Financial services firms get updated authentication guidance

The Federal Financial Institutions Examination Council (FFIEC) recently updated the authentication guidance it provides to financial services firms that conduct online banking services. The supplement is to the Authentication in an Internet Banking Environment guidance issued in October 2005.

This month’s update is designed to reinforce risk-based authentication for customers and covers layered security and other controls designed to mitigate transaction risk. Expert reaction to the guidance’s efficacy has been mixed.

The update emphasizes the importance for organizations to conduct risk assessments and increase end-user awareness of attacker threats — but doesn’t provide any guidance on technologies to use to increase security.

Jacob Jegher, senior analyst at financial services research and consulting firm Celent, wasn’t overly impressed with the update. “I must say that this document doesn’t say much that most banks don’t already know. The wording is vague, open to interpretation, and unclear. It’s a great read for someone who is new to the space that wants to get a high-level overview of some of the challenges banks are facing,” he wrote in his post following the release of the guidance.

Avivah Litan, financial services, authentication, and fraud analyst at Gartner, wasn’t as glum. “The guidance came out and clearly stated that every form of authentication can be defeated. I think banks need to hear this, and the previous version of the guidance was way too focused on authentication techniques,” she said.

Other areas she cited as positive include its advice on updated risk assessments, and what infrastructure and customer changes need to be considered as part of those assessments. The update also called out the need for financial services firms to tightly control and monitor privileged user accounts.

However, Litan argued, the supplement could have been more concrete in its guidance. “The document is very wishy-washy in its wording, with words like “could” and “suggested” used way too often,” she says.

Financial services companies don’t have to rush to implement the guidance. FFIEC agencies will be working with financial institutions with the guidance, and examiners won’t start to formally assess financial institutions until January.

George V. Hulme writes about security and technology from his home in Minneapolis. He is still saving to open his first bank account. He can, however, be found on Twitter as @georgevhulme.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now