FFIEC tells banks to make transactions more secure with two-factor authentication
28 November, 2005
Federal guidelines not mandatory, but highly recommended for financial houses that want to stay in their examiners’ good graces
By Marisa Torrieri, Contributing Editor
Expect to see more U.S.-based financial institutions shelling out big bucks to revamp static security systems. New guidelines put out last month by the Federal Financial Institutions Examination Council (FFIEC) call for banks to incorporate new, secondary secure-ID technology by the end of 2006. The reason, says an FFIEC spokesman, is to better ensure the security of customers’ financial data.
Therefore, banking institutions wanting to stay in the good graces of federal and state examiners must start using secondary security methods, such as one-time password tokens, to enhance existing, single-factor authentication systems (i.e., single user-derived passwords).
The FFIEC document, Authentication in an Internet Banking Environment, calls for financial institutions serving retail and consumer customers to assess their security “risk management” strategies and implement secondary “systems and practices.” Whether such strategies are “provided internally or by a technology service provider,” the FFIEC document recommends financial institutions should:
- Identify and assess the risks associated with the full range of Internet-based products and services;
- Identify risk mitigation actions, including appropriate measures to verify and authenticate customers, and measure and evaluate customer awareness efforts;
- Establish, evaluate, and adjust, as appropriate, their information security programs in light of any relevant changes in technology, the sensitivity of their customer information, and internal or external threats to information; and
- Implement appropriate risk mitigation strategies.
While the FFIEC says it neither prefers nor endorses a specific “solution,” the document’s suggested secondary authentication methods include: digital certificates with public key infrastructure (PKI), one-time password generators, smart cards, USB plug-ins and other types of “tokens.”
The federal guidance emerged following input from all federal agencies that supervise banks, including the FDIC, a spokesman for the FFIEC tells SecureIDNews.
Mandatory or optional?
The discussion surrounding the guidelines often centers on their “teeth,” or the ability of the governing bodies to enforce the recommendations. While nearly all agree that the guidance is not mandatory, failing to take action to improve security will reflect adversely on a financial institution.
The FFIEC is an official government council established to help guide bank examination procedures across the key bodies that regulate financial institutions. Officially, it is described as “a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.”
In an October 13, 2005 letter, Richard Spillenkothen, Director, Board of Governors of the Federal Reserve System, states: “Examiners should begin to assess financial institutions’ progress in meeting the expectations outlined in the guidance and thereafter monitor ongoing conformance as needed during the risk-focused examination process. Financial institutions will be expected to have achieved conformance with the guidance by year-end 2006. Examiners should document situations where financial institutions have not achieved conformance with the guidance by that time.”
Clearly, the sharpness of those “teeth” remains in question, but there are indications that they do indeed exist.
Industry reactions …
Industry insiders, including a growing number of technology companies offering two-factor authentication products, say the recommendations are good, though a bit vague.
What’s left open for interpretation, says Steve Langerock, CEO of Aladdin Knowledge Systems (one of the companies marketing its two-factor ID products to banks at the corporate “vertical” level), is exactly what security measures banks should put in place.
“The recommendation is clear in [stating] that single-factor authentication is not sufficient,” Langerock says. However, “What [the FFIEC document] says is that you need to find something for consumers, but it leaves it open.”
Therefore, just what a bank should do to comply – so it receives a good rating from examiners – is yet to be determined.
Still, the recommendations point to a harrowing reality that today’s electronic transactions are too susceptible to hacking, says Julian Lovelock, a product manager for ActivIdentity (formerly known as ActivCard). The public company is one of a growing number that provide hardware- and software-based authentication products to make online banking more secure.
U.S. banks are slower to adopt sophisticated technology and therefore more vulnerable to the impacts of bank fraud and “phishing.” While corporate banks are well aware of the need for two-factor authentication, U.S. consumer banks underestimate the need for a higher level of security, Lovelock says.
“It used to be acceptable in consumer banking to use one password, but the increasing fraud sophistication and the ability to target thousands of consumers at once, [demands] a step up in the consumer banking environment,” says Lovelock. Since the guidance was posted, Lovelock says ActivIdentity has enjoyed a slight sales increase.
What will it cost to comply?
For U.S. banks, the recommendations could mean a hefty investment for an upgrade to a company’s existing security systems. The cost of the investment varies, depending on a bank’s particular needs. ActivIdentity’s Single Sign-On authentication solutions, for example, cost $27,500 for 500 users. However, the Fremont, Calif.-based vendor says that it offers volume discounts for quantities above 500 users, which are decided on a case-by-case basis.
But most banks are probably well aware of the need for additional security, says Lovelock, adding that European banks, and especially those in Northern Europe, have been more willing to deploy two-factor solutions. This is due to fraud being taken more seriously by both the bank and the customer. Hence, customers show a greater willingness to accept additional security measures when banking online, Lovelock says.