On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC), the multi-agency authority responsible for issuing uniform principles and standards for supervision of financial institutions, published new guidance on "Authentication and Access to Financial Institution Services and Systems" (the Guidance). This Guidance is intended to address the current cybersecurity threat environment and replaces previous FFIEC guidance published in 2005 and 2011. Areas addressed include risk management practices relating to oversight of identification, authentication, and access solutions for customers, employees, and third parties that access digital banking services and financial institution information systems. Below are key elements of the Guidance, and a list of action steps financial institutions can implement to ensure the effectiveness of their authentication programs in light of this new Guidance.
Key highlights of the Guidance include:
- Conducting risk assessments for access and authentication to digital banking and information systems;
- Identification of all users and customers for which access and authentication controls are required, including those who may warrant enhanced authentication controls, such as multi-factor authentication;
- Periodic evaluation of access and authentication controls;
- Implementation of layered security to prevent unauthorized access;
- Monitoring, logging, and reporting of activities to identify and trace unauthorized access;
- Identification of risks from email systems, Internet access, customer call centers, and internal IT help desks, and implementing mitigating controls to address such risks;
- Identification of risks from customer-permissioned entities accessing information systems, and implementing mitigating controls regarding same;
- Maintaining awareness of and education on authentication risks for users and customers;
- Verification of the identity of users and customers.
Financial institutions considering updating their practices in light of this new Guidance may consider the following steps:
- Reviewing existing risk management policies and procedures to ensure proper inventories of devices, systems, software, digital banking services, users, and customers. Customers involved in high-risk financial transactions and users involved in high-risk activities may be assessed for additional or enhanced authentication controls.
- Identifying threats with reasonable probability of impacting systems, data, or user/customer accounts, as well as reviewing actual or attempted incidents of security breaches, identity theft, or fraud.
- Assessing adoption and implementation of layered security measures, such as multi-factor authentication, user time-out, network segmentation, monitoring, and transaction amount limits.
- Reviewing monitoring, logging, and reporting processes and controls.
- With regard to email systems and internet use, assessing implementation of secure configurations, multi-factor authentication, remote access controls, education and training of users, and software patches; reviewing implementation of software vendor and service provider controls for outsourced services; blocking browser pop-ups and redirects; and limiting running of scripting languages.
- Ensuring training of customer call center staff and IT help desk representatives to avoid social engineering techniques in resetting passwords or providing any other credentials.
- Updating customer awareness programs to guard against the latest phishing, social engineering, or other fraudulent activity, including confirmation of legitimacy of communications issued by the financial institution.
- Reviewing customer identity verification measures and considering implementation of methods focused on detecting fraudulent activities, such as impersonation, and avoiding dependence on knowledge-based questions to verify identity.
Potential Legal Issues
When considering the above measures, financial institutions should also consult with legal counsel to assess the potential legal implications associated with implementing changes to access and authentication procedures. Some of these issues may include:
- Directing an updated risk assessment, with third party vendors, of the impact of new measures on the financial institution's risk profile;
- Updating the financial institution's information security plan and/or incident response plan as required, including revising and updating table-top simulations and other plan testing measures;
- Notifying relevant insurance carriers as necessary;
- Reviewing third-party or vendor contracts to assess the impact of the adoption of new measures on performance, notification, or other contractual obligations;
- Documenting and retaining records related to training, customer awareness, and other risk-communication materials;
- Communicating with customers regarding new authentication requirements; and
- Ensuring consistency of description of security risks to customers in customer awareness programs to avoid compliance risks;
If you have any questions regarding these potential legal issues, adoption of measures to comply with the Guidance, or any other aspect of your cybersecurity and data protection program, please contact the authors Aldo M. Leiva, Matthew G. White, CIPP/US, CIPP/E, CIPM, PCIP or Alexander F. Koskey, CIPP/US, CIPP/E, PCIP, or any member of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team.