The Feds and identity theft
The main purpose of the FDIC (Federal Deposit Insurance Corporation), at least as far as consumers are concerned, has always been the protection and insurance of savings. In simple terms, if a bank were to go bust, its customers would still get their money back. But bankruptcy is not the only concern that should keep consumers alert. In today’s world, banks are getting increasingly concerned about the physical theft of confidential client data by insiders or impostors. The FDIC is taking steps to protect consumers from identity theft — in particular, by persuading financial organizations to keep beefing up their security.
Working with other federal regulators, for example, the FDIC proposed a number of actions against identity theft that it recommended banks, credit unions, and other financial organizations implement by the end of 2006.
Those recommendations included:
- Making sure financial institutions have fraud detection processes in place to detect bank fraud and identity theft, especially for online banking activities (seems like a no-brainer to me).
- Going beyond simply using passwords as a way for users to identify themselves (this is too easy — maybe I should go work for the FDIC). Suggestions included everything from more challenging security questions (like — believe it or not — “What’s your dog sitter’s cousin’s therapist’s mother’s maiden name?”) to the use of electronic tokens.
As I hope you’ve experienced, many financial institutions have started using better identification systems to protect their consumers against identity theft fraud. For example, your bank or credit union probably uses one of those image-based verification systems — ones that require you to confirm the answer to a very specific and personalized question that only you can answer.
And while the FDIC recommends that banks notify customers whenever they introduce new verification or authentication technologies, they’re not required to. In fact, financial institutions are not required to adopt any of these recommendations for identity theft policy because they’re exactly that — only recommendations.
What’s even scarier? More than 17 years ago, I was working on security projects throughout Europe that involved offering bank customers both authentication and verification options to prevent identity theft fraud — like, for example, tokens and even voice recognition — to provide protection for online bank accounts.
So why is it taking so long for American financial institutions to get the message? And why does it seem like all their efforts are more about “gentle persuasion” instead of more rigorous mandates and enforcement? Makes you wonder whose side the FDIC is really on, doesn’t it?


