In August, the FFIEC (US Federal Financial Institutions Examination's Council), released a FAQ on their upcoming end of 2006 deadline for financial institutions "Authentication in an Internet Banking Envrionment". I am referencing it here for readers who want to keep up with the regulations that US financial institutions must comply with.
Some things to note in the US:
1. Telephone banking is included in the regulations.
2. Multi-factor authentication is not required. The note says that "The use of
multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted."
This regulation is a general wakeup call to US Financial institutions. However, the regs are very vague and it will likley not seriously slow down identity theft in the US. Many banks have already deployed transaction authentication as a means of reducing their risk.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
del.icio.us