FFIEC Internet Banking Guidance: Banks Begin to Show Their Hands
Glenbrook's Linda Elliott has been following the banking industry's efforts to comply with the FFIEC Internet Banking Guidance issued almost a year ago. Here, Linda provides the following update on what the industry has been doing - and talking about:
The implementation deadline for FFIEC Internet Banking Guidance looms at the end of this year, and after almost a year of studying both the guidance and their options, banks are beginning to show their hands in addressing the guidance. Clarifications from the FFIEC last month added little to the set of considerations for most institutions, but re-iterated that the implementation target is the end of the year, and that ‘do nothing’ was not considered a valid response, even if a bank is willing to accept the inherent risk in that approach.
Gathering data from recent press releases and web-casts, we’ve compiled a table the choices which have been made public. There are many solution providers offering tools to meet the FFIEC guidance, but only a handful of those have appeared in public announcements of implementations. We’ve not included strategic alliances or announcements that amount to one provider making tools available through a solution set provider, such as a banking software provider, because those announcements do not necessarily mean that any financial institution is adopting the approach as its FFIEC response.
Some institutions appear to have chosen one solution while others are clearly taking the approach of multiple tools to address various aspects of internet banking security. Based on analysis of the original guidance and a reading of the recent clarifications from the FFIEC, those with a suite of layered security solutions may be best positioned for their examinations.
We will continue to track these announcements as they emerge and will keep this chart updated. If you have comments or corrections to this information, please contact Linda Elliott at Glenbrook.
Table 1 - Publicly Announced Implementations in response to FFIEC Guidance on Internet Banking - Last Update: September 4, 2006
| Bank | Date, Component | Source, Vendor |
| Wells Fargo Jim Smith, EVP, Internet Channel and Products “No one solution can solve the problem; we favor a layered security approach” | 8/28/06 | WFB Press Release |
| Real Time Risk Analysis | Bharosa | |
| Integrated Data | Quova | |
| Transaction and Session Behavior | Actimize | |
| OTP | RSA SecureID | |
| Account alerts to e-mail | ||
| Phish Report Network | Symantec | |
| PR: “Be Safe” | ||
| AMSouth Bank | 8/27/06 | Birmingham News |
| Device ID + QA + Picture | vendor not named | |
| Zions Bank Lee Carter, President of Online Banking Suite called “SecureEntry” | 8/23/06 | Zions/RSA Webcast |
| Device ID | RSA Adaptive Authentication | |
| Two-way authentication | ||
| Challenge questions | ||
| Client selected photo and phrase | ||
| ING Direct | 8/23/06 | RSA Webcast |
| Risk-based Authentication (DeviceID; Questions) | RSA | |
| Anti-Phishing | RSA | |
| Washington Mutual | 8/23/06 | RSA Webcast |
| Anti-Phishing | RSA | |
| Risk-based Authentication (DeviceID; Questions) | RSA | |
| Barclay’s | 8/23/06 | RSA Webcast |
| Anti-Phishing | RSA | |
| Transaction Monitoring | RSA | |
| North Fork Bank / All Points Capital | 8/23/06 | Press Release |
| Multi-factor authentication w software smartcard | Arcot | |
| US Bank | 8/23/06 | Entrust Press Release |
| Activity Patterns | Entrust / Business Signatures | |
| Citibank | 8/23/06 | Entrust Press Release |
| Activity Patterns | Entrust / Business Signatures | |
| Citibank - Business Customers | 2005 | Citi Press Release |
| OTP - Business, Commercial Customers | VASCO DigiPass | |
| Nevada State Bank | 8/8/06 | Press Release |
| Mutual Authentication | RSA / Passmark | |
| Frost Bank | 8/4/06 | Bank Technology News |
| Consumer: Mutual Authentication | RSA/Passmark | |
| Commercial: PKI Signatures | tbd | |
| Silicon Valley Bank | 7/31/06 | Bharosa Press Release |
| Fraud detection | Bharosa | |
| Desert Schools FCU | 7/25/06 | Bharosa Press Release |
| Fraud detection | Bharosa | |
| Multi-factor authentication | Bharosa | |
| Stonebridge Bank | 2005 | RSA Flier |
| OTP | RSA SecureID | |
| American Bank | 2005 | RSA Flier |
| OTP | RSA SecureID | |
| Bank of America | 2005 | |
| Mutual Authentication | RSA / Passmark | |
| E*Trade | 2005 | |
| OTP | RSA SecureID | |
| Risk-based Authentication (Device ID; Questions) | RSA | |
| Anti-Phishing | RSA |
Add your comment... (note that all comments are reviewed before they're published)