FFIEC Internet Banking Guidance: Bank Updates
Glenbrook's Linda Elliott has been following the banking industry's efforts to comply with the FFIEC Internet Banking Guidance issued almost a year ago. We first posted her summary of bank strategies last September. Now, Linda provides an update on what the industry has been doing since then:
We've updated our earlier chart on announced FFIEC compliance actions. We are now beginning to see more varied approaches to the dual-factor authentication challenge. Biometrics is being rolled out at some smaller institutions, such as credit unions. Today, VeriSign and Northern Trust announced use of the VeriSign network approach to risk-based authentication. While the field of announced solutions is more varied than before, the large security firms still seem to be announcing more 'wins' with larger companies.
Gathering data from recent press releases and webcasts, we’ve compiled and updated a table showing the choices that have been announced. There are many solution providers offering tools to meet the FFIEC guidance, but only a handful of those have appeared in public announcements of implementations. We’ve not included strategic alliances or announcements that amount to one provider making tools available through a solution set provider, such as a banking software provider, because those announcements do not necessarily mean that any financial institution is adopting the approach as its FFIEC response.
Some institutions appear to have chosen one solution while others are clearly taking the approach of multiple tools to address various aspects of internet banking security. Based on analysis of the original guidance and a reading of the recent clarifications from the FFIEC, those with a suite of layered security solutions may be best positioned for their examinations.
We will continue to track these announcements as they emerge and will keep this chart updated. If you have comments or corrections to this information, please contact Linda Elliott at Glenbrook.
Table 1 - Publicly Announced Implementations in response to FFIEC Guidance on Internet Banking - Last Update: October 25, 2006
| Bank | Date, Component | Source, Vendor |
| --- | --- | --- |
| Northern Trust | 10/25/06 | VeriSign and Northern Trust Press Release |
| | Risk Based Authentication: patterns, network and PC forensics | VeriSign VIP Fraud Detection Service (FDS), VeriSign Unified Authentication Service |
| Parda Federal Credit Union | 10/9/06 | BioPassword and Allied Solutions Press Release |
| | Keystroke Dynamics | BioPassword |
| Automotive Federal Credit Union | 10/9/06 | BioPassword and Allied Solutions Press Release |
| | Keystroke Dynamics | BioPassword |
| The Bankers Bank | 10/2/06 | Digital Persona Press Release |
| | Fingerprint authentication | Digital Persona |
| United Bankers' Bank | 10/2/06 | Digital Persona Press Release |
| | Fingerprint authentication | Digital Persona |
| FORUM Credit Union | 9/25/06 | BioPassword and Allied Solutions Press Release |
| | Keystroke Dynamics | BioPassword |
| M&T Bank | 9/20/06 | M&T, Corillian, Cydelity Press Release |
| | Intelligent Authentication: Device forensics, Selective Challenges | Corillian |
| | eSentry: Tracking suspicious activity | Cydelity |
| Farmers and Merchants Bank of Long Beach | 9/12/06 | RSA and S1 Press Release |
| | Risk Based Authentication | RSA / PassMark |
| | Mutual Authentication | RSA / PassMark |
| | Collaborative Fraud Network | RSA |
| Associated Bancorp | 9/5/06 | Corillian and BanCorp Press Release |
| | Intelligent Authentication (challenge questions) | Corillian |
| Wells Fargo (Jim Smith, EVP, Internet Channel and Products: “No one solution can solve the problem; we favor a layered security approach”) | 8/28/06 | WFB Press Release |
| | Real Time Risk Analysis | Bharosa |
| | Integrated Data | Quova |
| | Transaction and Session Behavior | Actimize |
| | OTP | RSA SecurID |
| | Account alerts to e-mail | |
| | Phish Report Network | Symantec |
| | PR: “Be Safe” | |
| AmSouth Bank | 8/27/06 | Birmingham News |
| | Device ID + QA + Picture | vendor not named |
| Zions Bank (Lee Carter, President of Online Banking; suite called “SecureEntry”) | 8/23/06 | Zions/RSA Webcast |
| | Device ID | RSA Adaptive Authentication |
| | Two-way authentication | |
| | Challenge questions | |
| | Client selected photo and phrase | |
| ING Direct | 8/23/06 | RSA Webcast |
| | Risk-based Authentication (Device ID; Questions) | RSA |
| | Anti-Phishing | RSA |
| Washington Mutual | 8/23/06 | RSA Webcast |
| | Anti-Phishing | RSA |
| | Risk-based Authentication (Device ID; Questions) | RSA |
| Barclays | 8/23/06 | RSA Webcast |
| | Anti-Phishing | RSA |
| | Transaction Monitoring | RSA |
| North Fork Bank / All Points Capital | 8/23/06 | Press Release |
| | Multi-factor authentication with software smartcard | Arcot |
| US Bank | 8/23/06 | Entrust Press Release |
| | Activity Patterns | Entrust / Business Signatures |
| Citibank | 8/23/06 | Entrust Press Release |
| | Activity Patterns | Entrust / Business Signatures |
| Citibank - Business Customers | 2005 | Citi Press Release |
| | OTP - Business, Commercial Customers | VASCO DigiPass |
| Nevada State Bank | 8/8/06 | Press Release |
| | Mutual Authentication | RSA / PassMark |
| Frost Bank | 8/4/06 | Bank Technology News |
| | Consumer: Mutual Authentication | RSA / PassMark |
| | Commercial: PKI Signatures | TBD |
| Silicon Valley Bank | 7/31/06 | Bharosa Press Release |
| | Fraud detection | Bharosa |
| Desert Schools FCU | 7/25/06 | Bharosa Press Release |
| | Fraud detection | Bharosa |
| | Multi-factor authentication | Bharosa |
| Stonebridge Bank | 2005 | RSA Flier |
| | OTP | RSA SecurID |
| American Bank | 2005 | RSA Flier |
| | OTP | RSA SecurID |
| Bank of America | 2005 | |
| | Mutual Authentication | RSA / PassMark |
| E*Trade | 2005 | |
| | OTP | RSA SecurID |
| | Risk-based Authentication (Device ID; Questions) | RSA |
| | Anti-Phishing | RSA |