On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance, entitled “Authentication and Access to Financial Institution Services and Systems” (the “Guidance”), which provides examples of effective authentication and access risk management principles and practices for financial institutions. The principles and practices relate to access to digital banking services and information systems by customers (consumers and businesses), employees, third parties, applications and devices.
The Guidance, issued by the FFIEC (whose members include representatives of the federal banking agencies and the CFPB), replaces two previous FFIEC guidance documents: (1) Authentication in an Internet Banking Environment, issued in 2005, and (2) Supplement to Authentication in an Internet Banking Environment, issued in 2011. The 2005 and 2011 guidance documents provided risk management practices for financial institutions offering Internet-based products and services. The updated Guidance comes at a time of heightened regulatory attention to cybersecurity and its potential impact on the country’s financial sector. The Guidance recognizes the evolving cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate customers, as well as the expansion of authentication considerations beyond customers to include employees, third parties, contractors and system-to-system communications.
Among other things, the Guidance:
- Highlights the cybersecurity threat environment, including remote access by customers and users, attacks that exploit compromised credentials, and risks associated with push payment capabilities;
- Recognizes the importance of a financial institution’s risk assessment in determining appropriate user access and authentication practices;
- Supports adoption by financial institutions of layered security; and
- Explains how multi-factor authentication or similar controls can mitigate risk more effectively than single-factor authentication.
An appendix to the Guidance provides examples of practices and controls related to access management and authentication, as well as a list of resources to help financial institutions implement authentication and access management.
Notably, the FFIEC states that the Guidance is neither an endorsement of, nor a “global framework” for, any specific identity and access management or information security program. Further, according to the FFIEC, the Guidance is intended to apply not only to financial institutions, but also to any third party acting on behalf of a financial institution that provides the information systems and authentication controls that users access. These positions of the FFIEC are not surprising in light of (1) the myriad information security standards used in the market and (2) financial institutions’ use of, and partnerships with, third parties (e.g., data aggregators) to provide authentication and access services. Fintechs working with financial institutions should expect enhanced authentication and access requirements to flow down to them.
The Guidance also comes at a time when authentication practices are coming under increasing scrutiny from federal banking regulators. For example, the Federal Reserve recently launched a series of research briefs on authentication fraud, with a particular focus on the payments landscape.