In June the FFIEC (Federal Financial Institutions Examination Council) updated its advice to banks, setting out what it expects from customer authentication, layered security and other controls in the "increasingly hostile online environment".

The update to 2005 guidance followed a spate of successful cyber attacks on small companies, businesses and retail customer accounts and a succession of legal tussles between banks and their customers over liability issues.

The council - which includes representatives from six agencies - says that with no authentication method fool-proof, banks must implement a layered security programme, using at least two elements.

The results of Guardian Analytics' poll of more than 300 executives at over 100 banks and credit unions suggest that institutions are acting on the new expectations but many will still have to rush to meet the 2012 deadline.

So far, only 57% of institutions have completed their risk assessment and 59% have formulated a plan to fill their online banking security gaps.

The new guidance looks set to be a boon to security vendors, with the majority - 84% - of respondents planning to invest in new technologies to address the enhanced expectations.

However, despite the deadline rapidly approaching, only 43% say they have actually purchased new tech, with 49% intending to in the future. Many are planning their investments for the next six to 12 months, just in time for their 2012 exam.

The survey also reveals confusion over what exactly is expected, with nearly half of those quizzed not fully understanding the minimum expectations. When asked, 41% were unable to identify anomaly detection as an FFIEC minimum expectation for layered security, and 56% could not identify enhanced controls for business banking administrative functions.

Terry Austin , CEO,Guardian Analytics, says: "The FFIEC raised the bar on their expectations for online security, and financial institutions are scrambling to evaluate and invest in preparation for their 2012 exams."