FFIEC Issues Guidance on Authentication and Access to Financial Institution Services and Systems

Troutman Pepper

On August 11, the Federal Financial Institutions Examination Council (FFIEC) issued guidance, titled “Authentication and Access to Financial Institution Services and Systems,” which provides financial institutions with examples of effective authentication and access risk management principles and practices for customers (both business and consumer), employees, and third parties accessing digital banking services and information systems.

The FFIEC — whose voting members include representatives from the FDIC, the NCUA, the OCC, the CFPB, the Federal Reserve Board, and the State Liaison Committee — issued the guidance as an update to its prior guidance from 2005 and 2011, which provided financial institutions with risk management practices for offering internet-based products and services. The FFIEC noted two changes over the last decade that prompted this update: (1) the current cybersecurity threat landscape, which has increased the need for effective customer authentication, and (2) the expansion of authentication considerations beyond customers to employees, third parties, and system-to-system communications.

The guidance focuses on the following key practices in developing and maintaining an effective authentication program:

  • Conducting a risk assessment for access and authentication to digital banking and information systems, which might include inventories of information systems, digital banking systems, customers, and transactions.
  • Identifying all users and customers for which authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as multifactor authentication (MFA).
  • Periodically evaluating the effectiveness of user and customer authentication controls.
  • Implementing layered security, which could include MFA or user time-out mechanisms to protect against unauthorized access.
  • Monitoring, logging, and reporting activities to identify and track unauthorized access.
  • Identifying risks from, and implementing mitigating controls for, email systems, internet access, customer call centers, and internal IT help desks.
  • Identifying risks from, and implementing mitigating controls for, a data aggregator or customer-permissioned entity’s (CPE) access to a financial institution’s information systems.
  • Developing and maintaining user and customer awareness and education programs on authentication risks.
  • Verifying the identity of users and customers and detecting fraudulent activities, such as synthetic identities and instances of impersonation.

The guidance notes that an effective authentication program can support identity theft prevention programs developed in compliance with the Red Flags Rule, as well as customer identification programs developed to comply with the USA PATRIOT Act.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
