to understand the diversity of problems, tools and abilities of all users, especially users with disabilities or older users, who may find it particularly difficult to access banking services where authentication technologies are employed.

    Consistent with W3C/WAI guidance, to promote user convenience:

    • Content must be perceivable: For example, provide text alternatives for all non-text content and make it easy to distinguish foreground information from its background.
    • Interface components in the content need to be operable: For example, make all functionality operable via a keyboard interface; allow users to control time limits on their reading or interaction or allow users to extend a session that is about to time out; and help users avoid mistakes and make it easy to correct mistakes that do occur.
    • Content and controls must be understandable: For example, make text content readable and in plain English.
    • Content should be robust enough to work with current and future users, including assistive technologies: For example, ensure that content is accessible or provide an accessible alternative.

    Financial institutions should make every effort to support the widest possible range of users. Beginning with their own organisations, financial institutions should work towards consistency of Internet-related terminology, concepts and processes, with the following objectives:

    • (a) consistency of standard transactions across financial institutions, for example, by agreeing on order of fields in funds transfer forms, BPAY forms, etc;
    • (b) consistency on terminology for user name, password, receipt number, etc.

    Experience has shown that consistent and predictable human interfaces benefit users. The benefits can include faster learning, greater productivity, fewer errors and greater satisfaction. Consistent interfaces also benefit the industry by promoting greater acceptance of products and services.

    The following notes from W3C/WAI should also be considered:

    "Provide consistent and predictable responses to user actions within the online service. Make interactions consistent, both throughout the site and with commonly used interaction metaphors used throughout the Web. For example, similar layout for user interface components is used throughout your site, similar user interface components are labelled with similar terminology, controls that look the same are designed to act the same, operating system, language, or application conventions likely to be familiar to the user have been followed, unusual user interface features or behaviors that are likely to confuse the first-time user are documented.

    Providing responses to user actions is important feedback for the user. This lets them know that your site is working properly and encourages them to keep interacting. When the user receives an unexpected response, they might think something is wrong or broken. Some people might get so confused they will not be able to use your site."

    Financial institutions should provide information to customers on user requirements, and alternatives available for those users unable to meet the requirements.

    Financial institutions should also ensure they comply with the W3C/WAI guidelines.

    Principle 2: Authentication planning

    Financial institutions should consider the accessibility and usability needs of users with disabilities and older users as part of authentication technology planning.

    Financial institutions should consider the usability needs of people with disabilities and older people in the design of authentication technologies. When planning to implement authentication technologies, financial institutions should consider how the authentication technologies they employ may impact all users. By taking into account the needs of users and the environments in which they work, authentication technologies can both enhance security and provide convenient access. For example, accessibility considerations could be part of any internal check-lists used by financial institutions when assessing, developing or modifying authentication technologies.

    Financial institutions should consider the accessibility implications and processes for stronger authentication. There are three phases involved in stronger authentication approaches. 

    • Enrolment - Setting up the technology, registering the customer, taking necessary details or measurements, issuing devices/passwords etc.
      If a biometric system is used, enrolment involves taking a baseline biometric measure. Usually, this would be done with a special biometric terminal, which should be staffed by qualified personnel. Those personnel should be trained in the necessary skills to assist a person with a disability to successfully provide the biometric measure or measures.
    • Authentication - Identity of the person is validated and verified to a satisfactory degree, based on the information and credentials being supplied by the user.
    • Authorisation - Once the authentication has been done, the customer is then allowed access to those services and information which they are authorised to access.

    Some key points to consider when ensuring maximum flexibility for financial institutions and users include:

    • Authentication management - roles and responsibilities will most likely spread across business units; for example, authentication policies and procedures, user enrolment, applications and networks and so on. It is important that deployment of user authentication technologies is effectively managed.
    • Authentication practices - existing practices and user privileges should be accommodated. Balancing security, usability and practicality will assist in adoption of new technologies. It is important for financial institutions to maintain flexibility to support multiple users without incurring undue cost.
    • Authentication integration - a review of users, applications and environments when introducing new system requirements should be conducted. It is important to reduce unnecessary or costly system integrations later.
    • Technology neutrality - as far as possible, authentication architecture should be interoperable with different applications and/or devices. It is important for users to maintain autonomy in selecting technology or applications to access Internet banking services.

    Financial institutions should ensure that authentication technologies do not impede their ability to meet standards on accessibility of electronic banking. The ABA's voluntary Industry Standards on Accessibility of Electronic Banking should be consulted for more detailed guidance.

    Principle 3: Authentication testing

    Financial institutions should consult users with disabilities and older users as part of planning and testing accessibility and usability of authentication technologies.

    During design, and prior to implementation, financial institutions should test accessibility of their authentication technologies, including all elements of the interface, with users representing a range of capabilities and limitations (such as, in respect of visual, auditory, physical, cognitive and behavioural ability). 

    Financial institutions should test accessibility of their authentication technologies through user accessibility trials. Trials should involve users with a range of capabilities and limitations and of varying ages. For example, a representative panel of end-users covering a range of users, including users with disabilities, could be engaged to identify potential authentication issues.

    Organisations that may assist in identifying potential end users to be engaged in testing can be found at the HREOC website under the heading 'Peak/major organisations' at www.humanrights.gov.au/disability_rights/links/links.html#community.

    There are significant benefits to consulting with users from the beginning of the project (for example through focus groups at the initial planning stages) and at key stages within the project. Feedback from users can then be incorporated into the business rules and user requirements that create a framework for the development of technical and design specifications. This may help minimise accessibility problems after implementation.

    Financial institutions should test their authentication technologies with adaptive technology, such as screen readers, screen enlargers and speech recognition software. Testing should be conducted using various web browsers to ensure wide usability.

    It is also important that accessibility issues are considered prior to testing for wider usability. Decisions concerning accessibility are unlikely to adversely affect overall usability; in fact, they often enhance usability for all customers. However, if changes are made for accessibility then the revised design may need to be tested again for general acceptance.

    A range of semi-automated testing tools is listed by the WAI Evaluation and Repair working group at http://www.w3.org/WAI/ER/existingtools.html.

    Principle 4: Registration, login and transaction procedures

    Financial institutions should ensure, as far as possible, that registration, login and transaction procedures are accessible to all users.

    Authentication procedures required for registration, login and transactions should, as far as possible, be operable by customers who use alternative input equipment or assistive technology, such as screen-reading or speech-recognition software, for Internet banking. As far as possible, implementation of stronger authentication should not substantially compromise the convenience of registration, login and transaction procedures.

    Users should, as far as possible, be able to use a keyboard alternative. Subject to identification and security requirements, the user should be able to register for an Internet banking service online or by using the telephone or TTY, and without completing printed forms.

    Financial institutions should, subject to identification and security requirements, accept the registration of a customer to an Internet banking service when the registration request is received either directly via a telephone or TTY, or indirectly through a telephone relay service. For this to occur, a process may need to be put in place for disclosure of confidential information as an individual arrangement as an exception to standard business rules.

    Financial institutions should follow the guidance recommendations on account and service registration found in section 11.4.1 of the ABA's voluntary Industry Standards on Internet Banking.

    Financial institutions should also ensure that they comply with the W3C's Web Content Accessibility Guidelines or equivalent best practice in web accessibility endorsed in Australia.

    Principle 5: Messages and error recovery

    Financial institutions should, as far as possible, ensure that online messages are unambiguous and written in plain English and that error recovery processes are efficient.

    As far as possible, users should be provided with the opportunity to recover from their most recent error without being required to re-enter correct information. In addition, as far as possible, users should be provided with the opportunity to cancel transactions and/or change data and information that has been entered during a session without having to cancel the session and re-commence. Where it is not possible to recover from an error, for example, after submitting and confirming a payment, financial institutions should provide 'confirmation screens' for users to check transaction details before submitting payments.

    Within a given session, unless information re-entry is required for reasons of privacy, security or verification, the user should not be required to enter any given piece of information more than once. The number of key presses or mouse clicks required of the user should be minimised.

    Redundancy of information across more than one sensory channel should be provided, and will assist users with sensory disabilities as well as users of personal/mobile technologies. For example, video clips should contain audio descriptions for blind users and text captions for deaf users. 

    Audible bells and alarms from the computer should also be represented visually.

    Pictures, tables, flow charts and other visual information should be described or summarised in textual form for those who cannot see them and for those who do not have graphical capabilities readily available.

    When live streaming is used, text script should be provided as soon as possible following the event.

    Users should have access to 'Help' functionality to assist in identifying and fixing connectivity problems. Ideally, financial institutions should provide online assistance with common error messages, perhaps in the form of accessible FAQs. A help desk should also be available to assist customers in accessing their banking services.

    Financial institutions should ensure that error messages generated when authentication technologies are used avoid words such as "wrong", "illegal", "fatal" and "critical", as these may cause undue concern or alarm for some users. Some users, particularly those with intellectual disabilities or cognitive impairments, may find it difficult to comprehend some online messages. Messages should be unambiguous and written in plain English.

    7.2 Implementation

    Principle 6: Equivalent access

    Financial institutions should ensure that any human-based alternative authentication systems provide, as far as possible, equivalent amenity and convenience.

    Financial institutions should make efforts to ensure that all authentication technologies are as accessible as possible to all users. Authentication technologies should support the widest possible range of users, including people with disabilities, without the need to develop alternative or 'fall-back' modes of access.

    However, even after significant efforts have been made to maximise the range of people who can use an authentication technology, there are still likely to be some users who are unable to use the technology reliably or effectively, or who are unable to use it at all. These users still need to be verified in some way to be able to perform their financial activities.

    A human customer service agent is usually the most effective and convenient solution. Accessing the alternative channel should be convenient for the user and should be provided at no extra cost to the user who is unable to use an authentication technology.

    People who may not be able to use an authentication technology might be users who either have extreme difficulties in one particular area or who have multiple disabilities so that no combination of the accessibility features meets their needs. For example, a person who is both deaf and blind is unable to hear the information in spoken form and is unable to read the authentication information visually. Such a person may need to interact with a staff member via TTY or through the National Relay Service. Some people may have motor skill difficulties which make inputting data difficult in the prescribed time period. Similarly, they may be better served by a human agent.

    If a user is unable to use an electronic banking channel there should be a means by which the person can gain equivalent access, such as equivalent funds transfer limits. This may be via automated telephone banking, or it may be necessary for the person to speak to a human agent to enable them to transfer the required amount. For example, financial institutions could consider making available a human agent 24 hours a day, 7 days a week, or at least for extended business hours.

    Providing a human customer service agent can also assist in instances where a person can access the technology, but is encountering confusion or difficulties. A human agent is better placed to interpret and suggest remedies to such a user than is an automated service. A human agent also provides a friendly 'face' to the financial institution, particularly when new authentication technologies are being deployed.

    The process by which a user is authorised to work with a human customer service agent needs to be straightforward and convenient. For example, if forms need to be completed, these forms need to be available in accessible formats.

    Some authentication technologies rely on the user being able to see a display, whereas others may offer possibilities for information to be spoken. Biometric authentication solutions may rely on the person possessing a particular attribute or capability, and therefore will exclude people who are unable to meet the necessary physical requirements. Financial institutions should consider providing a choice of authentication technologies to maximise the number of people who can independently use the authentication technology and access their banking services.

    Providing more than one authentication system, such as a variety of tokens (large screen and/or audio), SMS messages, shared secrets and so on, gives choice and broadens the likelihood that a person can use one of the available authentication approaches.

    Financial institutions should provide efficient re-enrollment. If a user can no longer use an authentication or biometric system reliably, the user should be provided, wherever feasible, with the opportunity to repeat the registration or enrollment process. For example, this could happen if the person has an accident, or if their biological attributes change for some reason.

    To facilitate equivalent access, individual arrangements may need to be accommodated in business rules. For example, business rules may need to be adapted to ensure that people who are communicating with the financial institution via the National Relay Service (which uses a human to intermediate between the customer and the financial institution) are provided with equivalent services. The ABA's voluntary Industry Standard on Internet Banking should be consulted for more detailed guidance.

    Principle 7: Staff awareness

    Financial institutions should provide their relevant customer support staff with appropriate disability awareness training so they are aware of the needs of customers with disabilities or older customers.

    Relevant staff whose primary role is to provide customer support services should be provided with appropriate awareness training to understand that some users may use accessibility technologies, such as screen readers and speech recognition software, to assist them in accessing electronic banking.

    Managers, supervisors and senior staff in branch, call centre customer service and help desk functions should be provided with appropriate awareness training in the combination of authentication and access technologies and in understanding how people with disabilities access online services. For example, financial institutions could consider making available a staff member with superior knowledge and skills in dealing with customers with a disability or older customers in a branch, call centre customer service or help desk function.

    Financial institutions should provide relevant branch, call centre customer service and help desk staff with appropriate training in providing support for users of authentication.

    Some topics could include:

    • Basic facts about people with disabilities and access to online services;
    • Information about tools and equipment that may be used to read information, such as screen readers;
    • Information about different formats and how the organisation is using different formats for people with disabilities, such as Braille statements; and
    • Identification of appropriate induction and ongoing training areas where face-to-face and e-learning about accessibility of banking can be incorporated.

    Financial institutions should consider providing all staff with training regarding awareness of the needs and diversity of people with disabilities and older people as part of staff induction training and ongoing workplace diversity programs.

    Web developers should receive training and guidance in developing accessible websites and in understanding how people with disabilities access online services, so that they can develop appropriate strategies for authentication and broader accessibility of Internet banking websites.

    Staff who are employed to assist users and operate biometric terminals or support systems which employ authentication technologies should be trained in how to assist and support users with disabilities and older users.

    Principle 8: User training

    Financial institutions should provide users with training in the use of authentication technologies available.

    Financial institutions should provide access to appropriate learning opportunities as part of eliminating the 'Digital Divide'. User training will ensure that all users are able to efficiently access and operate authentication and other operations. Training should be developed taking into account all users' needs, including the needs of customers with a range of capabilities and limitations.

    Financial institutions should make available training in the use of authentication technologies specifically designed to meet the needs of users with disabilities and older users. For example, financial institutions could provide training through a range of methods, such as web-based, DVD/CD-rom, over the telephone or face-to-face.

    Where financial institutions provide face-to-face training, this should be developed and conducted by suitably trained staff, or could be offered by arrangement with a registered training authority with experience in training people with disabilities.

    Where financial institutions provide customer training over the telephone, training staff should be capable of providing support to people with disabilities and older people.

    Financial institutions may provide user training via DVD/CD-rom or web-based formats. It is important that user training is accessible for people with disabilities and older people.

    Some areas to cover in training modules could include:

    • Practice Option: Each site should have a practice section, where people can perform practice logon and trial transactions to safely explore and master the service, without risking funds. To ensure accessibility, the practice facility should provide a substantially similar customer experience and should give feedback on the success or otherwise of the practice transaction. Such feedback should also include suggestions on error correction.
    • Accessible Online Tutorials: Users may benefit from accessible online tutorials for a site or feature. To ensure accessibility, tutorials should be developed using the same technologies as for the actual service.

    7.3 Communication

    Principle 9: Raising staff and business awareness

    Financial institutions should develop a strategy for enabling relevant management and staff awareness of these Guiding Principles.

    It is important for there to be relevant management and staff awareness of the diversity of their customer base and accessibility principles.

    Financial institutions should ensure relevant management and staff have a broad awareness of the diversity of their customer base and accessibility issues. Financial institutions should raise awareness of these Guiding Principles with relevant senior staff, such as staff involved in the development of policies, procedures and practices.

    Financial institutions should advocate and raise awareness of accessibility issues within the financial institution as well as with their business and e-commerce partners who may be evaluating and deploying stronger authentication technologies, including where appropriate, making them aware of the existence of these Guiding Principles.

    Principle 10: Raising user awareness

    Financial institutions should promote the availability of alternative accessible authentication technologies.

    It is important for there to be broad customer awareness of the financial institution's commitment to accessibility principles.

    Financial institutions should promote the availability of alternative accessible options to help users with disabilities and older users to become aware of those alternatives. For example, if tokens are deployed, users may be unaware that voice-output tokens can be issued to users who are unable to read the display on the standard-issue token devices.

    Financial institutions should ensure that customers and relevant staff are aware that, as a 'fall-back', a reasonably equivalent human-based alternative, such as the National Relay Service, should be available to assist people with a disability and older people to conduct their banking transactions.

    Financial institutions should refer to these Guiding Principles in relevant customer information. It is suggested that financial institutions make available dedicated sources and formats of information for customers with disabilities so that they have clear information on how to access their banking services.

    Some topics could include:

    • Accessible Downloadable Site Documentation: To assist new users, downloadable documentation and quick reference cards for the site should be available, and kept up-to-date when site structure is altered. These materials should be available in accessible formats.
    • Provision of Information: All text-based information, including terms and conditions and policy documents, shall be in plain English and available in accessible formats.
    • Auslan: Financial institutions may wish to incorporate Auslan video clips to inform and assist deaf users who employ Australian Sign Language (Auslan).

    For further information, see the ABA's voluntary Industry Standards on Accessibility of Electronic Banking.

    7.4 Operation

    Principle 11: Confidentiality of user information

    Financial institutions should ensure the confidentiality of information of users with disabilities.

    The rights of privacy of users with disabilities and older users should be recognised and respected, and financial institutions must comply with any relevant privacy legislation.

    It is important for financial institutions to know their customer. To assist financial institutions to understand the needs of their customers, a financial institution should, with the consent of the customer, appropriately store the access preferences of customers. For example, a financial institution should appropriately store details of a user's disabilities or access needs in relation to using authentication technologies, including whether the user is eligible to conduct banking via a human-based alternative.

    Some key areas for financial institutions to consider as part of their approaches to collection of customer information include:

    • Is personal data collected? If so, what kinds of personal data?
    • How is personal data collected?
    • How is personal data stored?
    • For what purposes is personal data used?
    • How is personal data controlled?
    • What regulations, standards or guidelines apply to the collection and use of personal data?

    Customers should be able to gain access to information about personal data practices without unreasonable effort, including the financial institution's privacy policy. This is consistent with the OECD's Privacy Guidelines.

    Financial institutions should consider the implementation of settings profiles for a user, so that preferred settings, such as screen colour, font style and size, text or graphics layout, audio settings and other parameters, are linked to an account or user identification number. User profiles should include preferred methods of authentication.

    Some benefits to keeping details of customer preferences include:

    • Keeping a record of the user's preference of authentication technology;
    • Facilitating automatic selection of authentication (e.g. shared secrets in place of token devices);
    • Keeping a record that the user may be using a screen reader, or other assistive technology, which may assist human agents in better understanding and addressing user inquiries and requests; and
    • Providing statements and correspondence in a format that is accessible to the user (e.g. Braille, email, large print).

    Financial institutions may need to develop individual arrangements and contracts to support deaf, hearing-impaired or speech-impaired users conducting their banking via the National Relay Service, since this means that an intermediary or third party is involved in the transaction process. This should be reflected in business rules.

    The privacy of the customer in regards to any information regarding disabilities will be protected in accordance with the National Privacy Principles.

    Principle 12: Safety and security of transactions

    Financial institutions should ensure customers with disabilities and older customers are not exposed to higher financial risks.

    Where a customer with a disability uses an alternative method for accessing their banking services because they are unable to use a particular authentication technology, such customers should not be exposed to any higher level of financial risk. For example, if an alternative authentication technology is used by a customer with a disability, and an unauthorised transaction occurs, the financial institution should respond to the incident in the same way as it would for a customer of the financial institution's standard authentication systems.

    No greater costs should be incurred by people with disabilities or older people who are unable to participate in the use of a particular authentication technology; for example, if a customer needs to speak with a human agent, or if they need to use branch services to complete their transactions.

    Financial institutions should consider the personal needs and circumstances of their customers. Due to the average lower income of many people with a disability or older people, it should not be assumed that the user has a mobile phone or a computer, and travelling to branches may be expensive for the customer (for example, taxi fares). Financial institutions should be cognisant of this when designing and implementing authentication technologies, or devising alternative ways for people with disabilities and older people to conduct their banking transactions.

    8. Glossary

    Authentication - the process of validating a user's identity and verifying authority and access privileges.

    Biometric authentication - this term refers to technologies that measure and analyse human physical and behavioural characteristics for the purposes of verifying a person's identity. Physical characteristics include, for example, fingerprints, eye retinas or irises, facial patterns, hand measurements and voice recognition; behavioural characteristics include signature or typing patterns. Some biometric traits share physical and behavioural aspects.

    Internet banking - this includes web content and applications as well as transaction services.

    Plain English - language that is written as clearly and simply as is appropriate for the content. Clear and simple writing will aid all users, especially those with cognitive, learning, and/or reading disabilities. This should not discourage the writer from expressing complex or technical ideas. Using clear and simple English also benefits people whose first language is not English, including those people who communicate primarily in sign language.

    Screen enlarger - (also termed 'screen magnifier') a piece of software that enables the user to enlarge computer screen print and graphics. Such software has features including zooming into specific screen content, tracking highlighting and mouse pointers, and adjusting on-screen colours to enhance readability.

    Screen reader - the term used to describe software designed to "read out" (or present in Braille) the contents of a computer screen for use by a person who is blind, vision impaired or who has a reading disability. Screen readers are available for MS-DOS, Microsoft Windows, the Macintosh and some Unix platforms. Screen readers usually work hand-in-hand with a speech synthesiser or Braille display device in order to present computer information in an accessible format.

    User Interface - the term used to describe the methods by which people and technology interact. The user interface includes the output and input formats that programs generate and recognise. Depending on the user interface design, equipment, devices and software can be easy, difficult or even impossible for various groups of people with disabilities to access.

    W3C - World Wide Web Consortium [4] - The World Wide Web Consortium (W3C) develops interoperable technologies (specifications, guidelines, software, and tools) to lead the Web to its full potential. The W3C was created in October 1994 to lead the World Wide Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. Organisations located all over the world and involved in many different fields join W3C to participate in a vendor-neutral forum for the creation of web standards. W3C has earned international recognition for its contributions to the growth of the web.

    WAI - Web Accessibility Initiative - a domain of the World Wide Web Consortium (W3C) charged with developing recommendations for accessible web design. It has several sub-committees that are looking at guidelines for web authors, browser manufacturers and web design and testing tools.

    Web Accessibility - a philosophy of website design which endeavours to make a site as easy and effective to access for the widest possible range of potential users, irrespective of their limitations and capabilities, their location, equipment or bandwidth.

    Other technical terms to be found in this document conform to W3C usage. A W3C glossary may be found in the glossary section of http://www.w3.org/TR/WCAG10/.

    9. References

    Documents which have influenced the development of the Guiding Principles include:

    Footnotes

    [1] 'Stronger authentication' refers to any authentication strategies considered stronger than conventional single-factor authentication, such as two-factor, multi-factor, strengthened single-factor and anti-keylogging strategies. For more information, see section 3.1 of the appendix.

    [2] http://www.design.ncsu.edu/cud/about_ud/about_ud.htm

    [3] http://www.humanrights.gov.au

    [4] http://www.w3.org