A multi-agency U.S. federal advisory body with broad regulatory powers over banks Tuesday issued new guidelines aimed at improving security in Internet-based banking and financial services.
The Federal Financial Institutions Examination Council (FFIEC) updated its guidance for how financial institutions should plan to authenticate customers’ online identities by the end of next year. The FFIEC said authentication of a customer via simple password and ID alone is inadequate for high-risk transactions involving access to customer information or the movement of funds to other partners.
The guidelines, entitled Authentication in an Internet Banking Environment, http://www.FFIEC.gov replaces a guidance document issued in 2001, Authentication in an Electronic Banking Environment.
The Washington, D.C.-based FFIEC is composed of member agencies that include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, along with five representatives from state regulatory agencies.
The FFIEC claims to not endorse any particular technology in its new guidance, which simply emphasizes that the authentication techniques employed by the financial institution should be appropriate to the risks associated with their products and services.
The FFIEC document does provide basic descriptions of several technologies, including digital certificates, smart cards, one-time passwords, USB plug-ins, and biometric identification methods, among others.
The new guidance document, which the FFIEC says it issued due to concerns about phishing, identity theft and online fraud, indicates the FFIEC expects to see stronger authentication methods in place next year.
At the same time, the FFIEC also notes the impact of catastrophic events, such as that caused by hurricanes, could affect the ability of some financial institutions to conform to the guidance within the specified timeframe. In some instances, affected financial institutions would be afforded an extension if circumstances warrant, the FFIEC said.
By Ellen Messmer - Network World (US online)