FFIEC Updates Guidelines to Financial Institutions for Authentication and Access | Cozen O’Connor


The Federal Financial Institutions Examination Council (FFIEC), an interagency body of major financial regulators including the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, recently issued updated guidance for financial institutions on recommended practices for authentication to information systems and for access management controls. Titled Authentication and Access to Financial Institution Services and Systems (available here), it replaces the previous FFIEC guidance, Authentication in an Internet Banking Environment (2005), and its Supplement to Authentication in an Internet Banking Environment (2011).

The 2005 guidance focused exclusively on authenticating customers to online banking systems. It stressed that financial institutions should use authentication methods commensurate with the risks associated with the products and services offered. It also stated that regulators did not consider single-factor authentication adequate for high-risk transactions, which it described as transactions involving access to customer information or the movement of funds to other parties. The 2005 guidance also provided that financial institutions should adjust their controls based on their periodic risk assessments.

The 2011 guidance aimed to update and expand specific areas of the 2005 guidance, such as risk assessments and layered security. It also established minimum control expectations and identified certain controls that had proven less effective. The 2011 guidance further classified most uses of online banking as high risk, since online banking transactions typically involve access to account information, payment systems, and interbank fund transfers. For retail customers, the 2011 guidance recommended layered security controls. Layered security is the use of different controls, such as authentication controls, at different points in a system or transaction so that a weakness in one control is compensated for by another. For business customers, it recommended multi-factor authentication in addition to other layered controls.

The 2021 guidance represents the next step in regulators' approach to the subject as the threat environment and IT and security systems have evolved. The new guidance covers authentication in three main areas. First, as in the previous guidance, it addresses both business and retail customers using online banking systems. Second, it extends its reach to users, such as employees, board members, and service providers, who access a financial institution's internal IT systems. Third, the 2021 guidance addresses the authentication of service accounts, applications, and devices on a financial institution's network.

The new guidance takes a more nuanced approach to high-risk situations. The previous guidance focused on high-risk transactions, that is, transactions involving access to customer information or the movement of funds to other parties. In practice, this made virtually all use of online banking services high risk. The new guidance provides that financial institutions must identify customers engaged in high-risk transactions, which it now describes as transactions with a higher risk of financial loss or potential information breach for which enhanced authentication controls are warranted. Factors that identify high-risk transactions include the dollar amount and volume of transactions, the sensitivity and amount of information accessed, the finality of the transaction, and the likelihood and impact of fraud. The 2021 guidance also introduces the concept of high-risk users who may warrant additional controls. When identifying high-risk users, financial institutions should consider a user's access to critical systems and data, privileged users such as security administrators, remote access to systems, and users in key positions such as senior management.

Topics covered by the 2021 guidance include:

  • perform a risk assessment for accessing and authenticating digital banking and information systems;
  • identify all users and clients for whom authentication and access controls are required;
  • identify customers involved in high-risk transactions that warrant enhanced authentication controls, such as multi-factor authentication;
  • identify high-risk users who warrant enhanced authentication controls, such as multi-factor authentication;
  • periodically assess the effectiveness of authentication controls;
  • implement layered security to protect against unauthorized access;
  • log, monitor, and report activity to identify and track unauthorized access;
  • identify and mitigate risks associated with messaging systems, Internet access (such as risks associated with unrestricted or unattended Internet use on financial institutions’ computers), customer call centers and computer support services;
  • identify and mitigate the risks associated with access by an entity authorized by the client (that is, a third party authorized by a client to access electronic account information) to the information systems of a financial institution;
  • maintain awareness and education programs on authentication risks for users and customers; and
  • verify the identity of users and customers.

The guidance also includes a list of specific authentication and access management controls that financial institutions should consider, such as device-based public key authentication, one-time passwords, and rate limits on login attempts. However, the FFIEC cautions that the effectiveness of each control may change over time as the threat landscape evolves, so the controls employed must be reassessed periodically as part of the institution's ongoing risk assessments.
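As an added illustration of two of those controls (this is not text from the FFIEC guidance or code from any institution), the following Python sketches a risk-tiering decision that steps up to multi-factor authentication using the transaction factors (amount, volume, sensitivity, finality, fraud likelihood) and high-risk-user factors (privilege, critical-system access, remote access, key position) described above, alongside a sliding-window rate limit on failed login attempts. The weights, thresholds, sample transactions, and the assumption that a fraud-model score is available are all constructed for the example.

```python
"""Risk-based step-up authentication and login rate limiting (illustrative)."""
from collections import deque
from dataclasses import dataclass
from enum import Enum
import time


class Assurance(Enum):
    """Authentication strength to demand before the action proceeds."""
    PASSWORD = 1         # single factor: acceptable only for low-risk activity
    MFA = 2              # password plus a second factor (OTP, device-bound key)
    MFA_AND_REVIEW = 3   # MFA plus out-of-band confirmation or analyst review


@dataclass(frozen=True)
class Transaction:
    amount: float                  # dollar amount
    prior_count_today: int         # transfers already made today (volume)
    touches_sensitive_data: bool   # full account numbers, tax IDs, etc.
    irrevocable: bool              # finality: a wire vs. a reversible transfer
    fraud_likelihood: float        # 0.0-1.0, assumed to come from a fraud model


@dataclass(frozen=True)
class User:
    privileged: bool               # security or system administrator
    critical_system_access: bool   # core banking, customer data stores
    remote: bool                   # connecting from outside the institution's network
    key_position: bool             # senior management, treasury staff


def transaction_risk(tx: Transaction) -> int:
    """Score a transaction on the factors the guidance lists; weights are constructed."""
    score = 0
    if tx.amount >= 10_000:
        score += 3
    elif tx.amount >= 1_000:
        score += 1
    if tx.prior_count_today >= 5:
        score += 1
    if tx.touches_sensitive_data:
        score += 2
    if tx.irrevocable:
        score += 2
    if tx.fraud_likelihood >= 0.7:
        score += 3
    elif tx.fraud_likelihood >= 0.3:
        score += 1
    return score


def user_risk(user: User) -> int:
    """Score a user on the high-risk-user factors; weights are constructed."""
    return (2 * user.privileged + 2 * user.critical_system_access
            + user.remote + user.key_position)


def required_assurance(tx: Transaction, user: User) -> Assurance:
    """Map the combined transaction and user risk to the authentication strength to enforce."""
    total = transaction_risk(tx) + user_risk(user)
    if total >= 7:
        return Assurance.MFA_AND_REVIEW
    if total >= 3:
        return Assurance.MFA
    return Assurance.PASSWORD


class LoginRateLimiter:
    """Sliding-window limit on failed login attempts per key (account or source address)."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                 # injectable so the behaviour is testable
        self._failures = {}                # key -> deque of failure timestamps

    def _prune(self, key):
        """Drop failures older than the window and return the live deque."""
        q = self._failures.setdefault(key, deque())
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def record_failure(self, key):
        """Call after a failed password or OTP check."""
        self._prune(key).append(self.clock())

    def record_success(self, key):
        """A successful login clears the counter for that key."""
        self._failures.pop(key, None)

    def is_locked(self, key) -> bool:
        """True when further attempts for this key should be refused (and logged)."""
        return len(self._prune(key)) >= self.max_failures


if __name__ == "__main__":
    # Constructed sample data: a retail customer and a remote administrator.
    retail = User(privileged=False, critical_system_access=False, remote=True, key_position=False)
    admin = User(privileged=True, critical_system_access=True, remote=True, key_position=False)
    balance_check = Transaction(25.0, 0, False, False, 0.05)
    wire = Transaction(50_000.0, 1, True, True, 0.4)
    print(required_assurance(balance_check, retail))   # Assurance.PASSWORD
    print(required_assurance(balance_check, admin))    # Assurance.MFA (high-risk user)
    print(required_assurance(wire, retail))            # Assurance.MFA_AND_REVIEW
```

The point of scoring the user separately from the transaction is the one the 2021 guidance adds: the same low-value action demands MFA when the actor is a remote privileged administrator, even though the transaction itself is benign. The rate limiter keys on whatever the institution chooses (account, source address, or both); a lockout should also feed the logging and monitoring process the guidance calls for.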

How the guidance applies will vary with each financial institution's operational complexity, technological capabilities, risk assessments, and risk tolerance. Financial services clients should begin assessing whether their current authentication frameworks comply with the new FFIEC guidance.
