The League – Fostering Financial Wellbeing for All

FFIEC issues “Authentication and Access to Financial Institution Services and Systems Guidance”

Analysis Compliance Courier

ANALYSIS: The Federal Financial Institutions Examination Council (FFIEC), on behalf of the NCUA and the federal banking regulators, has issued guidance that provides financial institutions with examples of effective risk management principles and practices for access and authentication. These principles and practices address business and consumer customers, employees, and third parties that access digital banking services and financial institution information systems.

Authentication and Access to Financial Institution Services and Systems Guidance (2021) replaces two previous FFIEC documents: 

  • Authentication in an Internet Banking Environment (2005) and
  • Supplement to Authentication in an Internet Banking Environment (2011).

ii Release No. 0171 – Authentication in Internet Banking – is updated and retitled as ii Release No. 0171 – FFIEC’s Authentication and Access to Financial Institution Services and Systems Guidance to incorporate the new guidance.
 
The new Guidance acknowledges significant risks associated with the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts, and data. The Guidance also recognizes that authentication considerations have extended beyond customers and include employees, third parties, and system-to-system communications.
 
The Guidance highlights risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program. Periodic risk assessments inform financial institution management’s decisions about authentication solutions and other controls that are deployed to mitigate identified risks. When a risk assessment indicates that single-factor authentication with layered security is inadequate, multi-factor authentication (MFA) or controls of equivalent strength, combined with other layered security controls, can more effectively mitigate risks associated with authentication. 
 
Financial institutions are subject to various safety and soundness standards, such as the standard to have internal controls and information systems that are appropriate to the institution’s size and complexity and the nature, scope, and risk of its activities. Applying the principles and practices in the Guidance, as appropriate to a financial institution’s risk profile, can support alignment with such safety and soundness standards.
 
An effective authentication program also can support alignment with the Interagency Guidelines Establishing Information Security Standards and with other laws and regulations. For example, a financial institution’s authentication program can support compliance with consumer financial protection laws, and with laws that address Customer Identification Program (CIP) and Customer Due Diligence (CDD) requirements, identity theft prevention, and the enforceability of electronic agreements. The Guidance does not interpret or establish a compliance standard for these laws or impose any new regulatory requirements on financial institutions.
 
The Guidance is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific information security framework or standard. The Guidance is relevant whether the financial institution or a third party, on behalf of the financial institution, provides the accessed information systems and authentication controls.

The Guidance sets forth risk management principles and practices that can support a financial institution’s authentication of 

  1. users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and
  2. consumer and business customers (collectively, customers) authorized to access digital banking services.

Specific topics addressed in the Guidance include:

  • Conducting a risk assessment for access and authentication to digital banking and information systems.
  • Identifying all users and customers for which authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as MFA.
  • Periodically evaluating the effectiveness of user and customer authentication controls.
  • Implementing layered security to protect against unauthorized access.
  • Monitoring, logging, and reporting of activities to identify and track unauthorized access.
  • Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks.
  • Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems.
  • Maintaining awareness and education programs on authentication risks for users and customers.
  • Verifying the identity of users and customers.