
InfoBytes Blog

Financial Services Law Insights and Observations

FFIEC gives authentication and access guidance to financial institutions

Agency Rule-Making & Guidance FFIEC Risk Management Fintech Privacy/Cyber Risk & Data Security


On August 11, the Federal Financial Institutions Examination Council (FFIEC) published guidance, on behalf of its members, to provide financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and financial institution information systems. Among other things, the guidance: (i) acknowledges significant risks associated with the cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate users and for customers to protect information systems, accounts, and data; (ii) provides examples of effective risk assessment practices, such as inventory of information systems and inventory of digital banking services and customers; and (iii) indicates that single-factor authentication with layered security is inadequate and that multi-factor authentication or controls of equivalent strength with layered security may therefore be more effective.

The guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011).