Six Months and Counting: Meeting FFIEC Authentication Regulations

With just six months left before financial institutions must comply with enhanced authentication, credit unions have their work cut out for them.


FFIEC Guidance states that financial institutions offering “internet-based financial services” must enhance authentication tools. Regulators expect institutions to “authenticate the identity of customers using online products and services.” The examiners will be reviewing progress, and they want compliance by year-end 2006 – yes…six months!

So where are we, as an industry, in the progression towards compliance? BAI Banking Strategies recently took a poll during their May conference to see where financial intuitions are in the process of implementing the new authentication regulations. According to the survey, about half are either ready (16%) or almost ready (35%). Another 39% say they have a game plan while 10% are still just researching.

How Ready is Your Organization for MFA?





Almost Ready


Have a Game Plan


Just Researching


Survey responses have also been categorized by asset range. Almost 99% of credit unions fall into BAI’s category for institutions under $1 billion. As shown in the chart below, most of the survey respondents at institutions under $1 billion in assets either have a plan or are still just researching. Barely any institutions at this range have implemented systems or taken action.

Increased Security as a Competitive Advantage

As financial institutions continue to roll out their programs over the coming year, consumers will become increasingly aware that more stringent requirements are being put in place. While some financial institutions such as Bank of America have tried to leverage their enhanced security as a competitive advantage, in time this will become a standard expectation.

It is important for credit unions to not only implement advanced security, but thoroughly communicate the benefits to members. A recent survey conducted by Callahan’s Internet Strategy Consortium revealed that online members are less than satisfied with their credit union’s website security, primarily because they don’t know about it. Implementing a multi-factor authentication program offers a great opportunity to inform members about the credit union’s security features and reassure them of the safety and benefits of the online channel. The risk is that members who are less aware will assume that safeguards do not exist, and turn to another financial institution that they perceive has greater security.

UW Credit Union – Branding Multi-Factor Authentication

Some credit unions have met FFEIC compliance already and stand out as great examples. One is UW Credit Union ($850M, Madison, WI), which has not only implemented a multi-factor authentication system but also created a brand for it – VerifyU. According to Eric Bangerter, Director of Internet Services, the importance of branding for their authentication lies in having their members aware that enhanced security is in place. The logo for VerifyU appears during enrollment, at login, and during a challenge. As UW rolls out new enhancements, these will also carry the logo and brand. This helps reassure members that the credit union is not only concerned about security but is implementing sufficient protections.

With FFEIC regulation deadlines looming, credit unions should be thinking about implementation now. To hear more about how Eric Bangerter and UW Credit Union implemented their authentication tools, attend Callahan & Associates’ Credit Union IT Security: Evaluating and Managing Risk  webinar, sponsored by Corillian.