Making the FFIEC Guidance Operational
Report Format: PDF
On Oct. 12, 2005, the agencies of the Federal Financial Institutions Examination Council (FFIEC) published joint guidance entitled "Authentication in an Internet Banking Environment," recommending that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers. The FFIEC published its guidance after the Federal Deposit Insurance Corporation (FDIC), one of the five agencies of the FFIEC, had issued similar recommendations in its December 2004 study "Putting an End to Account-Hijacking Identity Theft." Among the measures the FDIC recommended to its member banks in that report was upgrading from single-factor to two-factor authentication for access to online banking. A related recommendation was also included in the FDIC's July 2005 "Guidance on Mitigating Risks From Spyware."

The FFIEC's October 2005 guidance considers single-factor authentication, as the only control mechanism, to be inadequate for online banking. Rather, banks should use authentication methods (authentication being the process of verifying the identity of a person or entity) that are both effective and appropriate to the risks associated with online banking. These methods include multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks.

It is important to note that the guidance is not a formal regulation; it does not create any legal obligation for banks. It is only a recommendation, strong guidance to be exact. Financial institutions are taking this guidance seriously and implementing it because it comes from not one, but five regulatory agencies of the financial sector, and because the FDIC gave banks a deadline of Dec. 31, 2006 to comply.

