The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance sets forth risk management principles and practices that can support a financial institution’s authentication of users accessing its information systems, including employees, board members, third parties, service accounts, applications, and devices, as well as consumer and business customers authorized to access digital banking services. How these principles and practices are applied may vary across financial institutions according to their operational and technological complexity, risk assessments, and risk appetites and tolerances.
The guidance replaces the FFIEC members’ 2005 guidance titled “Authentication in an Internet Banking Environment” and 2011 guidance titled “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are the OCC Bulletin 2005-35 titled “Authentication in an Internet Banking Environment: Interagency Guidance” and the OCC Bulletin 2011-26 titled “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively. The guidance:
- highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities.
- recognizes the importance of a financial institution’s risk assessment in determining appropriate access and authentication practices for the wide range of users accessing financial institution systems and services.
- supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
- discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
- includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.
The Appendix to the guidance presents examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.
Keywords: Americas, US, Banking, Authentication, Community Banks, Cyber Risk, Operational Risk, Internal Controls, Technology Risk, Third-Party Risk, Digital Banks, Regtech, OCC, FFIEC