Featured Product

    FFIEC Issues Guidance on Authentication and Access Risk Management

    August 11, 2021

    The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance sets forth risk management principles and practices that can support a financial institution’s authentication of users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices and consumer and business customers authorized to access digital banking services. The application of these principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.

    The guidance replaces the FFIEC members’ 2005 guidance titled “Authentication in an Internet Banking Environment” and 2011 guidance titled “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are the OCC Bulletin 2005-35 titled “Authentication in an Internet Banking Environment: Interagency Guidance” and the OCC Bulletin 2011-26 titled “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively. The guidance:

    • highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities.
    • recognizes the importance of a financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
    • supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
    • discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
    • includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.

    The Appendix to the guidance presents examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.

     

    Related Links

    Keywords: Americas, US, Banking, Authentication, Community Banks, Cyber Risk, Operational Risk, Internal Controls, Technology Risk, Third-Party Risk, Digital Banks, Regtech, OCC, FFIEC

    Related Articles
    News

    APRA Issues Interim Update to Policy Priorities for 2021 and Beyond

    In a letter addressed to the industry, the Australian Prudential Regulation Authority (APRA) set out an updated schedule of policy priorities for the banking, insurance, and superannuation industries.

    September 24, 2021 WebPage Regulatory News
    News

    EC Adopts Solvency II and Resolution Rules Package for Insurers

    The European Commission (EC) adopted a comprehensive review package of Solvency II rules in the European Union.

    September 22, 2021 WebPage Regulatory News
    News

    OCC Issues Booklets on Regulatory Reporting and Earnings

    The Office of the Comptroller of the Currency (OCC) issued Versions 1.0 of the "Earnings" and "Regulatory Reporting" booklets of the Comptroller's Handbook.

    September 22, 2021 WebPage Regulatory News
    News

    ECB Sets Out Results of Economy-Wide Climate Stress Tests

    The European Central Bank (ECB) published results of its economy-wide climate stress test, which aimed to assess the resilience of non-financial corporates and euro area banks to climate risks.

    September 22, 2021 WebPage Regulatory News
    News

    EBA Examines Implications of Increasing Use of Digital Platforms in EU

    The European Banking Authority (EBA) published a report on the use of digital platforms in the banking and payments sector in European Union.

    September 21, 2021 WebPage Regulatory News
    News

    HKMA Issues Updates on Policy Measures Intended to Ease COVID Impact

    The Hong Kong Monetary Authority (HKMA) published updates on the policy measures that were announced in context of the ongoing pandemic.

    September 21, 2021 WebPage Regulatory News
    News

    ISDA Responds to BCBS Proposal on Treatment of Cryptoasset Exposures

    The International Swaps and Derivatives Association (ISDA), along with several other associations, submitted a joint response to the Basel Committee on Banking Supervision (BCBS) consultation on preliminary proposals for the prudential treatment of cryptoasset exposures.

    September 21, 2021 WebPage Regulatory News
    News

    BIS Quarterly Review Discusses Developments in Fintech and ESG Space

    BIS published the September issue of the Quarterly Review, which contains special features that analyze the rapid rise in equity funding for financial technology firms, the effectiveness of policy measures in response to pandemic, and the evolution of international banking.

    September 20, 2021 WebPage Regulatory News
    News

    BCBS to Consult on Supervisory Practices for Climate Risks by Year-End

    The Basel Committee for Banking Supervision (BCBS) met in September 2021 and reviewed climate-related financial risks, discussed impact of digitalization, and welcomed efforts by the International Financial Reporting Standards (IFRS) Foundation to develop a common set of sustainability reporting standards

    September 20, 2021 WebPage Regulatory News
    News

    OCC Identifies Operational Risk Deficiencies in MUFG Union Bank

    The Office of the Comptroller of the Currency (OCC) issued a Cease and Desist Order against MUFG Union Bank for deficiencies in technology and operational risk governance.

    September 20, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 7494