FFIEC issues cyber security guidance to financial institutions

The impact to authentication and access

Tom Nash

Tom Nash

Director, Cyber Security Services, KPMG US

+1 347-443-5833

Bradley Choy

Bradley Choy

Associate Advisory, Cyber Security Services, KPMG US

+1 212-909-5301

FFIEC issues guidance on authentication and access to financial institution services and systems

On August 11, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) issued new guidance on Authentication and Access to Financial Institution Services and Systems1. This new guidance replaces previous guidance issued in 2005 and 2011 as in recent years, high profile financial institutions have fallen victim to sophisticated cyber-attacks as a result of poor access and authentication controls. The implementation of the FFIEC guidance can not only help financial institutions achieve FFIEC compliance, but can also help financial institutions evolve their cyber security capabilities into a leading class organization. The FFIEC framework aims to help financial institutions mitigate risk by providing effective risk management principles and leading practices for access and authentication.

Due to increases in data transfer sophistication, employees do not need to come into a traditional office to access company assets. Companies allow employees to approach company assets through a wide array of SaaS applications, IaaS applications, remote devices, IoT devices, and much more regardless of location. This causes the threat environment to expand as high value data transfers are not occurring within data centers. As a result of the increased threat environment, the attack vector has widened resulting in bad actors gaining access to more entry points the can potentially damage an organization. Attackers often leverage compromised credentials as a result of weak access management and authentication controls to cause damage to an organization by acting as the compromised account and leveraging the compromised credentials to access what the compromised account can access.

Layered security is essential in protecting data for financial institutions since layered security incorporates multiple controls that compensate for the weakness of a single control. The adoption of layered security underscores the weaknesses in single-factor authentication. By using single-factor authentication, attackers can easily compromise accounts via phishing attacks, credential stuffing, spear-phishing attacks and more. Once an attacker gains access, the data breach can expose information and credentials of customers and employees. In order to mitigate the weaknesses in single factor authentication, financial institutions should look to adopt layered security. By combining a password with something you know (pin), something you have (phone), or something you are (biometrics), it makes it much more difficult for an unauthorized attacker to access a target.

In order to assist financial institutions in determining if access has been compromised, monitoring, logging, and reporting of actives should be developed in order to facilitate the response and investigation of unauthorized actives. Logging can promote accountability, and can give financial institutions visibility of all employee’s accesses, give institutions timely responses to unauthorized access, and lets organizations view accounts that may have potentially too much access which may cause a potential breach in security. 

The ability for a financial institution to identify the range of users accessing systems and services is determined by the financial institutions’ ability to identify appropriate access and authentication controls. By performing risk assessments, organizations can identify risks, threats, vulnerabilities, and controls associated with access and authentication, and determine where there are gaps in access controls and authentication. Some risk assessment examples of industry leadingpractices to identify access and authentication controls include (but are not limited to): Inventory of Information Systems, Inventory of Digital Banking Services and Customers, Identify Customers Engaged in High-Risk Transactions, Identify Users, High-Risk User Identification, Threat Identification, and a Controls Assessment. By incorporating these assessments into ongoing cyber risk management programs, organizations can appropriately view their access and authentication landscape, and identify certain authentication and access controls that are ineffective or degraded.

In order to mitigate unauthorized access, KPMG recommends that organizations move to a zero-trust framework as per industry leading standards. A zero-trust framework is an industry leading practice where organizations assume that no device (internal or external) that attempts to access an internal system is trusted. The framework assumes that each request comes from a malicious source, and in order to gain access to a resource, an entity must be fully vetted and authenticated. By implementing a zero-trust framework, the number of opportunities for a hacker to gain access to secure content is greatly reduced. The FFIEC recommends that access and transaction controls be implemented in order to improve access controls. These controls include (but are not limited to): Account Maintenance Controls, Transaction Value, Frequency, and Timing Controls, Rate Limit on Log-in Attempts, Incorrect Log-in Attempts, and Application Timeouts. In order to determine that individuals are correctly authenticated before accessing systems, solutions such as Device-Based Public Key Infrastructure (PKI) Authentication, One Time Passwords (OTP). Behavioral Biometrics Software, and Device Identification and Enrollment can be used to increase authentication controls.


  1. Federal Financial Institutions Examination Council, Authentication and Access to Financial Institution Services and Systems, August 2021