FFIEC Compliance Guidelines

The rise in sophisticated threats from criminals gaining unauthorized access to online banking accounts led the Federal Financial Institutions Examination Council (FFIEC) to issue a supplement to its 2005 Authentication in an Electronic Banking Environment guidance.  The supplement, released in June 2011, is intended to provide more specific information about authentication technologies and to establish minimum controls for Banks to follow to better address the higher authentication risks they now face.  FFIEC compliance is considered a layered approach to security: it is not limited to one specific technology but relies on a number of different tactics and strategies working together.

Related to identity verification is a section on the effectiveness of certain authentication technologies, including challenge questions.  Specifically, the FFIEC compliance supplement states that Banks should no longer consider shared secret challenge questions to be an effective risk mitigation technique.

Instead, Banks should use “out of wallet” questions (sometimes referred to as dynamic knowledge-based authentication) because these are more sophisticated than simple questions such as “What’s your mother’s maiden name?” and “Where did you graduate from high school?” and cannot be easily answered by an imposter.

IDology’s out of wallet solutions ExpectID IQ and ExpectID Enterprise help Banks meet the FFIEC compliance guidelines.  Both of these dynamic KBA solutions can be deployed easily and quickly either in an online banking system or in a call center.

How IDology’s Out of Wallet Solutions Work:

ExpectID IQ and ExpectID Enterprise offer a Bank the ability to dynamically generate questions that are used to verify someone’s identity.  The difference between them lies in the type of questions you want to ask.  ExpectID IQ generates questions using IDology’s data sources, while ExpectID Enterprise allows you to generate out of wallet questions based on your own proprietary data without having to share that data with us.  Both are effective at determining that someone is who they claim to be, and both are supported by IDology’s robust fraud control features.

IDology’s Benefits:

  • Allows you to comply with the FFIEC guidelines for effective authentication techniques
  • Dynamically generates out of wallet questions
  • Gives complete control over the question verification process, from the number of questions presented to which data sources are used
  • Easily integrates with your existing technology and procedures
  • Provides consistency in verifying callers in your call center

Sample Applications:

  • Account Origination
  • Password Resets
  • Wire Transfers
  • Address Changes
  • Unusual Customer Activity
  • Anywhere you previously used a shared secret