Developing an FFIEC Compliant Strategy

June 27, 2006


San Francisco, CA, USA June 27, 2006

New guidance calls for banks to beef up security for Internet banking by the end of 2006 and has left many banks questioning how they will respond.

The banking industry was thrown into a tizzy when the Federal Financial Institutions Examination Council (FFIEC) issued its guidance on authentication in an Internet banking environment in late 2005. The main source of anxiety was the call for multi-factor authentication in the online banking environment. Given that most banks rely upon usernames and passwords to authenticate their online populations, which is considered single-factor authentication, the banking industry is now forced to re-assess its online banking environment. In a new report, Celent critiques the guidelines from the FFIEC and the available technologies that can help banks comply.

"Prior to the call for multi-factor authentication few banks deployed it," says Ariana-Michele Moore, author of the report. "Therefore most banks are under pressure to find something that will work by year end. Of course, this is easier said than done."

The overall movement of the banking industry toward two-factor authentication has been at a snail's pace. Celent predicts that many banks will scurry at the last minute to put something in place, and it is quite likely that many will not deploy two-factor authentication by year end 2006.

Choosing an approach to multi-factor authentication is not easy in today's environment. To the bank's advantage, several solutions have existed in the market for years, but many have also failed to gain traction due to their high cost of implementation, inconvenience to customers, and, at times, the overall ridiculousness of their intended application. However, a few solutions are positioned as strong contenders for financial institutions.

Among the leaders are computer analysis solutions and out-of-band authentication. Though others, such as tokens and biometrics, would provide the most robust method of authentication, they are often not practical for today's online customer. Regardless of the method chosen, banks are wise to choose something that is convenient, consumer friendly, flexible, and capable of rebuilding consumer trust. Above all, it is important to remember that fraud is an evolving beast that will continue to keep us on our toes for years to come.

A table of contents for the report is available online.


Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned operating unit of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
Tel: +1 212 345 1366

Europe (London)
Chris Williams
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
Tel: +81 3 3500 3023

Table of Contents

Executive Summary
Introduction
  The Online Channel
  Online Fraud
FFIEC Guidelines
  Call for Multi-Factor Authentication
Assessing the Risk of Transactions
  Steps to Assessing Risk
  The Various Degrees of Risk
  Deploying Multi-Factor Authentication
Multi-Factor Authentication Technologies
  Tokens and Related Devices
  Device (or Machine) Analysis
  Out-of-Band Authentication
  Biometrics
  Digital Certificates and Signatures
  Mutual Authentication
  Risk-Based Analysis and Monitoring
  Comparing the Technologies
Conclusion
Objectivity & Methodology
