Featured Product

    FFIEC Issues Guidance on Authentication and Access Risk Management

    August 11, 2021

    The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance sets forth risk management principles and practices that can support a financial institution’s authentication of users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices and consumer and business customers authorized to access digital banking services. The application of these principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.

    The guidance replaces the FFIEC members’ 2005 guidance titled “Authentication in an Internet Banking Environment” and 2011 guidance titled “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are the OCC Bulletin 2005-35 titled “Authentication in an Internet Banking Environment: Interagency Guidance” and the OCC Bulletin 2011-26 titled “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively. The guidance:

    • highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities.
    • recognizes the importance of a financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
    • supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
    • discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
    • includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.

    The Appendix to the guidance presents examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.

     

    Related Links

    Keywords: Americas, US, Banking, Authentication, Community Banks, Cyber Risk, Operational Risk, Internal Controls, Technology Risk, Third-Party Risk, Digital Banks, Regtech, OCC, FFIEC

    Related Articles
    News

    EBA Proposes Standards for IRRBB Reporting Under Basel Framework

    The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.

    January 31, 2023 WebPage Regulatory News
    News

    FED Issues Further Details on Pilot Climate Scenario Analysis Exercise

    The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.

    January 17, 2023 WebPage Regulatory News
    News

    US Agencies Issue Several Regulatory and Reporting Updates

    The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.

    January 04, 2023 WebPage Regulatory News
    News

    ECB Issues Multiple Reports and Regulatory Updates for Banks

    The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.

    January 01, 2023 WebPage Regulatory News
    News

    HKMA Keeps List of D-SIBs Unchanged, Makes Other Announcements

    The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.

    December 30, 2022 WebPage Regulatory News
    News

    EU Issues FAQs on Taxonomy Regulation, Rules Under CRD, FICOD and SFDR

    The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.

    December 29, 2022 WebPage Regulatory News
    News

    CBIRC Revises Measures on Corporate Governance Supervision

    The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.

    December 29, 2022 WebPage Regulatory News
    News

    HKMA Publications Address Sustainability Issues in Financial Sector

    The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.

    December 23, 2022 WebPage Regulatory News
    News

    EBA Updates Address Basel and NPL Requirements for Banks

    The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.

    December 22, 2022 WebPage Regulatory News
    News

    ESMA Publishes 2022 ESEF XBRL Taxonomy and Conformance Suite

    The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.

    December 22, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8699