US banking regulators have given the nation's banks an end-2006 deadline to introduce multi-factor authentication for "high risk" Internet transactions.
The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on the risk management controls necessary to authenticate the identity of customers accessing online financial services, and has stated that US banks will be expected to comply with the rules - which include the introduction of multi-factor authentication - by the end of 2006.
The council is an inter-agency body representing the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
The guidance, which applies to all member banks, states that firms are expected to use enhanced authentication methods when verifying online customers, and that single-factor authentication, when used as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds.
Where risk assessments indicate that the use of single-factor authentication is inadequate, FFIEC says financial institutions should implement multi-factor authentication.
The regulator also says that banks should ensure there are reliable methods of originating new customer accounts online - as required by the US Patriot Act - and implement fraud detection systems. Banks are also expected to educate customers about the dangers of ID theft.
FFIEC says financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
Earlier this year the FDIC called on banks to do more to protect the security and confidentiality of sensitive customer data in order to prevent account hijacking.