5 Questions About New FFIEC Guidance

Register now

The Federal Financial Institutions Examination Council recently released the supplement to its "Authentication in an Internet Banking Environment" guidance. The deadline for meeting the new requirements is now.

These updates of the FFIEC regulations specifically address customer authentication, layered security, and other controls in the growing online environment.

Listed below are five questions about compliance with the recent guidance.

1. What does "layered security" actually mean? Layered security' refers to the arrangement of fraud tools in a sequential fashion, starting with the most simple and progressing toward more stringent controls as the activity unfolds and risk increases.

2. What does "multi-factor" authentication actually mean? A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.

3. Who does this guidance affect? And does it affect each type of credit grantor/ lender differently? The guidance pertains to all financial institutions in the U.S. that fall under the FFIEC's influence. While the guidance specifically mentions authenticating in an online environment, it's clear that the overall approach advocated by the FFIEC applies to any environment.

4. What will the regulation do to help mitigate fraud risk in the near-term and long-term? The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system, and the tools to fight fraud must evolve constantly. raud tactics evolve constantly.

5. How are organizations responding? Research indicates that less than half of the institutions impacted by this guidance are prepared for the exams. Many fraud tools, particularly those used to authenticate individuals, were deployed as point-solutions. There is a need for a feedback loop to identify vulnerabilities, or the ability to deploy a risk-based, "layered" approach the guidance is seeking.

Christopher Ryan is a senior fraud business consultant with Experian's Global Consulting Practice. He can be reached at Chris.Ryan@Experian.com.

For reprint and licensing requests for this article, click here.