Revised guidance on effective authentication and access risk management principles and practices related to digital banking services and information systems was issued Wednesday by the umbrella Federal Financial Institutions Examination Council (FFIEC).
The guidance replaces that issued in 2005 and 2011 on Internet-based services, focusing not only on customer access but also access by employees and third parties, the council said.
“This Guidance acknowledges significant risks associated with the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts, and data,” states the introductory portion of the guidance document. “The Guidance also recognizes that authentication considerations have extended beyond customers and include employees, third parties, and system-to-system communications.”
The council said the guidance:
- Highlights the current cybersecurity threat environment including increased remote access by customers and users, and attacks that leverage compromised credentials; and mentions the risks arising from push payment capabilities.
- Recognizes the importance of the financial institution’s risk assessment in determining appropriate access and authentication practices for the wide range of users accessing financial institution systems and services.
- Supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
- Discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
- Includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.
The FFIEC guidance was issued on behalf of council members, which include a member of the Federal Reserve Board; the chairman of the Federal Deposit Insurance Corp. (FDIC); the chairman of the National Credit Union Administration (NCUA); the comptroller (currently “acting”) at the Office of the Comptroller of the Currency (OCC); the director (also “acting”) of the Consumer Financial Protection Bureau (CFPB); and the chairman of the State Liaison Committee.
FFIEC Issues Guidance on Authentication and Access to Financial Institution Services and Systems