Multifactor Authentication: How One Small CU Complied with FFIEC Guidelines

Small credit unions face unique challenges. They must comply with new FFIEC guidelines and provide a solution that is not only cost-effective but convenient for members.


By Level 9


Financial institutions were put on notice in October 2005 when the FFIEC mandated all credit unions implement multifactor authentication by the end of 2006 for their online banking services. This regulatory issuance resulted in a lot of activity for the security vendors to come up with “complying solutions." Smaller credit unions were hit hardest because nearly all of the immediate solutions from security vendors were beyond their means. They were all prohibitively expensive, reserved for credit unions at the top 5 percent to 10 percent in asset size.

Vendors and leaders in the credit union technology community tend to seek a “standard solution” whereas the market seeks a “simple solution.” Standard solutions are usually expensive. In the pursuit of a solution there are really four subject areas that must be considered: FFIEC compliance, member impact and adoption, technology and installation, and cost.

The FFIEC does not endorse any one solution. There are many available options, ranging from biometrics, to hardware appliances, to software solutions. Any and every combination could (and probably will) be argued as “compliant.” There is no definitive technological approach. This leaves it up to us to determine what is best for our own institution’s needs. As a market, we’re doing what we always do; we’re waiting to see what others do and what works. The problem with this strategy is that small institutions can’t ever afford to do what big institutions do, so smaller institutions should look now to find inexpensive solutions for themselves.

Will the technology be well received and adopted by your membership? What happens if your solution is perceived by your membership as cumbersome or awkward? Will it reflect badly on you and will you lose customers? Does whatever solution you are considering require a significant change in user behavior? Do your members appreciate why you’re making changes? Do they understand that you are taking important measures to protect their identity and their money? How much of an obstacle would they be willing to accept as part of the solution you select in exchange for a heightened sense of security and a feeling that your credit union is doing everything they can to protect them?

What are the technology and installation requirements? Does it require new hardware, like a dedicated security server? Does it require a special configuration of your banking platform? Does it actually change or replace your existing login? Does it require your member to physically have something, like a device or token? Does it do more than it needs to? Does it require credit union manpower to install, test and deploy? Who is responsible for maintenance? Are there installation costs on top of usage costs? Is my core processor coming forward with a solution? Is my core processor’s solution acceptable or suitable for my use? Does my core processor need to be involved at all?

What should this cost, initially and ongoing? Should I have to pay for installation? How much? Should there be per user charges? What if my members are intense users of the online banking channel? Should I pay a premium? The real question is “Can I afford this solution?” For nearly all of the options currently on the market the answer is clearly no.

Any successful conforming solution must address all of these questions: Is it a compliant solution? Will my membership readily accept it and use it? Is it easy to install? Is it affordable? Clearly it’s not just about the technology. If the answer to any one of these questions is out of balance with the others, than whatever solution you deploy is self-defeating.

These realities create a very difficult mandate for smaller credit unions to meet, those institutions with less than $200M in assets. How do they proceed?

A Successful Solution

First Cheyenne Federal Credit Union ($26M in Cheyenne, WY) is a small credit union. It was the first credit union in its market, now a very competitive market with nine credit unions and numerous banks servicing a local population of approximately 55,000. Competition is fierce. Bill Helms, President of First Cheyenne Federal Credit Union is very tech savvy:

“Member acceptance and cost were the major determining factors when we chose our security solution. Many options were not appropriate, just far too expensive. We wanted a solution that’s easy to use, reliable, and one that fulfills our obligations to protect our member’s identity. Our members need to feel safe when they use our online services. This addresses that need better than all others,” says Helms.

Smaller credit unions are delicate structures. They, by necessity, must present a full docket of services to their membership, all the while operating under disproportionately strong operational constraints. In other words, they must present “a larger than life image” with a small supporting infrastructure.

First Cheyenne Federal Credit Union selected Safe2Login as their multifactor authentication solution. “Not only does it fulfill our multifactor authentication needs, it’s actually the best anti-phishing product out there,” says Helms. Additionally, Safe2Login is very easy to install. There is zero cost associated with the installation. “The real beauty is that this solution is realistically priced. We can actually afford it," says Helms.

The operational pressures on smaller credit unions are severe. Of course, they must comply with the FFIEC guidelines but do so in a manner that makes sense to them and their unique world. Luckily there is a solution well suited for their needs. is an award-winning web services technology CUSO providing custom application design and development services exclusively to credit unions. These services include: Safe2Login – winner of the CUNA Tech Council 2005 Future Forum “Best of Show” award - a Banking Login Mutual Authentication solution that conforms with the recent NCUA and FFIEC agencies issued guidance; knowledge management products and services; multi-language website support; advanced content management solutions; third-party integration services; and’s Behavior-Based Promotion Manager that provides online targeted marketing solutions which support campaign management with cross-selling intelligence.



This sponsored content article is provided to the credit union community for shared insights and knowledge from a recognized solutions provider in the industry. Please note that the views and opinions offered here do not reflect those of Callahan & Associates, and Callahan does not endorse vendors or the solutions they offer.

If you are interested in contributing an article on, please contact our Callahan Media team at or 1-800-446-7453.


Feb. 20, 2006


  • Not explanatory enough. For those of us in small CUs without the knowledge of what FiFec is looking for I am lost but I know I definetly need it.
  • Great solutions available from, completely unphishable. Once logging one with name/password, a one time password is texted/emailed/voicemailed automatically. Can also register a specific browser, too...
  • Safe2Login does not meet the FFIEC's definition of "true multi-factor authentication" because it simply validates more of "something the user knows", not "something the user has" or "something the user is". In addition, Sage2Login is ridiculously easy to compromise. Simply by refreshing the webpage 2 or 3 times, the fraudster can determine the correct Safe2Login key since it is the only one that re-appears each time the choices are presented.