The banking agencies have called out cyber threats as a key risk to financial institutions, financial stability, and national security. The rapid and widespread shift to digital and mobile banking over the past two years, combined with the demand for near real-time payments and increasing dependence on third parties such as cloud service providers, has significantly magnified this risk and served as an impetus for the FFIEC’s new guidance. Bank and nonbank depository institutions at the federal and state level should review and update their own processes and controls in light of the authentication and access risk management principles and controls outlined in the guidance.
- New FFIEC guidance highlights authentication and access risk management principles, with a focus on digital banking systems and financial institution information systems; it is not intended to provide a comprehensive risk management framework.
- Risk assessments should guide authentication and access practices across users, services, and systems.
- Practices and controls are expected to evolve as cyber threats evolve; controls applied under a layered security approach allow the severity of security measures to increase with identified levels of risk across users, services, or customers.
The members of the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance on effective authentication and access risk management principles and practices. The guidance is directed toward all customers and users with access to digital banking systems and financial institution information systems, including business and retail customers, employees, third parties, and system-to-system communications.
- Acknowledges significant risks associated with the expanded cybersecurity threat landscape, noting that:
- Authentication risks may arise from i) expanded remote access points, ii) the types of devices and third parties accessing information systems, iii) the use of application programming interfaces (APIs), and iv) increasing connectivity to third parties, such as cloud service providers.
- Certain authentication controls, such as single-factor authentication, may no longer provide sufficient defense.
- Highlights risk management practices to be included as part of an information security program. These practices include:
- Conducting a risk assessment of authentication and access to digital banking and information systems, including inventorying systems, components, services, and customers as well as identifying high-risk transactions, high-risk users, and reasonably probable threats.
- Applying a layered security approach where authentication controls, such as multi-factor authentication, are applied commensurate with the increasing risk associated with a transaction or access.
- Monitoring, logging, and reporting of activities to identify and track attempted or realized unauthorized access.
- Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks.
- Identifying risks from, and implementing mitigating controls for, credential and API-based authentication when customer-permissioned entities’ access a financial institution’s information systems and customer information.
- Maintaining awareness and education (training and testing) programs on authentication risks for users and customers.
- Verifying the identity of users and customers.
A list of practices and controls along with links to additional FFIEC member resources is provided as a reference, with the caveat that the security landscape is continuously evolving, and the effectiveness of the listed practices and controls may change over time. Topics covered include:
- Authentication solutions
- Password controls
- Access and transaction controls
- Customer Call Centers and IT Help Desk controls
- Customer controls
- Transaction logging and monitoring controls
- System access controls for users
- Privileged user controls
- System and network design and architecture controls
- Email systems controls
- Internet browser controls.
The guidance, Authentication, and Access to Financial Institution Services and Systems, is available here.
Note: FFIEC members include the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, National Credit Union Administration, and the State Liaison Committee, which represents the Conference of State Bank Supervisors, the American Council of State Savings Supervisors, and the National Association of State Credit Union Supervisors.