FFIEC Issues Updated Guidance On Authentication And Access To Financial Institution Services And Systems

Morrison & Foerster LLP

On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance, titled “Authentication and Access to Financial Institution Services and Systems” (“Guidance”), which provides examples of effective authentication and access risk management principles and practices for financial institutions. The principles and practices relate to access to digital banking services and information systems by customers (consumer and business), employees, third parties, apps, and devices.

The Guidance from the FFIEC, whose members include representatives from the federal banking agencies and the CFPB, replaces two earlier FFIEC guidance documents: (1) Authentication in an Internet Banking Environment, issued in 2005, and (2) Supplement to Authentication in an Internet Banking Environment, issued in 2011. Both the 2005 and 2011 guidance provided risk management practices for financial institutions offering internet-based products and services. The updated Guidance comes at a time of heightened regulatory scrutiny regarding cybersecurity and the potential impact on the country’s financial sector.[1] The Guidance acknowledges the emerging cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate customers, as well as the expansion of authentication considerations beyond customers to include employees, third parties, and system-to-system communications.

Among other things, the Guidance:

  • Highlights the cybersecurity threat environment, including remote access by customers and users, attacks that leverage compromised credentials, and risks from push payment capabilities;
  • Recognizes the importance of a financial institution’s risk assessment to determine appropriate user access and authentication practices;
  • Supports financial institution adoption of layered security; and
  • Addresses how multi-factor authentication or similar controls can mitigate risks more effectively than single-factor authentication.

An Appendix to the Guidance provides examples of practices or controls related to access management and authentication, as well as a list of resources to assist financial institutions with authentication and access management.

Notably, the FFIEC states that the Guidance is neither an endorsement of, nor a “comprehensive framework” for, any specific information security identity and access program. In addition, according to the FFIEC, the Guidance is intended to apply not only to financial institutions but also to any third party that, acting on behalf of a financial institution, provides the accessed information systems and authentication controls. These positions are not surprising in light of (1) the myriad information security standards in use in the market and (2) financial institutions’ use of, and partnership with, third parties (e.g., data aggregators) to provide authentication and access services. Fintechs working with financial institutions should expect these enhanced authentication and access requirements to be pushed down to them.


[1] The Guidance also comes at a time of increased scrutiny on authentication practices from the federal banking agencies. For example, the Federal Reserve recently started a series of research briefs on authentication fraud, with a particular focus on the payments landscape.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP | Attorney Advertising
