On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance, titled “Authentication and Access to Financial Institution Services and Systems” (“Guidance”), which provides examples of effective authentication and access risk management principles and practices for financial institutions. The principles and practices relate to access to digital banking services and information systems by customers (consumer and business), employees, third parties, apps, and devices.
The Guidance from the FFIEC, whose members include representatives from the federal banking agencies and the CFPB, replaces two earlier FFIEC guidance documents: (1) Authentication in an Internet Banking Environment, issued in 2005, and (2) Supplement to Authentication in an Internet Banking Environment, issued in 2011. Both the 2005 and 2011 guidance provided risk management practices for financial institutions offering internet-based products and services. The updated Guidance comes at a time of heightened regulatory scrutiny regarding cybersecurity and the potential impact on the country’s financial sector. The Guidance acknowledges the emerging cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate customers, as well as the expansion of authentication considerations beyond customers to include employees, third parties, and system-to-system communications.
Among other things, the Guidance:
- Highlights the cybersecurity threat environment, including remote access by customers and users, attacks that leverage compromised credentials, and risks from push payment capabilities;
- Recognizes the importance of a financial institution’s risk assessment to determine appropriate user access and authentication practices;
- Supports financial institution adoption of layered security; and
- Addresses how multi-factor authentication or similar controls can mitigate risks more effectively than single-factor authentication.
An Appendix to the Guidance provides examples of practices or controls related to access management and authentication, as well as a list of resources to assist financial institutions with authentication and access management.
Particularly noteworthy, the FFIEC indicates that the Guidance is neither an endorsement nor a “comprehensive framework” for any specific information security identity and access program. In addition, according to the FFIEC, the Guidance is intended to apply not only to financial institutions, but also to any third party acting on behalf of a financial institution that provides the accessed information systems and authentication controls. These FFIEC positions are not surprising in light of (1) the myriad of information security standards in use in the market and (2) financial institutions’ use of, and partnership with, third parties (e.g., data aggregators) to provide authentication and access services. Fintechs working with financial institutions should expect a push down of enhanced authentication and access requirements.
 The Guidance also comes at a time of increased scrutiny on authentication practices from the federal banking agencies. For example, the Federal Reserve recently started a series of research briefs on authentication fraud, with a particular focus on the payments landscape.