
This all started with the first supplement the FFIEC put out regarding authentication in an internet environment in 2005[1]. This initial supplement was put out to clarify what was expected of banks, especially with regard to the FFIEC examination handbooks regarding e-banking[2] and information security[3]. (This all began with 12CFR30B[4][5].)

Are you familiar with reading federal regulator-ese? They do not ever come out and make blanket statements such as use XYZ, ensure X-bit keys and so on. The entire process is based on the bank's and the examiner's interpretation of the bank's risk profile. If you are interested in learning more about this, reading some of the banking industry press coverage at the time may be easier to digest.

[1] http://www.ffiec.gov/bsa_aml_infobase/documents/new_5_2007/O...

[2] http://ithandbook.ffiec.gov/it-booklets/e-banking.aspx

[3] http://ithandbook.ffiec.gov/it-booklets/information-security...

[4] http://ithandbook.ffiec.gov/media/21989/occ-12cfr30-safe_sou...

[5] I say 12cfr30b because that is what got the ball rolling for OCC regulated banks and at the time I worked for an OCC regulated bank. Depending on who the regulator (OTS, NCUA, etc.) is, the "ball rolling document" will be different.



