On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement to the Authentication in an Internet Banking Environment guidance first issued in Oct. 2005. The FFIEC considered that further guidance was appropriate due to the continued growth of electronic and mobile banking and greater sophistication of the associated threats, which have increased risks for financial institutions and their customers.
The Supplement reflects the FFIEC’s view that the controls in its previous guidance have become less effective over time as criminals have used techniques such as “corporate account takeover” to inflict large losses on banks and their online banking customers. The new guidance is expected to spur adoption of enhanced authentication technologies and controls, particularly for smaller financial institutions that may not have invested as heavily in advanced security technology as the largest banks.
Specifically, the Supplement:
· Reiterates the risk-management framework described in the 2005 guidance;
· Identifies customer authentication techniques that are less effective in the current environment and calls for enhanced measures;
· Outlines minimum layered security control elements for online banking activities; and
· Sets forth specific minimum elements that should be part of an institution’s customer awareness and education program.
The FFIEC member agencies have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the Supplement beginning in Jan. 2012.