The Federal Financial Institutions Examinations Council on Tuesday issued a supplement to its Internet banking authentication recommendations.

The new document updates guidance issued in 2005. The FFIEC doesn't recommend any specific software solutions in the report but said it has instructed its member agencies, including the NCUA, to formally assess financial institutions based on the new guidance beginning in January 2012.

“The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Customers and financial institutions have experienced substantial losses from online account takeovers,” the FFIEC document said.

“Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions,” it said.

The 12-page report notes that not all transactions in the growing online channel involve the same measure of risk and recommends financial institutions increase the strength of their controls as the risk increases.

“I just finished reviewing the FFIEC guidance issued today. It looks like good progress compared to the open-ended nature of the 2005 recommendations. Most big banks are already doing the tasks laid out,” said Steven Kietz of Woodbury Advisors in New York, a former executive with JP Morgan Chase, Citigroup and Mobile Money Ventures.

“I would like to see more specific requirements to prevent fraud, like tokens and using text messaging to issue one-time passwords,” Kietz added.

The report does provide some detail of FFIEC's expectations, including layered security programs that involve fraud detection and monitoring systems, dual customer authorization through different access devices, out-of-band verification for transactions, and debit blocks and other techniques to screen or limit the amount of transactions.

Detection of transaction anomalies also was heavily stressed and included in the measures the FFIEC said it expected financial institutions to use “at a minimum.”

“Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior,” the new guidance said.

While it also cited the need for financial education as a tool and for constantly updated anti-malware software, the FFIEC said it realized that no defenses have proved totally secure.

“It is important to note, that none of the controls discussed provide absolute assurance in preventing or detecting a successful attack,” the council's report said.

The FFIEC makes policy recommendations to attempt to achieve greater uniformity in regulatory policies. It is made up of representatives from five federal regulatory agencies and one representative of state regulators.

Debbie Matz chairs the FFIEC, the first National Credit Union Administration chairman in that post. The agencies represented are the NCUA, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the State Liaison Committee.
