The Federal Financial Institutions Examination Council released new Internet security guidelines in October 2005 requiring banks with an Internet presence to examine risks of fraud and miause of customer information, and take steps to mitigate that risk. Those assessments and security protocols are supposed to be in place by the end of this year.

And while several large banks that operate in Nevada say they have already rolled out new security features that meet the FFIEC guidelines, one analyst predicts that won't be the case for every bank.

"I think, actually, a majority of banks are going to have a problem meeting the deadline," said George Tubin, a senior analyst specializing in Internet banking for TowerGroup Delivery Channel. "I think a lot of banks are still a little bit confused on exactly what is being required ...

"The largest banks will have fully complied with the guidance or will be extremely close to doing so."

Tubin said the risk assessment portion of the guidance is a key component.

Once banks have identified all the ways customers - or hackers - can access personal information, they must implement technology to protect personal and financial information from criminals.

The hard part is deciding how.

For many banks, dual authentication systems are the choice.

Business Bank of Nevada announced last month that it has implemented a multi-factor authentication security system for its "Always On Banking" Internet site.

"The whole idea is to make it more difficult for hackers ... to get into the Web site and take your information," said Larry Charleton, chief financial officer of Business Bank. "We're proud to be able to do it to protect our customers and we recognize the risk that exists, unfortunately, in the electronic world today."

And with global fraud loses for the financial services industry estimated at $50 billion a year, 10 million Americans were victims of identity theft fraud schemes and 2 million Internet users were victim of some kind of account hijacking, according to Fidelity National Information Services.

Tubin said many banks will eventually implement technologies that go beyond the FFIEC requirements.

"When someone wants to log onto their online banking account, they use a username and password," which can easily be stolen, Tubin said. "So it's appalling that that's all banks require for people to log onto online banking."

But he said it's also important to banks to implement technology that doesn't make the site cumbersome for customers to use.

Business Bank opted to contract with California-based PassMark Security, the same company used by Bank of America.

For Business Bank, the technology uses randomly selected images and challenge questions, and identifies the user by his or her IP or MAC address as well as a username and password.

Bank of America's site uses a SiteKey, an image along with a short phrase and three challenge questions.

BofA rolled out the security measures in June 2005, before the FFIEC guidance was released. The features were introduced in Las Vegas in August 2005.

Deployment was complete for its more than 20 million Internet banking customers by early 2006, according to Betty Reiss, a BofA spokeswoman.

And Reiss said that although BofA is in compliance with the FFIEC guidlines, the company considers account security to be an ongoing process. She said the bank will continue to roll out additional security features.

Both BofA and Business Bank representatives said customers appreciate the new security features.

Jim Smith, executive vice president of Internet channel and products for Wells Fargo, said his company also uses a layered approach to keep customer data safe.

Wells Fargo also watches patterns of use for each online account to look for abnormal usage, as well as where users sign in.

But perhaps most importantly, said Smith, Wells Fargo watches what criminals are doing.

"We're trying to stay two steps ahead of them and keep our customers safe and secure," Smith said.

Wells Fargo uses Server Gated Crypto with 128-bit encryption for both its public and private sites.

"It's the right thing to do for our customers," he said.

Business Bank and Wells Fargo also have added layers of protection for high-risk transactions and customers.

Accounts that perform wire and ACH transfers also require one-time password generation devices.

At Wells Fargo the service has been available in some form since 2000, and Business Bank rolled out password generating tokens for customers of its online cash management system, "Always On Cash Management" last month.

Business Bank has about 100 customers who perform large wire transfers online, and for those customers a token smaller than a pager will produce a one-time-use code when they enter their password into the site, which also recognizes the user's location.

While most large banks have already rolled out their new security features, those that haven't may face visits from auditors in 2007.

Tubin, the TowerGroup analyst, said he thinks auditors that find progress toward a completed risk assessment and upgraded security features are likely to avoid serious, but yet-to-be-named penalties.

But for those banks that haven't moved toward compliance, Tubin said it could eventually affect rates if insurance premiums go up because of non-compliance.

"It's a lot for banks to do. It's not an easy guidance to interpret and implement," Tubin said. "If a bank has been working diligently and likely they will have everything fully implemented early in 2007, chances are the auditor will be fine with that."