The Federal Financial Institutions Examination Council (FFIEC) recently updated the authentication guidance it provides to financial services firms that conduct online banking services. The supplement is to the Authentication in an Internet Banking Environment guidance issued in October 2005.
This month’s update is designed to reinforce risk-based authentication for customers and covers layered security and other controls designed to mitigate transaction risk. Expert reaction to the guidance’s efficacy has been mixed.
The update emphasizes the importance for organizations to conduct risk assessments and increase end-user awareness of attacker threats — but doesn’t provide any guidance on technologies to use to increase security.
Jacob Jegher, senior analyst at financial services research and consulting firm Celent, wasn’t overly impressed with the update. “I must say that this document doesn’t say much that most banks don’t already know. The wording is vague, open to interpretation, and unclear. It’s a great read for someone who is new to the space that wants to get a high-level overview of some of the challenges banks are facing,” he wrote in his post following the release of the guidance.
Avivah Litan, financial services, authentication, and fraud analyst at Gartner, wasn’t as glum. “The guidance came out and clearly stated that every form of authentication can be defeated. I think banks need to hear this, and the previous version of the guidance was way too focused on authentication techniques,” she said.
Other areas she cited as positive include its advice on updated risk assessments, and what infrastructure and customer changes need to be considered as part of those assessments. The update also called out the need for financial services firms to tightly control and monitor privileged user accounts.
However, Litan argued, the supplement could have been more concrete in its guidance. “The document is very wishy-washy in its wording, with words like “could” and “suggested” used way too often,” she says.
Financial services companies don’t have to rush to implement the guidance. FFIEC agencies will be working with financial institutions with the guidance, and examiners won’t start to formally assess financial institutions until January.
George V. Hulme writes about security and technology from his home in Minneapolis. He is still saving to open his first bank account. He can, however, be found on Twitter as @georgevhulme.