FFIEC Guidelines on Authentication and Access to Services and Systems of Financial Institutions | Knowledge
The Guide replaces the previous guides published by the FFIEC on risk management practices for financial institutions offering Internet-based products: âAuthentication in an Internet Banking Environmentâ (2005) and the âSupplement to Authentication in an Internet Banking Environmentâ â(2011). The 2005 guidelines replaced a 2001 version of the same document. Thus, the Guide is the fourth iteration of FFIEC’s perspective on measures to address authentication and access risks, and it reinforces the need for financial institutions to implement adequate risk management approaches. to protect information systems, accounts and data in the light of burgeoning cybersecurity. risks and the evolution of technology. Additionally, the Guide expands the scope of FFIEC’s authentication considerations beyond customers to include employees, third parties, and system-to-system communications.
The Guide concludes that single-factor authentication no longer provides adequate protection against evolving and increasingly sophisticated attack methods if used alone or even when used in combination with layered security for clients in “high risk transactions” and for “high risk users”. The Guide does not define these terms. It states that the elements that a financial institution should take into account in identifying high-risk transactions include “the dollar amount and volume of transactions, the sensitivity and amount of information accessed, the finality of the transaction and the likelihood and impact of fraud â, and elements that a financial institution should consider when identifying high-risk users includeâ access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management. The Guide explains that when single-factor authentication with layered security is inadequate, multi-factor authentication or equivalent strength checks as part of layered security can more effectively mitigate risk.
The Guide emphasizes the importance for a financial institution to perform a risk assessment, both before implementing a new financial service and periodically, as a useful tool to identify threats and determine when to check. authentication are considered ineffective. In this regard, the Guide highlights in particular the expectation that an updated risk assessment and management program will be adopted as part of the implementation of a âfaster paymentsâ service. The Guide identifies the following examples of effective risk assessment practices:
- inventory of information systems
- digital banking and customer inventory
- identification of clients engaged in high-risk transactions
- identification of users (including employees, service accounts and third parties accessing the institution’s system and data)
- identification of high risk users
- identification of threats that have a reasonable probability of affecting the institution’s systems, data and accounts, including a review of actual or attempted incidents
- control assessment (initially and periodically, including analysis of more advanced security options available)
The appendix to the Guide provides examples of controls and practices to manage the specific risk associated with each of these activities. The Guide also emphasizes the importance of monitoring, activity recording and reporting processes to (i) assist the management of a financial institution, (ii) determine unauthorized access to financial institution systems. information and (iii) facilitate a rapid response and investigation of unauthorized or unusual activities. . The appendix provides several examples of good monitoring, logging, and reporting practices.
FFIEC notes that the practices and controls identified in the body and appendix of the Guide are provided for reference and do not represent an exhaustive list of practices or controls or a comprehensive information security program. The application of risk management principles and practices may vary within financial institutions depending on their respective operational and technological complexity, their risk assessments, and their risk appetite and tolerance.
1 The Federal Financial Institutions Examination Council is an interagency body of the United States government, composed of representatives of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Bureau of Financial Protection and the State Liaison Committee.