Authentication For Preventing Account Takeover

The federal government has recognized that depending solely on passwords as a way to prevent unauthorized access to online bank accounts is inadequate. The Federal Deposit Insurance Corporation, in a December 2004 report entitled Putting an End to Account Hijacking Identity Theft, recommended that financial institutions adopt a two-factor authentication procedure for access to online accounts, to replace reliance on passwords only. The report was updated in June 2005 with a Supplement that revised the original report on the basis of comments received. As a result, the original recommendations were modified to suggest that "the widespread use of user ID and password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected."

The Federal Financial Institutions Examination Council (FFIEC), a federal interagency organization that includes the FDIC, followed up on this by issuing a "guidance" in October 2005 that calls for banks to implement stronger forms of authentication for access to online accounts. The date given for compliance is year-end 2006. The FFIEC guidance, entitled Authentication in an Internet Banking Environment, states that "the agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

[NOTE: On August 15, 2006, a Frequently Asked Questions document was issued by the government to aid in the implementation of the guidance.]


The guidance directs that banks perform a risk assessment and, "where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."  

Taken together, these two statements imply that one outcome of the risk assessment will be an identification of the points in a bank's Internet banking services where these high-risk transactions take place, and that "multifactor authentication, layered security, or other controls" must be put into place there to prevent fraudulent transactions.
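To make that outcome concrete, here is an added example (not from the FFIEC guidance or from any bank's system) of a step-up authentication check: it flags a transaction as high risk under the guidance's two criteria, then requires two distinct factor categories before allowing it. The transaction catalogue, the Session model and all names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, PIN, security question
    POSSESSION = "something you have"   # OTP token, registered device
    INHERENCE = "something you are"     # fingerprint


class Risk(Enum):
    LOW = 1
    HIGH = 2


# Constructed catalogue: name -> (moves funds to another party?, exposes nonpublic personal info?)
TRANSACTIONS = {
    "view_marketing_offers": (False, False),
    "view_statement": (False, True),
    "update_mailing_address": (False, True),
    "wire_to_external_payee": (True, False),
    "add_external_payee": (True, False),
}


def assess_risk(transaction: str) -> Risk:
    """Apply the guidance's criterion: access to customer information or
    movement of funds to other parties is a high-risk transaction."""
    moves_funds, exposes_npi = TRANSACTIONS[transaction]
    return Risk.HIGH if (moves_funds or exposes_npi) else Risk.LOW


@dataclass
class Session:
    user: str
    # Set of factor *categories* already verified in this session. Two passwords
    # (or a password plus a security question) are both KNOWLEDGE and count once,
    # which is what makes this multifactor rather than merely multi-step.
    verified: set[Factor] = field(default_factory=set)


def authorize(session: Session, transaction: str) -> tuple[bool, str]:
    """Return (allowed, reason). High-risk transactions need two categories."""
    risk = assess_risk(transaction)
    required = 2 if risk is Risk.HIGH else 1
    have = len(session.verified)
    if have >= required:
        return True, f"{transaction} allowed ({risk.name} risk, {have} factor categories)"
    return False, (f"step-up required: {transaction} is {risk.name} risk, "
                   f"needs {required} factor categories, session has {have}")
```

The second return value is written to be logged as-is, so every denied high-risk attempt leaves a record of which transaction triggered the step-up.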

The FFIEC guidance defines customer information as "nonpublic personal information." But are all transactions that involve access to customer information necessarily "high risk"?   And for those transactions that do fall under the guidance's mandate, what should replace today's single-factor authentication schemes that depend on passwords alone?

Some Implications of the FFIEC Guidance