Summary:
The Federal Financial Institutions Examination Council (FFIEC) issued new guidance titled Authentication and Access to Financial Institution Services and Systems. The guidance provides financial institutions with examples of effective authentication and access risk management principles and practices. These principles and practices are for digital banking services and information systems.
The guidance is available on the FDIC’s website.
Statement of Applicability: This Financial Institution Letter (FIL) applies to all FDIC-supervised institutions.
Highlights:
The new Guidance addresses:
- A financial institution’s risk assessment, which is critical for determining appropriate access and authentication practices.
- Authentication practices for a wide range of users including customers, employees, third parties, and service accounts accessing financial institution systems and services.
- How multi-factor authentication, or controls of equivalent strength, can be used to effectively mitigate risks of unauthorized access.
The guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005), and the Supplement to Authentication in an Internet Banking Environment (2011).
Distribution:
FDIC-Supervised Institutions
Suggested Routing:
Chief Executive Officer
Chief Information Officer
Chief Information Security Officer
Chief Risk Officer