Key highlights of the Guidance include:
- Conducting risk assessments for access and authentication to digital banking and information systems;
- Identification of all users and customers for which access and authentication controls are required, including those who may warrant enhanced authentication controls, such as multi-factor authentication;
- Periodic evaluation of access and authentication controls;
- Implementation of layered security to prevent unauthorized access;
- Monitoring, logging, and reporting of activities to identify and trace unauthorized access;
- Identification of risks from email systems, Internet access, customer call centers, and internal IT help desks, and implementing mitigating controls to address such risks;
- Identification of risks from customer-permissioned entities accessing information systems, and implementing mitigating controls regarding same;
- Maintaining awareness of and education on authentication risks for users and customers;
- Verification of the identity of users and customers.
Financial institutions considering updating their practices in light of this new Guidance may consider the following steps:
- Reviewing existing risk management policies and procedures to ensure proper inventories of devices, systems, software, digital banking services, users, and customers. Customers involved in high-risk financial transactions and users involved in high-risk activities may be assessed for additional or enhanced authentication controls.
- Identifying threats with reasonable probability of impacting systems, data, or user/customer accounts, as well as reviewing actual or attempted incidents of security breaches, identity theft, or fraud.
- Assessing adoption and implementation of layered security measures, such as multi-factor authentication, user time-out, network segmentation, monitoring, and transaction amount limits.
- Reviewing monitoring, logging, and reporting processes and controls.
- With regard to email systems and Internet use, assessing implementation of secure configurations, multi-factor authentication, remote access controls, education and training of users, and software patches; reviewing implementation of software vendor and service provider controls for outsourced services; blocking browser pop-ups and redirects; and limiting the execution of scripting languages.
- Ensuring training of customer call center staff and IT help desk representatives to avoid social engineering techniques in resetting passwords or providing any other credentials.
- Updating customer awareness programs to guard against the latest phishing, social engineering, or other fraudulent activity, including confirmation of legitimacy of communications issued by the financial institution.
- Reviewing customer identity verification measures and considering implementation of methods focused on detecting fraudulent activities, such as impersonation, and avoiding dependence on knowledge-based questions to verify identity.
Potential Legal Issues
When considering the above measures, financial institutions should also consult with legal counsel to assess the potential legal implications associated with implementing changes to access and authentication procedures. Some of these issues may include:
- Directing an updated risk assessment, with third-party vendors, of the impact of new measures on the financial institution's risk profile;
- Updating the financial institution's information security plan and/or incident response plan as required, including revising and updating table-top simulations and other plan testing measures;
- Notifying relevant insurance carriers as necessary;
- Reviewing third-party or vendor contracts to assess the impact of the adoption of new measures on performance, notification, or other contractual obligations;
- Documenting and retaining records related to training, customer awareness, and other risk-communication materials;
- Communicating with customers regarding new authentication requirements; and
- Ensuring consistency of the description of security risks to customers in customer awareness programs to avoid compliance risks.