The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance sets forth risk management principles and practices that can support a financial institution’s authentication of users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices and consumer and business customers authorized to access digital banking services. The application of these principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.
The guidance replaces the FFIEC members’ 2005 guidance titled “Authentication in an Internet Banking Environment” and 2011 guidance titled “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are the OCC Bulletin 2005-35 titled “Authentication in an Internet Banking Environment: Interagency Guidance” and the OCC Bulletin 2011-26 titled “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively. The guidance:
- highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities.
- recognizes the importance of a financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
- supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
- discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
- includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.
The Appendix to the guidance presents examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.
Keywords: Americas, US, Banking, Authentication, Community Banks, Cyber Risk, Operational Risk, Internal Controls, Technology Risk, Third-Party Risk, Digital Banks, Regtech, OCC, FFIEC
Previous ArticleIFRS Outlines Work Priorities, Establishes Montreal Center of ISSB
Next ArticleUS Agencies Review Credit Risk at National Level
The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.
The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.
The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.
The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.
The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.
The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.
The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.
The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.
The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.
The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.