FFIEC Releases Guidance on Authentication, Access Risk Management for Digital Banking

The Federal Financial Institutions Examination Council today issued guidance for financial institutions on effective authentication and access risk management principles for digital banking services. The guidance does not impose any new regulatory requirements on banks, nor does it serve as a comprehensive framework for access management programs or endorse any specific information security framework or standard. FFIEC also noted that the guidance “is relevant whether the financial institution or a third party, on behalf of the financial institution, provides the accessed information systems and authentication controls.”

The guidance highlights current cybersecurity threats, including increased remote access by customers and attacks that take advantage of compromised credentials. It also includes information on the risks from push payment capabilities, examples of authentication controls and a list of government and industry resources to assist financial institutions with authentication and access management.

The new guidance also highlights weaknesses in single-factor authentication and discusses how multi-factor authentication can effectively mitigate risks. The guidance replaces FFIEC-issued resources on digital banking released in 2005 and 2011.