The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled, “Authentication and Access to Financial Institution Services and Systems” (Guidance.)  The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.

The Guidance contains risk management principles and practices that can support a financial institution’s authentication of (1) users accessing the financial institution’s information systems, including employees, board members, third parties, service accounts, application, and devices (collectively, users) and (2) business and consumer customers (collectively, customers) authorized to access digital banking services.  The Guidance, which replaces previously issued 2005 and 2011 FFIEC guidance, is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific security framework or standard.  However, the Guidance is applicable not only to financial institutions, but also applies to any third party service provider acting on a financial institution’s behalf.

The Guidance begins with a discussion of the “threat landscape” faced by financial institutions.  It observes that the evolution of new technologies and broadly-used access points has expanded the system entry or access points through which an attacker can compromise a financial institution.  It also observes that certain authentication controls that were previously effective no longer provide a sufficient defense against evolving and increasingly sophisticated methods of attack.

The other topics addressed by the Guidance are:

  • Risk assessment to determine appropriate authentication techniques and access management practices, including examples of effective risk assessment practices
  • Layered security controls
  • Multi-factor authentication as part of layered security
  • Monitoring, activity logging, and reporting processes and controls
  • Email systems and internet browsers
  • Call center and IT help desk authentication
  • Data aggregators and other customer-permissioned entities providing services to customers
  • User and customer awareness and education

The Guidance includes an Appendix that lists examples of practices or controls related to access management, authentication, and supporting controls.