We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,994 News Articles

Financial services firms get updated authentication guidance

The Federal Financial Institutions Examination Council (FFIEC) recently updated the authentication guidance it provides to financial services firms that conduct online banking services. The supplement is to the Authentication in an Internet Banking Environment guidance issued in October 2005.

This month's update is designed to reinforce risk-based authentication for customers and covers layered security and other controls designed to mitigate transaction risk. Expert reaction to the guidance's efficacy has been mixed.

Mobile payments and PCI DSS compliance: Some, but not much, clarity (yet)

The update emphasizes the importance for organizations to conduct risk assessments and increase end-user awareness of attacker threats -- but doesn't provide any guidance on technologies to use to increase security.

Jacob Jegher, senior analyst at financial services research and consulting firm Celent, wasn't overly impressed with the update. "I must say that this document doesn't say much that most banks don't already know. The wording is vague, open to interpretation, and unclear. It's a great read for someone who is new to the space that wants to get a high-level overview of some of the challenges banks are facing," he wrote in his post following the release of the guidance.

Avivah Litan, financial services, authentication, and fraud analyst at Gartner, wasn't as glum. "The guidance came out and clearly stated that every form of authentication can be defeated. I think banks need to hear this, and the previous version of the guidance was way too focused on authentication techniques," she said.

Other areas she cited as positive include its advice on updated risk assessments, and what infrastructure and customer changes need to be considered as part of those assessments. The update also called out the need for financial services firms to tightly control and monitor privileged user accounts.

However, Litan argued, the supplement could have been more concrete in its guidance. "The document is very wishy-washy in its wording, with words like "could" and "suggested" used way too often," she says.

Financial services companies don't have to rush to implement the guidance. FFIEC agencies will be working with financial institutions with the guidance, and examiners won't start to formally assess financial institutions until January.

George V. Hulme writes about security and technology from his home in Minneapolis. He is still saving to open his first bank account. He can, however, be found on Twitter as @georgevhulme.

Read more about identity management in CSOonline's Identity Management section.


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Do you have the X-Factor too? Mix Off app puts fans in the frame

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'