FFIEC publishes updated guidelines on authentication and access to services and systems of financial institutions | Sheppard Mullin Richter & Hampton LLP


On August 11, the Federal Financial Institutions Examination Council (FFIEC) released new guidance providing examples of effective risk management principles and practices for authentication and access by customers, employees and third parties to the digital banking services and information systems of financial institutions. The FFIEC – whose voting members include representatives from the FDIC, NCUA, OCC, CFPB, Federal Reserve Board, and State Liaison Committee – released the guidance as an update to its prior guidance issued in 2005 and 2011.

Among other things, the guidance:

  • Highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that exploit compromised credentials, and notes the risks associated with push payment capabilities.
  • Recognizes the importance of a financial institution's risk assessment in determining appropriate access and authentication practices for the broad range of users accessing its systems and services.
  • Supports financial institution adoption of layered security and highlights the weaknesses of single-factor authentication.
  • Explains how multi-factor authentication, or controls of equivalent strength, can more effectively mitigate risk.
  • Includes examples of authentication controls and a list of government and industry resources and references to help financial institutions manage authentication and access.

According to the FFIEC, the guidance does not constitute an endorsement of, or an “overarching framework” for, any specific identity and access management or information security program, and it is intended to apply not only to financial institutions but also to any third party acting on behalf of a financial institution that provides access to information systems and authentication controls.

Putting it into practice: Financial institutions and their third parties would be well served to review their controls and procedures, including the risk management practices that support oversight of identification and authentication, how the effectiveness of user and customer authentication controls is periodically assessed, and what processes are in place to monitor, log and report activity in order to identify and track unauthorized access.
