Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:56 AM
Connect Directly

Fortifying Online Banking

Last October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance to the financial services industry for data security in the online banking environment. In concluding that multifactor authentication should be the standard for online identity verification, the FFIEC emphasized the need for risk-based assessment and the implementation of appropriate risk-mitigation strategies to reliably authenticate customers accessing financial institutions' Internet-based services.

But was the FFIEC's move a subtle hint to banks that more "guidance" might be on the way if they do not do a better job of securing customer data in the online environment? Security specialists from SystemExperts agree there was nothing subtle about the guidance at all. "It requires banks to develop and implement a comprehensive approach to authentication," asserts SystemExperts President Jonathan Gossels. "The guidance requires a massive change in the banking industry."

Although the FFIEC report covers several security methods—such as chip cards, biometrics and tokens—it does not endorse any one technology, something for which the FFIEC should be applauded, claims Gossels, who says the FFIEC report was a good first step in getting financial institutions up to snuff in securing customer data. However, more needs to be done, he adds, noting that an obvious omission from the guidance was phishing, since the report does not require mutual authentication.

According to Cheng Tang, a consultant with SystemExperts, the guidance is "better than a first step, since it lays out a strategy for secure Internet banking." But, he adds, it was "lax on internal/employee-initiated crime," such as fraud and embezzlement.

Still, the guidance was a necessary push for the industry. Though banks will not publicly admit it, "They will wait for an organization like the FFIEC to force them to move to a more stringent authentication strategy and all do it at the same time," contends Brad Johnson, VP of consulting at SystemExperts. "If they all have to change, they won't feel as vulnerable about losing some of the customer base."

Banks must perform the mandated risk assessments by the end of 2006, so expect to hear more from the FFIEC this year. --Maria Bruno-Britz

Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.