The Federal Financial Institutions Examination Council lastsummer released the supplement to its “Authentication in anInternet Banking Environment” guidance, which was first issued bythe FFIEC in 2005.

The deadline for meeting the new requirements is now andexaminations with the new guideline are getting under way.

These updates of the FFIEC regulations specifically addressmember authentication, layered security and other controls in thegrowing online environment.

Listed below are five major questions about compliance with theFFIEC's recent guidance on banking authentication that every creditunion should be aware of prior to implementing a solution.

What does “layered security” actually mean?

“Layered security' refers to the arrangement of fraud tools in asequential fashion. A layered approach starts with the mostsimple, benign and unobtrusive methods of authentication andprogresses toward more stringent controls as the activity unfoldsand the risk increases.

What does “multi-factor” authentication actuallymean?

A simple example of multi-factor authentication is the use of adebit card at an ATM machine. The plastic debit card is anitem that you must physically possess to withdraw cash, but thetransaction also requires the PIN number to complete thetransaction. The card is one factor, the PIN is a second. Thetwo combine to deliver a multi-factor authentication.

Who does this guidance affect? And does it affecteach type of credit grantor/ lender differently?

The guidance pertains to all financial institutions in the U.S.that fall under the FFIEC's influence. While the guidancespecifically mentions authenticating in an online environment, it'sclear that the overall approach advocated by the FFIEC applies toauthentication in any environment.

What will the regulation do to help mitigate fraud riskin the near-term and long-term?

The guidance is an important reinforcement of several criticalideas: Fraud losses undermine faith in our financial system. Fraudtactics evolve constantly and the tools that combat them have toevolve as well. The guidance provides a perspective on why it isimportant to be able to understand the risk and to respondaccordingly.

How are organizations responding?

Experian estimates that less than half of the institutionsimpacted by this guidance are prepared for theexaminations. Many of the fraud tools in the marketplace,particularly those that are used to authenticate individuals weredeployed as point-solutions. Few support the need for a feedbackloop to identify vulnerabilities, or the ability to employ arisk-based, 'layered' approach that the guidance is seeking.

Christopher Ryanis a senior fraud business consultant with Experian'sGlobalConsulting Practice.