Financial institutions urged to look beyond FFIEC rules

21.11.2006

FFIEC's guidance is mostly aimed at dealing with current threats such as phishing, said Chad Graves, vice president of IT at the Ent Federal Credit Union, in Colorado Springs. Since Oct. 1, the credit union has required its 18,000 members to use a multi-factor authentication process based on technology from Corillian, located in Hillsboro, Ore.

Based on a risk assessment, there appears to be no immediate need to extend that sort of authentication to the transaction level, Graves said. "Right now, our highest risk at the transaction level is an outbound bill pay," he said. But in the future, if the credit union decides to implement electronic clearing house or wire transfer transactions, it will consider transaction controls.

Financial institutions will also need to pay close attention to securing their phone-based transactions, said Gwenn Bezard, research director for the Aite Group, a Boston-based consultancy focused on technology issues in the financial industry. "The way banks authenticate customers through the phone is weak," Bezard said. "Fraudsters will soon start finding it more difficult to compromise online channels, so they will migrate to the phone channel, where the defenses are weaker and the opportunities for social engineering are greater," he said.

Such threats have not become a big issue yet in the financial industry, so there may be a tendency to see FFIEC's guidelines as adequate, Bezard said. "But is it going to be adequate in 12 months, or 18 months? Fraudsters adapt pretty quickly, so they will find new ways to attack. So sooner rather than later these measures are going to become obsolete."