Developing an FFIEC Compliant Strategy
Abstract
San Francisco, CA, USA, June 27, 2006
New guidance calls for banks to beef up security for Internet banking by the end of 2006 and has left many banks questioning how they will respond.
The banking industry was thrown into a tizzy when the Federal Financial Institutions Examination Council (FFIEC) issued its guidance on authentication in an Internet banking environment in late 2005. The main source of anxiety was the call for multi-factor authentication in the online banking environment. Given that most banks rely upon usernames and passwords to authenticate their online populations, which is considered single-factor authentication, the banking industry is now forced to re-assess its online banking environment. In a new report, Celent critiques the guidelines from the FFIEC and the available technologies that can help banks comply.
"Prior to the call for multi-factor authentication few banks deployed it," says Ariana-Michele Moore, author of the report. "Therefore most banks are under pressure to find something that will work by year end. Of course, this is easier said than done."
The overall movement of the banking industry toward two-factor authentication has been at a snail's pace. Celent predicts that many banks will scurry at the last minute to put something in place, and it is quite likely that many will not deploy two-factor authentication by year end 2006.
Choosing an approach to multi-factor authentication is not easy in today's environment. To the bank's advantage, several solutions have existed in the market for years, but many have also failed to gain traction due to their high cost of implementation, inconvenience to customers, and, at times, the overall ridiculousness of their intended application. However, a few solutions are positioned as strong contenders for financial institutions.
Among the leaders are computer analysis solutions and out-of-band authentication. Though others, such as tokens and biometrics, would provide the most robust method of authentication, they are often not practical for today's online customer. Regardless of the method chosen, banks are wise to choose something that is convenient, consumer friendly, flexible, and capable of rebuilding consumer trust. Above all, it is important to remember that fraud is an evolving beast that will continue to keep us on our toes for years to come.
A table of contents for the report is available online.
Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned operating unit of Marsh & McLennan Companies [NYSE: MMC].
Table of Contents
The Online Channel
Call for Multi-Factor Authentication
Assessing the Risk of Transactions
Steps to Assessing Risk
The Various Degrees of Risk
Deploying Multi-Factor Authentication
Multi-Factor Authentication Technologies
Tokens and Related Devices
Device (or Machine) Analysis
Digital Certificates and Signatures
Risk-Based Analysis and Monitoring
Comparing the Technologies
Objectivity & Methodology