Financial Institutions Falling Short on FFIEC Compliance

Jun 06, 2007 · 2 min read
Data and Information Security, IT Leadership, Physical Security

In October of 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled “Authentication in an Internet Banking Environment.”

The guidance is available here. It updated guidance issued several years earlier on the same topic. Those of you working in the financial services industry should be well familiar with the contents of this document.

In summary, it states that single-factor authentication is no longer adequate for many online banking transactions. The FFIEC set a goal for banks that by the end of last year they would assess their online banking sites and, where appropriate for the risk involved, deploy a strong authentication solution (e.g., multifactor authentication). Well, 2006 has come and gone and many institutions are still scrambling to implement strong authentication on their systems.

The point of this entry is not to criticize those financial institutions that have yet to implement such solutions, but to ask why other industries are not more quickly following suit. Strong authentication makes sense for any company that is committed to protecting the sensitive information entrusted to it by its customers. While strong authentication technologies have been widely available for some time, I see little appetite on the part of many online retailers and others to implement those solutions. The reason often given is consumer impact: placing friction on a customer's ability to quickly access the site and make a purchase. To my mind, this concern is greatly diminished by the technologies now available to address this issue.

Phishing and identity theft are rampant. Responsible businesses that are really interested in reducing the problem need to start looking at these technologies, yesterday.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.