On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC)1 issued guidance establishing risk management principles and practices to support the authentication of users accessing a financial institution’s information systems and customers accessing a financial institution’s digital banking services (the Guidance). The Guidance is not intended to serve as a comprehensive framework but rather provides financial institutions with examples of effective risk management practices without endorsing any specific information security framework or standard.
The Guidance replaces prior FFIEC-issued guidance on risk management practices for financial institutions offering internet-based products: “Authentication in an Internet Banking Environment” (2005) and the “Supplement to Authentication in an Internet Banking Environment” (2011). The 2005 guidance replaced a 2001 version of the same document. Thus, the Guidance is the fourth iteration of the FFIEC’s views on measures to address authentication and access risk, and it reinforces the need for financial institutions to implement adequate risk management approaches to protect information systems, accounts, and data in light of the burgeoning cybersecurity risks and the evolution of technology. Additionally, the Guidance extends the scope of the FFIEC’s considerations on authentication beyond customers to include employees, third parties, and system-to-system communications.
The Guidance concludes that single-factor authentication no longer provides adequate protection against evolving and increasingly sophisticated methods of attack if used alone or even when used in combination with layered security for customers in “high-risk transactions” and for “high-risk users.” The Guidance does not define these terms. It indicates that elements that a financial institution should consider in identifying high-risk transactions include “the dollar amount and volume of transactions, the sensitivity and amount of information accessed, the irrevocability of the transaction, and the likelihood and impact of fraud,” and elements that a financial institution should consider when identifying high-risk users include “access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management.” The Guidance explains that when single-factor authentication with layered security is inadequate, multifactor authentication or controls of equivalent strength as part of layered security can more effectively mitigate risks.
The Guidance stresses the importance of a financial institution’s performing a risk assessment, both before implementing a new financial service and periodically, as a useful tool for identifying threats and to determine when authentication controls are deemed ineffective. In this regard, the Guidance highlights in particular the expectation that an updated risk assessment and risk management program be adopted in connection with the implementation of a “faster payments” service. The Guidance identifies the following examples of effective risk assessment practices:
- inventory of information systems
- inventory of digital banking services and customers
- identification of customers engaged in high-risk transactions
- identification of users (including employees, service accounts, and third parties accessing the institution’s system and data)
- identification of high-risk users
- identification of threats with reasonable probability of affecting the institution’s systems, data, and accounts, including a review of actual or attempted incidents
- control assessment (initially and periodically, including the analysis of more advanced security options available)
The appendix to the Guidance provides examples of controls and practices to manage the specific risk associated with each one of these activities. The Guidance also emphasizes the importance of monitoring, activity logging, and reporting processes in (i) assisting a financial institution’s management, (ii) determining unauthorized access to information systems, and (iii) facilitating timely response and the investigation of unauthorized or unusual activity. The appendix provides several examples of good monitoring, logging, and reporting practices.
The FFIEC notes that the practices and controls identified in the Guidance’s body and appendix are provided as a reference and do not represent an all-inclusive list of practices or controls or a comprehensive information security program. The application of the risk management principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.
1 The Federal Financial Institutions Examination Council is a U.S. government interagency body, composed of representatives from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee.