12:10 PM
Nancy Feig

Banks Scramble to Meet FFIEC Online Banking Authentication Guidelines by Yearend

As the FFIEC online banking authentication deadline looms, banks work through the confusion to select their solutions.

Less than four months remain for banks to meet the Federal Financial Institutions Examination Council's year-end deadline for Internet banking authentication, but some confusion remains over what is an acceptable solution. When the FFIEC agencies initially released the guidance on Oct. 12, 2005, many banks were left scratching their heads as the guidance explicitly states that it "does not endorse any particular type of technology." Rather, the FFIEC says, banks should assess their own risk and decide which solutions best meet their individual needs.

Adding to the confusion, bankers, vendors and experts have fixated on the term "multifactor authentication." But the FFIEC never explicitly states that multifactor authentication is the only way to comply. According to the FFIEC's guidance, "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

By now, many banks have put in place solutions that they think meet the federal agencies' guidelines, according to Ariana-Michele Moore, senior analyst in Celent's (Boston) banking group. Most of the larger banks have something in place already, and the smaller banks mostly are going with what their online banking vendors are offering, she says.

But as the deadline inches ever closer, many banks have begun to look at what other institutions are doing, Moore adds. "They're saying, 'If everyone else is going down this path, then we should be doing this as well,'" she relates. While Celent does not go as far as recommending one solution above others, it stresses that banks should choose a solution that is "convenient, customer friendly, flexible and capable of rebuilding customer trust."

Furthermore, as a result of the FFIEC's ambiguity, there are a significant number of banks that have not taken action, Moore notes.

Putting Authentication in Place

Among the banks taking action, Santa Clara, Calif.-based SVB Financial Group ($5.1 billion in assets), earlier this year implemented software from Bharosa (Santa Clara). "Bharosa offered a strong authentication solution that satisfied FFIEC demands for multifactor authentication for online banking transactions, and it easily integrated into our existing architecture," says David Webb, SVB's CIO. The bank spoke to several U.S. vendors when selecting a solution, but chose Bharosa because its products were cost efficient to implement while providing "high-quality fraud detection and authentication capabilities," Webb adds.

The solution consists of two components -- Bharosa Tracker and an authentication module. "The tracker provides proactive, real-time fraud detection via software that works behind the scenes to track online user behavior," Webb explains. "The authenticator is a virtual authentication device that protects against a full range of online identity theft threats."

Still, amid the uncertainty, one big question looms: What will happen to the banks that don't meet the deadline?

Many observers say that it depends on each bank's audit schedule, Celent's Moore reports. If a bank won't be audited until late 2007, it likely has a little more leeway when it comes to implementing a solution, she suggests. But if a breach were to occur in that time period, Moore warns, there are going to be some consequences.

Strong Authentication

  • Be easy for customers to use;
  • Allow customers to use it anywhere;
  • Be cost-effective;
  • Provide appropriate levels of security;
  • Be easily manageable; and
  • Work across different channels of interaction.