I’ve been hearing this rumor for a while now, but we may actually be seeing something new from the FFIEC soon. Gartner is the latest to suggest that an update to the 2005 guidance on authentication is imminent.
In addition to updating it for technological advances since 2005 (Facebook and LinkedIn were in their infancy, and Twitter hadn’t even been launched), I hope it also addresses the increasing responsibility held by the customer (both commercial and consumer) for data security. I continue to believe that there should be shared responsibility, and liability, for establishing and maintaining a secure electronic banking environment.
Reg. E protects the consumer, and so far the courts have held overwhelmingly in favor of the commercial customer as well. Will regulators extend Reg. E to commercial accounts, or place more responsibility on the customer? Could the new guidance further define “commercially reasonable”?
My guess is that we may not see much clarification on these issues, but we are likely to see additional burdens placed on the financial institution. For example, don’t be surprised to see customer education become more prescriptive, with the financial institution being responsible for it.