The FFIEC Guidance: What You Need to Know Now About Out-of-Band Authentication
As bank examiners begin applying the updated FFIEC Authentication Guidance, many financial institutions will find that their current security practices do not stand up against the strengthened requirements. Arm yourself with the knowledge you need to begin shoring up your authentication controls before your next bank exam.

Register for this webinar from out-of-band authentication provider PhoneFactor to learn:

  • Why many of the security measures currently in place are ineffective at protecting against current online banking threats;
  • The role of out-of-band authentication and transaction verification as security controls;
  • How First Midwest Bank put the FFIEC's recommendations in place, switching from security tokens to out-of-band transaction verification with great success.


The 2011 supplement to the FFIEC Guidance on Internet Banking Security provides an updated view of best practices for securing online banking based on today's threat landscape. The concepts addressed in the supplement are widely recognized by the financial services industry to be critical to preventing online banking fraud.

Examiners began applying these enhanced expectations in January 2012. These include:

  • Layered Security: The concept of Layered Security extends security controls beyond the initial session login to include online banking transactions and administrative functions. This is driven by an increase in real-time attacks that target transactions, such as ACH, wire transfer, and payroll payments. A high level of importance has been placed on identifying suspicious transactions. To minimize the impact on customers, this must be coupled with an easy and effective means for customers to approve legitimate transactions. For many, this involves migrating away from OTP tokens, which, the FFIEC points out, have proven to be vulnerable to attack. Instead, financial institutions will need to look to methods like fully out-of-band technologies that can be used to verify logins, transactions, and administrative functions and offer protection from keyloggers and MITM/MITB attacks.
  • Stronger Authentication Methods: In addition, the updated guidance calls for an overall strengthening of authentication technologies. It notes that out-of-band authentication has taken on a new level of importance given the preponderance of malware running on customer PCs, which can defeat OTP tokens, device identification, challenge questions, and many other forms of strong authentication. In particular, closed loop methods that complete the authentication in an out-of-band channel are seen as offering a greater level of security.

This webinar will present real-world examples, starting with a case study from First Midwest Bank, of how financial institutions can leverage out-of-band transaction verification to meet the strengthened requirements set forth in the updated Guidance before their next bank examination.