FFIEC issues updated guidance on authentication and access

Ballard Spahr LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ballard Spahr LLP

The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled, “Authentication and Access to Financial Institution Services and Systems” (Guidance.)  The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.

The Guidance contains risk management principles and practices that can support a financial institution’s authentication of (1) users accessing the financial institution’s information systems, including employees, board members, third parties, service accounts, application, and devices (collectively, users) and (2) business and consumer customers (collectively, customers) authorized to access digital banking services.  The Guidance, which replaces previously issued 2005 and 2011 FFIEC guidance, is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific security framework or standard.  However, the Guidance is applicable not only to financial institutions, but also applies to any third party service provider acting on a financial institution’s behalf.

The Guidance begins with a discussion of the “threat landscape” faced by financial institutions.  It observes that the evolution of new technologies and broadly-used access points has expanded the system entry or access points through which an attacker can compromise a financial institution.  It also observes that certain authentication controls that were previously effective no longer provide a sufficient defense against evolving and increasingly sophisticated methods of attack.

The other topics addressed by the Guidance are:

  • Risk assessment to determine appropriate authentication techniques and access management practices, including examples of effective risk assessment practices
  • Layered security controls
  • Multi-factor authentication as part of layered security
  • Monitoring, activity logging, and reporting processes and controls
  • Email systems and internet browsers
  • Call center and IT help desk authentication
  • Data aggregators and other customer-permissioned entities providing services to customers
  • User and customer awareness and education

The Guidance includes an Appendix that lists examples of practices or controls related to access management, authentication, and supporting controls.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide