The Federal Financial Institutions Examination Council (FFIEC) has released an FAQ about their requirement for US banks to improve user authentication for Internet banking customers. The “guidance” to banks issued in 2001 and updated in October 2005, and the impending deadline is evidently causing some consternation in the US banking world. The FAQ ‘clarifies’ issues such as multifactor authentication and tokens. These are not absolutely required but there are certain very limited circumstances under which they might not be needed. “An institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.” There you go, clear as mud.
More identity theft and user authentication resources