The Federal Financial Institutions Examination Council (FFIEC) has issued a Supplement to the 2005 Authentication in an Internet Banking Environment Guidance (http://www.fdic.gov/news/news/press/2011/pr11111a.pdf). According to the FFIEC, the Supplement was issued to "reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment."
The Supplement reiterates the expectations of the 2005 Guidance and establishes "minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment." The Supplement also identifies "specific minimum elements that should be part of an institution’s customer awareness and education program."
The Supplement stresses the need for institutions to perform risk assessments, implement effective strategies for mitigating identified risks (such as heightened customer authentication standards for high-risk transactions), and implement layered security programs. The Supplement discusses the effectiveness of certain authentication techniques, such as device identification and challenge questions. The Supplement also emphasizes the need for institutions to raise customer awareness of potential risks associated with Internet banking.
According to the Supplement, FFIEC member agencies will "work closely with institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012."
If you have any questions regarding this issue or any other Banking and Finance issues, please contact the author, Mark E. Miller.