The Federal Financial Institutions Examination Council (FFIEC) issued new guidance, Authentication and Access to Financial Institution Services and Systems, on August 11, 2021 (transmitted to FDIC-supervised institutions as FIL-55-2021). It replaces the FFIEC's 2005 authentication guidance and its 2011 supplement. The guidance gives financial institutions examples of effective risk management principles and practices for authentication and access to digital banking services and information systems.
The new Guidance addresses:
- A financial institution’s risk assessment, which is critical for determining appropriate access and authentication practices.
- Authentication practices for a wide range of users, including customers, employees, third parties, and service accounts, accessing financial institution systems and services.
- How multi-factor authentication, or controls of equivalent strength, can be used to effectively mitigate risks of unauthorized access.
Topics of this Guidance include:
- Conducting a risk assessment for access and authentication to digital banking and information systems.
- Identifying all users and customers for which authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as MFA.
- Periodically evaluating the effectiveness of user and customer authentication controls.
- Implementing layered security to protect against unauthorized access.
- Monitoring, logging, and reporting of activities to identify and track unauthorized access.
- Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks.
- Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems.
- Maintaining awareness and education programs on authentication risks for users and customers.
- Verifying the identity of users and customers.
The Guidance is a must-read for financial institution management and for the security and IT staff responsible for implementing its controls.