
    FFIEC Issues Guidance on Authentication and Access Risk Management

    August 11, 2021

    The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance sets forth risk management principles and practices that can support a financial institution’s authentication of users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices, as well as consumer and business customers authorized to access digital banking services. The application of these principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.

    The guidance replaces the FFIEC members’ 2005 guidance titled “Authentication in an Internet Banking Environment” and 2011 guidance titled “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are the OCC Bulletin 2005-35 titled “Authentication in an Internet Banking Environment: Interagency Guidance” and the OCC Bulletin 2011-26 titled “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively. The guidance:

    • highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities.
    • recognizes the importance of a financial institution’s risk assessment in determining appropriate access and authentication practices for the wide range of users accessing financial institution systems and services.
    • supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
    • discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
    • includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.

    The Appendix to the guidance presents examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.

     

    Keywords: Americas, US, Banking, Authentication, Community Banks, Cyber Risk, Operational Risk, Internal Controls, Technology Risk, Third-Party Risk, Digital Banks, Regtech, OCC, FFIEC
