US banks have been told by regulators to improve online banking authentication to protect customers increasingly at risk from fraud.
In an update to its 2005 guidance to banks, the Federal Financial Institutions Examination Council (FFIEC) sets out what it expects from customer authentication, layered security and other controls in the "increasingly hostile online environment".
It follows a spate of successful cyber attacks on the accounts of small companies, businesses and retail customers, and a succession of legal tussles between banks and their customers over who is liable for the losses.
The council, which includes representatives from six agencies, says that because no single authentication method is foolproof, banks must implement a layered security programme using at least two elements.
The guidance does not endorse any specific technology, but says banks should have processes designed to detect anomalies and respond to them effectively. It notes that many fraud cases involve unusual sums being withdrawn from accounts, which should ring alarm bells at the bank.
The council also warns banks that they can no longer rely on "simple device identification", that is, using cookies to confirm that a PC belongs to the customer. Instead, banks should adopt more "sophisticated" one-time cookies.
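The layered approach the council describes, as an added example that is not part of the article or the FFIEC guidance: an anomaly check on a withdrawal against the customer's own transaction history, combined with one-time rotating device tokens in place of a static device cookie, so that a copied cookie is detected the moment it is replayed. The history values, thresholds and the `assess_withdrawal` decision scheme are constructed assumptions for illustration.

```python
import secrets
from statistics import mean, pstdev

# Constructed sample: one customer's recent withdrawal amounts (USD)
SAMPLE_HISTORY = [120.0, 80.0, 150.0, 95.0, 110.0, 130.0, 100.0, 90.0]


def amount_is_anomalous(amount, history, z_threshold=3.0):
    """Layer 1: flag a withdrawal far above the customer's usual pattern."""
    if len(history) < 2:
        return True  # no baseline yet: treat as anomalous and step up
    mu, sigma = mean(history), pstdev(history)
    sigma = max(sigma, 0.05 * mu)  # floor so a flat history keeps some tolerance
    return (amount - mu) / sigma > z_threshold


class DeviceRegistry:
    """Layer 2: one-time device tokens. Every successful use rotates the token;
    presenting an already-spent token means the cookie was copied and replayed."""

    def __init__(self):
        self._current = {}   # device_id -> live token
        self._consumed = {}  # device_id -> set of spent tokens

    def enroll(self, device_id):
        token = secrets.token_urlsafe(32)
        self._current[device_id] = token
        self._consumed[device_id] = set()
        return token

    def present(self, device_id, token):
        """Return (status, new_token); status is 'ok', 'replay' or 'unknown'."""
        if device_id not in self._current:
            return "unknown", None
        if token == self._current[device_id]:
            self._consumed[device_id].add(token)
            self._current[device_id] = secrets.token_urlsafe(32)
            return "ok", self._current[device_id]
        if token in self._consumed[device_id]:
            return "replay", None
        return "unknown", None


def assess_withdrawal(amount, history, registry, device_id, token):
    """Combine both layers into one decision: 'allow', 'step_up' or 'block'."""
    status, new_token = registry.present(device_id, token)
    if status == "replay":
        return "block", new_token          # spent token reused: likely stolen cookie
    if status == "unknown" or amount_is_anomalous(amount, history):
        return "step_up", new_token        # unrecognised device or odd sum: extra auth
    return "allow", new_token
```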
The way banks use challenge questions also needs to improve, says the group, warning that with a growing amount of personal information about people available online, the questions need to be tougher.
More generally, the guidance stresses that banks must regularly carry out risk assessments, update their practices to combat evolving threats, and educate customers about risks. However, it fails to properly address potential new threats to emerging channels in the mobile space.
Analysts have also criticised the language used in the guidance for its lack of precision and clarity, offering plenty of wriggle-room for banks that fail to come up to scratch.
The FFIEC member agencies have directed examiners to formally assess financial institutions based on the new guidance from January.
Last month the US government warned that, under new plans from the Obama administration, it will step in to toughen up the cyber-security of financial institutions whose defences are not up to scratch.