Banks Scramble to Meet FFIEC Online Banking Authentication Guidelines by Yearend

As the FFIEC online banking authentication deadline looms, banks work through the confusion to select their solutions.

Less than four months remain for banks to meet the Federal Financial Institutions Examination Council's year-end deadline for Internet banking authentication, but some confusion remains over what is an acceptable solution. When the FFIEC agencies initially released the guidance on Oct. 12, 2005, many banks were left scratching their heads as the guidance explicitly states that it "does not endorse any particular type of technology." Rather, the FFIEC says, banks should assess their own risk and decide which solutions best meet their individual needs.

Adding to the confusion, bankers, vendors and experts have fixated on the term "multifactor authentication." But the FFIEC never explicitly states that multifactor authentication is the only way to comply. According to the FFIEC's guidance, "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

By now, many banks have put in place solutions that they think meet the federal agencies' guidelines, according to Ariana-Michele Moore, senior analyst in Celent's (Boston) banking group. Most of the larger banks have something in place already, and the smaller banks mostly are going with what their online banking vendors are offering, she says.

But as the deadline inches ever closer, many banks have begun to look at what other institutions are doing, Moore adds. "They're saying, 'If everyone else is going down this path, then we should be doing this as well,'" she relates. While Celent does not go as far as recommending one solution above others, it stresses that banks should choose a solution that is "convenient, customer friendly, flexible and capable of rebuilding customer trust."

Furthermore, as a result of the FFIEC's ambiguity, there are a significant number of banks that have not taken action, Moore notes.

Putting Authentication in Place

Among the banks taking action, Santa Clara, Calif.-based SVB Financial Group ($5.1 billion in assets), earlier this year implemented software from Bharosa (Santa Clara). "Bharosa offered a strong authentication solution that satisfied FFIEC demands for multifactor authentication for online banking transactions, and it easily integrated into our existing architecture," says David Webb, SVB's CIO. The bank spoke to several U.S. vendors when selecting a solution, but chose Bharosa because its products were cost efficient to implement while providing "high-quality fraud detection and authentication capabilities," Webb adds.

The solution consists of two components -- Bharosa Tracker and an authentication module. "The tracker provides proactive, real-time fraud detection via software that works behind the scenes to track online user behavior," Webb explains. "The authenticator is a virtual authentication device that protects against a full range of online identity theft threats."

Still, amid the uncertainty, one big question looms: What will happen to the banks that don't meet the deadline?

Many observers say that it depends on each bank's audit schedule, Celent's Moore reports. If a bank won't be audited until late 2007, it likely has a little more leeway when it comes to implementing a solution, she suggests. But if a breach were to occur in that time period, Moore warns, there are going to be some consequences.