Aug 172021

FFIEC Guidance on Authentication and Access to Financial Institution Services and Systems

David E. Teitelbaum, Joel D. Feinberg, Michael D. Lewis and Thomas G. Ward
, , , ,

On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC)1 issued guidance establishing risk management principles and practices to support the authentication of users accessing a financial institution’s information systems and customers accessing a financial institution’s digital banking services (the Guidance). The Guidance is not intended to serve as a comprehensive framework but rather provides financial institutions with examples of effective risk management practices without endorsing any specific information security framework or standard.

The Guidance replaces prior FFIEC-issued guidance on risk management practices for financial institutions offering internet-based products: “Authentication in an Internet Banking Environment” (2005) and the “Supplement to Authentication in an Internet Banking Environment” (2011). The 2005 guidance replaced a 2001 version of the same document. Thus, the Guidance is the fourth iteration of the FFIEC’s views on measures to address authentication and access risk, and it reinforces the need for financial institutions to implement adequate risk management approaches to protect information systems, accounts, and data in light of the burgeoning cybersecurity risks and the evolution of technology. Additionally, the Guidance extends the scope of the FFIEC’s considerations on authentication beyond customers to include employees, third parties, and system-to-system communications.

The Guidance concludes that single-factor authentication no longer provides adequate protection against evolving and increasingly sophisticated methods of attack if used alone or even when used in combination with layered security for customers in “high-risk transactions” and for “high-risk users.” The Guidance does not define these terms. It indicates that elements that a financial institution should consider in identifying high-risk transactions include “the dollar amount and volume of transactions, the sensitivity and amount of information accessed, the irrevocability of the transaction, and the likelihood and impact of fraud,” and elements that a financial institution should consider when identifying high-risk users include “access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management.” The Guidance explains that when single-factor authentication with layered security is inadequate, multifactor authentication or controls of equivalent strength as part of layered security can more effectively mitigate risks.

The Guidance stresses the importance of a financial institution’s performing a risk assessment, both before implementing a new financial service and periodically, as a useful tool for identifying threats and to determine when authentication controls are deemed ineffective. In this regard, the Guidance highlights in particular the expectation that an updated risk assessment and risk management program be adopted in connection with the implementation of a “faster payments” service. The Guidance identifies the following examples of effective risk assessment practices:

  • inventory of information systems
  • inventory of digital banking services and customers
  • identification of customers engaged in high-risk transactions
  • identification of users (including employees, service accounts, and third parties accessing the institution’s system and data)
  • identification of high-risk users
  • identification of threats with reasonable probability of affecting the institution’s systems, data, and accounts, including a review of actual or attempted incidents
  • control assessment (initially and periodically, including the analysis of more advanced security options available)

The appendix to the Guidance provides examples of controls and practices to manage the specific risk associated with each one of these activities. The Guidance also emphasizes the importance of monitoring, activity logging, and reporting processes in (i) assisting a financial institution’s management, (ii) determining unauthorized access to information systems, and (iii) facilitating timely response and the investigation of unauthorized or unusual activity. The appendix provides several examples of good monitoring, logging, and reporting practices.

The FFIEC notes that the practices and controls identified in the Guidance’s body and appendix are provided as a reference and do not represent an all-inclusive list of practices or controls or a comprehensive information security program. The application of the risk management principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.

1 The Federal Financial Institutions Examination Council is a U.S. government interagency body, composed of representatives from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

David E. Teitelbaum

Washington, D.C.

dteitelbaum@sidley.com

Joel D. Feinberg

Washington, D.C.

jfeinberg@sidley.com

Michael D. Lewis

Washington, D.C.

michael.lewis@sidley.com

Thomas G. Ward

Washington, D.C.

tgward@sidley.com

You might also like
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.