Skip to main content

New FFIEC Guidance for Access and Authentication

In response to an expanded cybersecurity threat landscape, the FFIEC just issued an update to agency expectations for access and authentication to financial institution products and systems. This update replaces both the 2005 and the 2011 authentication guidance, and has been extended beyond digital banking (ebanking) customers to include everyone and everything that might have access, such as employees, third parties, and system-to-system communications. Perhaps in recognition of the highly outsourced and interconnected nature of these services, the guidance makes it clear that the guidance is applicable “…whether the financial institution or a third party, on behalf of the financial institution, provides the accessed information systems and authentication controls.” (Emphasis added.)

The new guidance recognizes that the potential access points by which an attacker might compromise an institution have greatly increased due to new technologies and remote access capabilities and because of this, existing authentication methods (like single-factor authentication) may no longer be sufficient. They also cite recent data breaches at financial institutions as well as their service providers, such as credit bureaus. They strongly suggest that multi-factor authentication (MFA) in combination with other layered controls like least-privilege user access can be more effective at mitigating risks.

As with everything else, this should be supported by a risk assessment, both prior to implementation of the service and/or authorization of access, and periodically thereafter. The assessment should include inputs enterprise-wide and from a range of business functions, and include the following elements:

  • The sources of risk, such as:
    • An inventory of all information systems and components
    • All digital products and customers, as well as all high-risk customers1
    • All users accessing the system, including employees, service accounts, and third-parties
    • All high-risk users2
  • The reasonably foreseeable threats to the risk sources
  • The practices and controls employed to address the threats

Fully half of the guidance consists of an appendix with examples of practices and controls in the following areas:

  • Authentication Solutions
  • Password Controls
  • Access and Transaction Controls
  • Customer Call Centers and IT Help Desks Controls
  • Customer Controls
  • Transaction Logging and Monitoring Controls
  • System Access Controls for Users
  • Privileged User Controls
  • System and Network Design and Architecture Controls
  • Email Systems Controls
  • Internet Browser Controls

We expect that regulators will be scrutinizing your access and authentication practices, and our advice is (based on the results of your risk assessment) to use this appendix as a checklist of controls you either have already implemented, or plan to implement.

1 High risk customers are those that initiate high dollar amount and high volume of transactions, where the sensitivity and amount of information accessed is higher, the irrevocability of the transaction, and the likelihood and impact of fraud.
2 High risk users are those with access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management.