FFIEC Authentication Guidance: Final Update Issued

Revises Authentication, Layered Security Expectations
FFIEC Authentication Guidance: Final Update Issued
For all the latest news and views, please visit the FFIEC Authentication Guidance Resource Center.

The Federal Financial Institutions Examination Council has formally released the long-awaited supplement to its "Authentication in an Internet Banking Environment" guidance, which was first issued by the FFIEC in October 2005.

Formal assessments for compliance with the new guidance will begin in January 2012.

The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

The official supplement highlights the need for:

  • Better risk assessments;
  • Effective strategies for mitigating known online risks;
  • Improved customer and employee fraud awareness. [See FFIEC Guidance: Focus on Awareness.]

The industry has been anxiously awaiting the publication of these directives since last December, when expected updates to FFIEC's 2005 guidance were inadvertently released by the National Credit Union Administration. [See NCUA Disclosed FFIEC Draft.]

Industry experts have shared their likes and dislikes about the drafted guidance, and many have speculated about when the official guidance would be published. [See the FFIEC Resource Center for more information.]

George Tubin, a senior research director for TowerGroup who's been actively involved with reviews of the FFIEC guidance, says the official supplement differs on a few points from the December draft. "I think they cut back on a few things," such as including multifactor authentication requirements for retail and commercial banking in the same category.

"It appears to now be based on the risk profile, more strongly worded for commercial customers," Tubin says.

In a news release about the official update, the FFIEC says growing sophistication of online threats have increased risks for financial institutions and their customers. "Customers and financial institutions have experienced substantial losses from online account takeovers," the FFIEC states. "Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions."

The FFIEC says it will continue to work closely with financial institutions to promote security in electronic banking. Examiners have been directed to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012.

The FFIEC is made up of the following regulatory agencies: the NCUA, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.