On June 28, the Federal Financial Institutions Examination Council (“FFIEC”) issued its long-awaited guidance on how banks should protect against cybersecurity threats, supplementing the authentication guidance issued in 2005. The guidance notes that there have been significant changes in the nature and scope of cybercrime since 2005 and expresses concern that customer authentication methods and controls implemented in response to the 2005 guidance have “become less effective.”

The updated guidance states that “financial institutions should implement more robust controls as the risk level of the transactions increases” and that they “should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security.” For example, a layered approach may include security controls such as dual customer authorization through different access devices, out-of-band verification of transactions, and IP reputation-based tools that block connections to banking servers from IP addresses known or suspected to be associated with fraudulent activity.