Compliance scorecard: FFIEC authentication guidance

“Authentication in an Electronic Banking Environment” is a document released by the United States Federal Financial Institutions Examination Council (FFIEC) in 2001 to provide guidance to U.S. financial institutions on authenticating customers in electronic or online transactions. Its goals in doing so are to safeguard customer information; to prevent money laundering and terrorist financing; to reduce fraud and the theft of sensitive customer information; and to promote legal enforceability of financial institutions’ electronic agreements and transactions. The guidance was revised in 2005.

The FFIEC guidance clearly states that “single-factor authentication, as the only control mechanism, [is] inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.” That means that a simple username/password combination is officially recognized as insufficient security for online transactions.

While guidance does not equal regulation, many banks treat the FFIEC document as law, because other rules, such as the Uniform Commercial Code and GLBA, require that banks take reasonable precautions to protect customers against fraud and information theft, and the guideline legally raises the bar for what is “reasonable.”

While the guidance states that single-factor authentication is not enough, that does not mean that banks should all be issuing biometric readers and tokens to their customers. Multi-factor authentication in the banking environment can mean many things, says Jerry Tylman, partner with business consulting firm Greenway Solutions. “For example, your ID and password is one factor. The second factor could be a risk score based on a suspect IP address,” he says. “If you are logging in from an unusual address, they may ask you for your mother’s maiden name before you can continue.”

That type of additional security certainly strengthens authentication. But one of the complex problems with online banking fraud is that even information like your mother’s maiden name can be acquired by a diligent criminal to bypass such methods.

“Most of the data that gets into the hands of fraudsters gets there through social engineering,” Tylman says. “It was not the banks that gave the data away, it was the customer.” For this reason, banks that want to go beyond the guidelines to protect customers should implement multiple layers of security that include knowledge-based questions (e.g. the color of your car), signature analysis (e.g. something that identifies your computer), and transaction analysis to assess if your online activity is normal or abnormal (e.g. this person has never attempted to wire money to Russia). Layered protection like this is by far the most effective way of preventing and detecting fraud.
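The layered approach Tylman describes above (a password as one factor, a risk score from the login context such as an unfamiliar IP address or an unrecognized device, and transaction analysis that flags activity the customer has never shown) can be expressed as a small decision engine. The following is an added illustration, not code from the article, from Greenway Solutions or from any bank; every weight, threshold, network range and customer history in it is a constructed assumption.

```python
"""
Risk-based, layered authentication decision engine (illustrative example).

Scores a login and, optionally, a wire request against what is known about
the customer, then returns one of three actions: allow the session, require
a step-up challenge (a second factor), or block and refer for review.
Weights and thresholds are hypothetical values chosen for the example.
"""
from dataclasses import dataclass, field
import ipaddress

STEP_UP_THRESHOLD = 30   # at or above: ask for a second factor (assumption)
BLOCK_THRESHOLD = 70     # at or above: refuse and refer for review (assumption)


@dataclass
class CustomerProfile:
    customer_id: str
    known_networks: list      # networks seen in prior successful logins
    known_devices: set        # device-signature hashes seen before
    wire_countries: set       # destination countries of prior wires
    typical_wire_max: float   # largest wire previously sent


@dataclass
class LoginContext:
    ip: str
    device_signature: str
    password_ok: bool         # result of the first factor (ID + password)


@dataclass
class WireRequest:
    amount: float
    dest_country: str         # ISO country code of the beneficiary bank


@dataclass
class Decision:
    action: str               # "allow", "step_up" or "block"
    score: int
    reasons: list = field(default_factory=list)


def score_login(profile, ctx):
    """Signature analysis: does this session look like the customer's usual ones?"""
    score, reasons = 0, []
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(n) for n in profile.known_networks):
        score += 30
        reasons.append("login from unfamiliar network")
    if ctx.device_signature not in profile.known_devices:
        score += 20
        reasons.append("unrecognized device signature")
    return score, reasons


def score_transaction(profile, wire):
    """Transaction analysis: is the requested activity normal for this customer?"""
    if wire is None:
        return 0, []
    score, reasons = 0, []
    if wire.dest_country not in profile.wire_countries:
        score += 35
        reasons.append(f"first wire to {wire.dest_country}")
    if wire.amount > 2 * profile.typical_wire_max:
        score += 25
        reasons.append("amount far above customer history")
    return score, reasons


def decide(profile, ctx, wire=None):
    """Combine the layers into a single allow / step_up / block decision."""
    if not ctx.password_ok:
        # The first factor failed; no amount of context rescues the session.
        return Decision("block", 100, ["primary credential failed"])
    login_score, login_reasons = score_login(profile, ctx)
    tx_score, tx_reasons = score_transaction(profile, wire)
    score = login_score + tx_score
    reasons = login_reasons + tx_reasons
    if score >= BLOCK_THRESHOLD:
        return Decision("block", score, reasons)
    if score >= STEP_UP_THRESHOLD:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


def sample_profile():
    """Constructed customer history for the example (not real data)."""
    return CustomerProfile(
        customer_id="cust-0001",
        known_networks=["203.0.113.0/24"],   # documentation range, constructed
        known_devices={"dev-a1b2"},
        wire_countries={"US", "CA"},
        typical_wire_max=2000.0,
    )


if __name__ == "__main__":
    p = sample_profile()
    # Usual network, usual device, no wire: plain password is enough.
    print(decide(p, LoginContext("203.0.113.10", "dev-a1b2", True)))
    # New network: the risk score calls for a second factor before continuing.
    print(decide(p, LoginContext("198.51.100.7", "dev-a1b2", True)))
    # Everything unfamiliar plus a large wire to a never-used country: block.
    print(decide(p, LoginContext("198.51.100.7", "dev-zz99", True),
                 WireRequest(5000.0, "RU")))
```

The step-up branch is where the article's caveat about mother's maiden name applies: a knowledge-based question is cheap, but because that data is routinely obtained through social engineering, a possession factor such as a one-time code sent to a registered device is the stronger choice for the challenge, with the knowledge question kept as a low-weight extra layer rather than the sole gate.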

Marleah Blades is senior editor for the Security Executive Council. For more information about the Council, visit