FFIEC Issues Updated Guidance on Authentication and Access to Financial Institution Services and Systems

A.J.S. Dhaliwal, Moorari Shah
Sheppard Mullin Richter & Hampton LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Sheppard Mullin Richter & Hampton LLP

On August 11, the Federal Financial Institutions Examinations Council (FFIEC) issued new guidance, providing examples of effective authentication and access risk management principles and practices for financial institutions.  The principles and practices relate to access to digital banking services and information systems by customers, employees, and third parties accessing digital banking services and financial institution information systems.  The FFIEC — whose voting members include representatives from the FDIC, the NCUA, the OCC, the CFPB, the Federal Reserve Board, and the State Liaison Committee — issued the guidance as an update to prior submissions from 2005 and 2011.

Among other things, the guidance:

  • Highlights the current cybersecurity threat environment including increased remote access by customers and users, and attacks that leverage compromised credentials; and mentions the risks arising from push payment capabilities.
  • Recognizes the importance of the financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
  • Supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
  • Discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
  • Includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.

According to the FFIEC, the guidance is meant as neither an endorsement nor a “comprehensive framework” for any specific information security identity and access program, and is intended to apply not only to financial institutions, but also to any third-party acting on behalf of a financial institution that provides the accessed information systems and authentication controls.

Putting It Into Practice:  Financial institutions and their third-parties would be well-served to review their controls and procedures, including risk management practices that support oversight of identification and authentication, how to periodically evaluate the effectiveness of user and customer authentication controls, and what processes are in place to monitor, log, and report activities to identify and track unauthorized access.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide