The US Federal Financial Institutions Examination Council (FFIEC) federal has issued new guidelines aimed at overhauling security in Internet-based banking and financial services.
The body, which has broad regulatory powers over the banking sector, updated its guidance for how financial institutions should plan to authenticate customers online identities by the end of next year.
The FFIEC said authentication of a customer via simple password and ID alone was inadequate for high-risk transactions involving access to customer information or the movement of funds to other partners.
The guidelines, entitled Authentication in an Internet Banking Environment, replaces a guidance document issued in 2001, Authentication in an Electronic Banking Environment.
The FFIEC is composed of member agencies that include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, along with five representatives from state regulatory agencies.
The FFIEC claims to not endorse any particular technology in its new guidance, which simply emphasises that the authentication techniques employed by the financial institution should be appropriate to the risks associated with their products and services.
The FFIEC document does provide basic descriptions of several technologies, including digital certificates, smart cards, one-time passwords, USB plug-ins, and biometric identification methods, among others.
The new guidance document, which the FFIEC says it issued due to concerns about phishing, identity theft and online fraud, indicates the FFIEC expects to see stronger authentication methods in place next year.
At the same time, the FFIEC also notes the impact of catastrophic events, such as that caused by hurricanes, could affect the ability of some financial institutions to conform to the guidance within the specified timeframe. In some instances, affected financial institutions would be afforded an extension if circumstances warrant, the FFIEC said.