New guidelines published in the US this summer by the Federal Financial Institutions Examination Council (FFIEC) strongly advised banks that they should offer multi-factor authentication to corporate customers by January 2012.
The guidelines were presented as a supplement to an official guidance document entitled 'Authentication in an Internet Banking Environment' first published by the FFIEC in 2005.
For those unfamiliar with the FFIEC, its 'advice' is not really something that can merely be kicked around for consideration; the council is a formal inter-agency body "empowered to prescribe uniform principles and standards for the federal examination of financial institutions" by numerous public agencies. It also makes recommendations to promote uniformity in the supervision of financial institutions.
The guidelines also make it clear that US financial institutions should implement a layered approach to security for high-risk online systems. US banking regulators are scheduled to start assessing financial institutions at the beginning of the New Year against these new guidelines; non-compliance may result in hefty regulatory fines.
So as the banking and security industries across the Atlantic meet this multi-factor authentication challenge head-on, there are obvious questions to be asked here in the UK: will the UK banking sector lose its perceived online security lead on the US? Will the UK follow suit with regulatory guidance (and, if so, when)? What are the overall ramifications for the UK security industry?
First, logic suggests that with such a significant step being taken in the US to make multi-factor authentication the standard for business banking customers (initially), it will only be a matter of time before the UK banking security industry follows suit. The US is essentially setting a best-practice precedent, meaning that the UK banking industry cannot afford to be left behind. After all, if online banking fraud becomes more difficult stateside, then comparatively less secure UK bank accounts might witness an increase in fraud activity.
It could be argued that the UK banking sector is presently ahead of the US, with some UK banks already deploying token-based two-factor authentication (2FA) solutions to corporate customers and higher-value personal account-holders. There are still many cases in the UK, however, where access is secured only by username, password and memorable data, and in light of the new US guidance, these bank accounts could become a soft target for criminal activity.
Regardless of whether the UK follows America's lead and goes down the route of regulatory guidance in the short, mid or long term, developments in the US seem pretty certain to impact the UK security industry in a rather positive way.
In the unlikely event that this development leads only the domestic US market to observe the new guidelines, a natural progression for banks following the FFIEC's 'advice' to offer enhanced security to corporate customers would be to roll out multi-factor authentication for personal accounts too. After all, the banking industry is highly competitive and financial institutions have to be seen to take the security of all accounts very seriously, not just those of the more lucrative corporate and individual customers.
An 'all banking customer' roll-out for multi-factor authentication in the US would not only result in a likely shift of fraud activity to other geographical regions (potentially stimulating further demand for strong authentication solutions globally), but would also mean that multi-factor authentication suddenly becomes 'mass-market'.
Consumers worldwide will become more acutely aware of the mechanism which offers them higher levels of protection against online banking security threats, and it will come to be expected as the norm. If it hasn't already done so by that point, the UK banking industry will have no other option than to follow suit. The result? The use of usernames and passwords to protect our bank accounts online will finally, and thankfully, become a thing of the past, and creativity and competition will be stimulated within the security industry as new market opportunities emerge.
Perhaps a less considered, but equally possible, result of these guidelines from the FFIEC is that they will trigger the beginning of the end for token-based multi-factor authentication platforms. Banks that need to deploy multi-factor authentication solutions across a wide-scale customer base will seek to invest in robust solutions that are not only scalable, but cost-effective.
Consideration must also be given to the roll-out of multi-factor authentication for online banking from a user's perspective. Most people will have a relationship with a multitude of financial institutions, thanks to the extensive choice of banking products (current accounts, savings accounts, credit cards and mortgages, for example) from many different providers. Individuals would soon become overwhelmed if they were required to carry around multiple authentication tokens, one for each banking service. This would be an entirely impractical and inconvenient approach. It would also prove very costly for banks.
In my opinion, what is happening now in the US will most likely influence the progress made by the UK banking security sector in the months and years ahead. UK banks that stand to gain the most are those which are seen to be innovating now, at the early adopter stage.
They will be the ones that take the lead in proving that their key priority is managing and reducing the online banking risks of all customers. In turn, this development represents a huge opportunity for security providers; we could be witnessing the birth of a significant security upgrade within the UK and global banking industry.
So it's all eyes on the US as we wait to see whether the FFIEC guidelines will truly be a catalyst for change. We could be on the verge of a banking security revolution.
Chris Russell is vice-president of technology at Swivel Secure