5 parts of latest FFIEC guidance on authentication & access to digital banking systems
Last week, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees and third parties accessing digital banking services and information systems.
The five parts of the guidance include:
— Highlights the current cybersecurity threat environment including increased remote access by customers and users and attacks that leverage compromised credentials; and mentions the risks arising from push payment capabilities.
— Recognizes the importance of the financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
— Supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
— Discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
— Includes examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management.
Officials indicated the new guidance replaces previous documents issued in 2005 and 2011.
The FFIEC was established in March 1979 to prescribe uniform principles, standards and report forms and to promote uniformity in the supervision of financial institutions. It also conducts schools for examiners employed by the five federal member agencies represented on the FFIEC and makes those schools available to employees of state agencies that supervise financial institutions.
The council consists of six voting members from the Federal Reserve System, the Federal Deposit Insurance Corp., the Consumer Financial Protection Bureau, the Comptroller of the Currency the National Credit Union Administration, and the chairman of the State Liaison Committee.
The new guidance can be downloaded via this website.