New Guidance from the FFIEC on Access to Systems
The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance, "Authentication and Access to Financial Institution Services and Systems," on authentication and access to financial institution services and systems. It covers customer access to financial institution services as well as access to internal systems by the institution's employees and by third parties. The guidance addresses:
- Conducting a risk assessment for access and authentication to digital banking and information systems.
- Identifying all users and customers for whom authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as multi-factor authentication (MFA).
- Periodically evaluating the effectiveness of user and customer authentication controls.
- Implementing layered security to protect against unauthorized access.
- Monitoring, logging, and reporting of activities to identify and track unauthorized access.
- Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks.
- Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems.
- Maintaining awareness and education programs on authentication risks for users and customers.
- Verifying the identity of users and customers.
August 12th, 2021