FFIEC publishes guidelines on authentication and access to services and systems of financial institutions


On August 11, the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled “Authentication and Access to Services and Systems of Financial Institutions”, which provides financial institutions with examples of effective authentication and risk management principles and practices for customers (businesses and consumers), employees and third parties accessing digital banking services and information systems.

The FFIEC – whose voting members include representatives from the FDIC, NCUA, OCC, CFPB, Federal Reserve Board, and State Liaison Committee – released the guidance as an update to its earlier 2005 and 2011 guidance, which provided financial institutions with practical risk management practices related to the provision of Internet products and services. The FFIEC noted two changes over the past decade that prompted this update: (1) the current cybersecurity threat landscape, which has created an increased need for effective customer authentication, and (2) the expansion of authentication considerations beyond customers to employees, third parties, and system-to-system communications.

The guidance focuses on the following key practices for developing and maintaining an effective authentication program:

  • Perform a risk assessment of access and authentication to digital banking and information systems, which may include inventories of information systems, digital banking systems, customers and transactions.
  • Identify all users and clients for whom authentication and access controls are required, and identify users and clients who can warrant enhanced authentication controls, such as multi-factor authentication (MFA).
  • Periodically assess the effectiveness of user and client authentication controls.
  • Implement layered security, which could include MFA or user timeout mechanisms to protect against unauthorized access.
  • Monitor, log and report activities to identify and track unauthorized access.
  • Identify risks and implement mitigating controls for messaging systems, Internet access, customer call centers and internal IT support departments.
  • Identify the risks associated with access by a data aggregator or a customer-authorized entity (CPE) to the information systems of a financial institution, and implement mitigating controls for them.
  • Develop and maintain user and customer awareness and education programs on authentication risks.
  • Verify the identity of users and customers and detect fraudulent activity, such as synthetic identities and cases of identity theft.

The guidance notes that an effective authentication program can support identity theft prevention programs developed in accordance with the Red Flags Rule, as well as customer identification programs developed to comply with the USA PATRIOT Act.
