Last October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance to the financial services industry for data security in the online banking environment. In concluding that multifactor authentication should be the standard for online identity verification, the FFIEC emphasized the need for risk-based assessment and the implementation of appropriate risk-mitigation strategies to reliably authenticate customers accessing financial institutions' Internet-based services.
But was the FFIEC's move a subtle hint to banks that more "guidance" might be on the way if they do not do a better job of securing customer data in the online environment? Security specialists from SystemExperts agree there was nothing subtle about the guidance at all. "It requires banks to develop and implement a comprehensive approach to authentication," asserts SystemExperts President Jonathan Gossels. "The guidance requires a massive change in the banking industry."
Although the FFIEC report covers several security methods (such as chip cards, biometrics and tokens), it does not endorse any one technology, something for which the FFIEC should be applauded, claims Gossels, who says the FFIEC report was a good first step in getting financial institutions up to snuff in securing customer data. However, more needs to be done, he adds, noting that an obvious omission from the guidance was phishing, since the report does not require mutual authentication.
According to Cheng Tang, a consultant with SystemExperts, the guidance is "better than a first step, since it lays out a strategy for secure Internet banking." But, he adds, it was "lax on internal/employee-initiated crime," such as fraud and embezzlement.
Still, the guidance was a necessary push for the industry. Though banks will not publicly admit it, "They will wait for an organization like the FFIEC to force them to move to a more stringent authentication strategy and all do it at the same time," contends Brad Johnson, VP of consulting at SystemExperts. "If they all have to change, they won't feel as vulnerable about losing some of the customer base."
Banks must perform the mandated risk assessments by the end of 2006, so expect to hear more from the FFIEC this year. --Maria Bruno-Britz