FFIEC News

Research Report: Majority of U.S. Banks Have Now Adopted FFIEC Guidelines for Online Banking Authentication

(Nov 21, 2007)-- When the Federal Financial Institutions Examination Council (FFIEC) issued guidelines in late 2005 to push the U.S. banking industry toward stronger security measures for consumer online banking, the industry was exceedingly slow to respond. Today, new research from TowerGroup finds that 95 percent of U.S. banks now comply with - - or are close to complying with -- the FFIEC's authentication guidance.

In implementing risk-based authentication -- often using a combination of device identification, IP geolocation, and challenge/response questions -- banks seem to have been able to strike an appropriate balance between authentication "strength" and customer convenience. Many banks report that new authentication techniques have reduced online fraud losses while driving increases in consumer Internet banking adoption and usage. This counters early concerns that stronger authentication technology would inconvenience consumers to the point of driving online banking usage down.

Moving forward, TowerGroup advises U.S. banks to continue augmenting current risk-based authentication technologies with additional device- identifying components, especially IP intelligence data. Further, banks should implement back-end fraud detection technologies that identify transactional and behavioral anomalies, and seek out ways to share fraud data pertaining to known fraud sources across the industry. Banks cannot simply meet the current FFIEC guidance and rest on their laurels; they must continue stay ahead of the curve.

The new research, titled "Meeting the FFIEC Authentication Guidance Deadline: U.S. Banks Receive an A," by George Tubin -- Research Director, Delivery Channels and Financial Information Security -- is available to qualified members of the press for review.

Share or bookmarklet this web page at: