In the second quarter of 2011, the Federal Financial Institutions Examination Council (FFIEC) unveiled its long-anticipated updates to its electronic banking authentication guidelines. These updates became necessary because of the rapid adoption of internet and mobile banking services offered by financial institutions, large and small, to consumers. The document, available here via BankInfoSecurity.com, reinforces the recommendation that financial institutions undergo regular, periodic risk assessments and urges increased sophistication in authenticating end-user identities. Most notable in the updated guidance are the recommendations for “layered” authentication methods, including out-of-band verification, device recognition, and consumer verification.
Financial institutions have made significant progress since the release of the updated guidance fifteen months ago, according to William Henley, associate director of the FDIC’s technology supervision branch. In a recent interview with BankInfoSecurity.com, Henley also states that the FDIC is most interested in seeing institutions take the guidance seriously and work towards compliance, or, as he puts it, make “good-faith efforts.” He says that, for the most part, FDIC examiners are seeing those efforts from financial institutions of all sizes.
Throughout New England, GraVoc has noticed similar trends among community banks and credit unions. When it comes to the items recommended in the FFIEC Online Authentication Guidance, practices and controls that were the exception before 2011 have now become the norm. Multifactor authentication, security images, out-of-band challenge questions, and IP recognition are now widely used. As consumers have become extremely comfortable bringing their financial transactions to the Internet, and malicious parties have responded in turn, it is promising to see financial institutions taking the necessary steps to protect their customers.