I suspect an update to the Federal Financial Institutions Examination Council's 2005 guidance on authentication is on the horizon.
Significant changes in technology, coupled with the emergence of new security threats since the guidance was issued, are forcing the council to take a closer look at the currently prescribed authentication methods.
Since 2005, social media has emerged as a widely accepted marketing strategy for most financial institutions.
Technology tools such as merchant capture and remote automated clearing house origination also have become mainstream. Alongside these advances in technology, the type and number of threats posed to institutions, especially online criminal activity, have risen correspondingly.
The FFIEC recognizes this and realizes that the authentication methods prescribed several years ago may be inadequate today. In an effort to address these issues, the council issued a preliminary update draft titled "Interagency Supplement to Authentication in an Internet Banking Environment." This latest guidance has reflected to some degree the issues raised by Internet banking and follows established best practices for data security, including the adoption of a layered security approach. This updated guidance on pre-implementation and continuing risk assessments is sound advice. The requirement for institutions to educate their customers is encouraging as well.
However, the current version of the update falls short in several respects.
In regard to customer education, the guidance stops short of requiring the customer to take at least partial responsibility for transaction security. However, the biggest shortfall, in my opinion, is the lack of preventive control requirements on the customer's side. Industry best practices dictate that an effective security program have controls in three categories: preventive, detective and corrective. The current guidance mandates a financial institution's layered security approach in only two of these categories, ignoring the preventive measures. I suspect revised guidance will prescribe more customer education, placing the burden on financial institutions to provide this.