FFIEC issues updated guidance on authentication and access

By Kim Phan on August 12, 2021

The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled “Authentication and Access to Financial Institution Services and Systems” (the Guidance). The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.

The Guidance contains risk management principles and practices that can support a financial institution’s authentication of (1) users accessing the financial institution’s information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and (2) business and consumer customers (collectively, customers) authorized to access digital banking services. The Guidance, which replaces previously issued 2005 and 2011 FFIEC guidance, is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific security framework or standard. However, the Guidance applies not only to financial institutions but also to any third-party service provider acting on a financial institution’s behalf.

The Guidance begins with a discussion of the “threat landscape” faced by financial institutions. It observes that the evolution of new technologies and broadly used access points has expanded the system entry or access points through which an attacker can compromise a financial institution. It also observes that certain authentication controls that were previously effective no longer provide a sufficient defense against evolving and increasingly sophisticated methods of attack.

The other topics addressed by the Guidance are:

  • Risk assessment to determine appropriate authentication techniques and access management practices, including examples of effective risk assessment practices
  • Layered security controls
  • Multi-factor authentication as part of layered security
  • Monitoring, activity logging, and reporting processes and controls
  • Email systems and internet browsers
  • Call center and IT help desk authentication
  • Data aggregators and other customer-permissioned entities providing services to customers
  • User and customer awareness and education

The Guidance includes an Appendix that lists examples of practices or controls related to access management, authentication, and supporting controls.

Posted in: Banking, Finance and Securities. Blog: Consumer Finance Monitor. Organization: Ballard Spahr LLP.
