Making the FFIEC Guidance Operational
On Oct. 12, 2005, the agencies of the Federal Financial Institutions Examination Council
(FFIEC) published joint guidance entitled Authentication in an Internet Banking
Environment, recommending that financial institutions and their application service providers
(ASPs) deploy security measures to reliably authenticate their online banking customers.
The FFIEC published its guidance after the Federal Deposit Insurance Corporation (FDIC),
one of the five agencies of the FFIEC, had issued similar recommendations in its December 2004
study, Putting an End to Account-Hijacking Identity Theft. Among the measures
the FDIC recommended to its member banks in that report was upgrading from single-factor
to two-factor authentication for access to online banking. Another related recommendation
also was included in the FDIC's July 2005 Guidance on Mitigating Risks From Spyware.
FFIEC's October 2005 guidance considers single-factor authentication, as the only control
mechanism, to be inadequate for online banking. Rather, banks should use authentication
methods (authentication being the process of verifying the identity of a person or entity)
that are both effective and appropriate to the risks associated with online banking. These methods include multifactor
authentication, layered security or other controls reasonably calculated to mitigate
those risks.
It is important to note that the guidance is not a formal regulation; it does not create any
legal obligation for banks. It is only a recommendation, strong guidance to be exact.
Financial institutions are taking this guidance seriously and implementing it because the
guidance comes from not one, but five regulatory agencies of the financial sector, and
because the FDIC gave banks a deadline of Dec. 31, 2006 to comply.