I know I should know this but at the moment....it's just not coming to me!

Is there a regulation stating what requirements must be met for Online banking procedures involving the password expiration? We have ours set to expire every 90 days but have double authentication in place with security questions. So do we really need to have the password expiration? Some banks don't require it so I am trying to figure out why ours was set up that way....filling in the shoes of someone before me.

Would appreciate hearing from anyone as I need to bring this up to the Officer's and then Directors if we want to change it and realize the risk involved to our customers.

Thanks!

I use three banks, one small community bank, one large national bank, and one online only bank.

None of the three mandate password changes for online banking.

Ours expire every 180 days.

FFIEC guidance tells you your password needs to change periodically, 90 days, but there is no such requirement for your customers. You may opt to impose one.

Two schools of thought are that it may prompt the sticky note on the monitor with the password, and it may upset your customer, BUT it certainly makes it safer for online banking. Educating your customer as to why this is so may make it more palatable. I also think it will force them to have a different IB password than they use for Facebook. I used to be against such a requirement. After helping write Tech Talk and seeing more breach stories, my opinion has changed. The threat environment is greater than it was a few years ago.

http://www.bankersonline.com/technology/techtalk.html (You can see the current copy here, link to Archives, and the free subscription.)

Our examiners made us put in a password change for our Internet Banking and our telephone banking product. But I don't remember what the timeframe is.

We post a recommendation to change passwords on our On-Line banking site but do not force password changes