The FFIEC has updated their expectations for access management with the Authentication and Access to Financial Institution Services and Systems Guidance. This guidance expands beyond traditional customer authentication and places a significant emphasis on employees, third parties, APIs, and system-to-system communications. Below is a breakdown of what institutions need to know and implement to stay compliant and safeguard their systems.
Key Areas of Focus in the Guidance
- Comprehensive Risk Assessment:
  - Requirement: Institutions must perform a risk assessment to identify all users, systems, and digital banking services that require authentication controls.
  - Key Action: Review your risk assessment process, particularly for new technology risk management when implementing new services such as APIs, digital banking tools, or system integrations.
- Expanding Authentication Beyond Customers:
  - Requirement: Institutions must expand authentication practices to include not just customers but also employees, third parties, service accounts, and devices accessing banking systems.
  - Key Action: Ensure all user types, including those with privileged access (e.g., system administrators and vendors), are properly identified and authenticated using enhanced controls like multi-factor authentication (MFA).
- Multi-Factor Authentication (MFA):
  - Requirement: Single-factor authentication is no longer sufficient, especially for high-risk systems, users, and sensitive transactions.
  - Key Action: Implement MFA or controls of equivalent strength for high-risk users, systems, and transactions. MFA means using more than one factor, such as something you know (a password), something you have (a device), or something you are (biometrics).
- Layered Security:
  - Requirement: Institutions must adopt layered security strategies to mitigate risks.
  - Key Action: Review the controls you have in place, especially related to MFA, network segmentation, system monitoring, and user access reviews based on the principle of least privilege.
- Access Management and User Access Reviews:
  - Requirement: Institutions must have a robust system for managing and reviewing user access across all systems, ensuring that users have appropriate access rights for their job roles.
  - Key Action: Regularly conduct user access reviews and implement least privilege access provisioning to mitigate the risk of unauthorized access or privilege escalation. This involves tracking access rights, logging changes, and ensuring that terminated employees' access is promptly revoked.
- Ongoing Monitoring and Reporting:
  - Requirement: Financial institutions must have continuous monitoring, logging, and reporting processes to track and respond to any unauthorized access attempts.
  - Key Action: Implement systems that track anomalous behavior and alert management in real time. Regular audit log and security reviews are essential to maintaining a secure environment.
- User and Customer Education:
  - Requirement: Educating employees, board members, and customers about the risks and controls related to authentication is crucial.
  - Key Action: Develop an awareness program that trains users to recognize phishing attempts, social engineering attacks, and other cybersecurity threats.
Items to Validate for Compliance
To ensure your institution remains compliant and ahead of the authentication guidance, here are key access management and reporting practices that should be implemented:
- MFA Tracking: Create reporting and processes to document what systems and users have MFA enabled. Track the availability of MFA for all systems and plan for rapid deployment when MFA becomes available.
- Privileged Access Reporting: Gain full control and visibility into privileged access rights, ensuring only authorized users have access to sensitive systems and permissions. This helps identify high-risk users and limits exposure to critical systems and functions (e.g., General Ledger, Wire Approvals, Dormant and Insider Access, etc.).
- Change Reporting: Implement a reporting system that tracks and logs any changes made to user access between reviews. This helps quickly identify any unauthorized or unexpected changes and ensures ongoing security.
- Access Review Workflows: Set up automated workflows and notifications to streamline user access reviews. This will ensure that reviews are timely, thorough, and compliant with regulatory expectations.
- Audit Trail & Historical Archives: Maintain a complete audit trail and historical record of user access reviews. This is critical for audit purposes, making it easier to demonstrate compliance and investigate past actions.
- System Access Views: Establish a centralized view of user access across all systems. This makes it easier to manage and review access rights, ensuring that the principle of least privilege is applied consistently across the institution.
- Reminders & Scheduling: Automate the scheduling of reviews and reminders for ongoing access management tasks to ensure no user access reviews are overlooked.
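As an added worked example (not from the FFIEC guidance or any vendor product), the change-reporting, privileged-access and MFA-tracking checks above can be run as one script that diffs the previous review snapshot against the current one; the system names, roles, users and the terminated-user list below are constructed sample data, and the high-risk system and privileged role sets are assumptions.

```python
"""Access change report between two user access review snapshots (added example)."""
from dataclasses import dataclass

# Assumptions: which systems the institution treats as high-risk and which roles are privileged.
HIGH_RISK_SYSTEMS = {"core-banking", "wire-approvals", "general-ledger"}
PRIVILEGED_ROLES = {"admin", "approver"}


@dataclass(frozen=True)
class Grant:
    user: str     # account holder
    system: str   # system the access is on
    role: str     # role or entitlement granted
    mfa: bool     # whether MFA is enforced for this account on this system


def diff_grants(previous, current):
    """Return (added, removed) sets of (user, system, role) tuples between two reviews."""
    prev = {(g.user, g.system, g.role) for g in previous}
    curr = {(g.user, g.system, g.role) for g in current}
    return curr - prev, prev - curr


def access_review_findings(previous, current, terminated):
    """Produce (severity, message) findings: changes since last review, terminated users
    who still hold access, and accounts on high-risk systems without MFA."""
    added, removed = diff_grants(previous, current)
    findings = []
    for user, system, role in sorted(added):
        sev = "HIGH" if role in PRIVILEGED_ROLES or system in HIGH_RISK_SYSTEMS else "INFO"
        findings.append((sev, f"new grant {user}->{system}:{role}"))
    for user, system, role in sorted(removed):
        findings.append(("INFO", f"removed grant {user}->{system}:{role}"))
    for g in current:
        if g.user in terminated:
            findings.append(("HIGH", f"terminated user {g.user} still has {g.system}:{g.role}"))
        if g.system in HIGH_RISK_SYSTEMS and not g.mfa:
            findings.append(("HIGH", f"no MFA for {g.user} on {g.system}"))
    return findings


# Constructed sample snapshots from two consecutive access reviews.
PREVIOUS = [Grant("alice", "core-banking", "teller", True),
            Grant("bob", "wire-approvals", "approver", True),
            Grant("carol", "hr-portal", "user", False),
            Grant("dave", "general-ledger", "viewer", True)]
CURRENT = [Grant("alice", "core-banking", "teller", True),
           Grant("alice", "wire-approvals", "approver", False),
           Grant("bob", "wire-approvals", "approver", True),
           Grant("carol", "hr-portal", "user", False),
           Grant("dave", "hr-portal", "admin", True)]
TERMINATED = {"bob"}  # constructed: HR feed of users terminated since the last review

if __name__ == "__main__":
    for severity, message in access_review_findings(PREVIOUS, CURRENT, TERMINATED):
        print(severity, message)
```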
By implementing these actions, your institution can effectively meet the FFIEC’s guidelines on authentication and access management.
The Threat Landscape: Why These Measures Matter
Since the onset of remote work and digital transformation, financial institutions have seen an increase in the number of access points into their systems. Devices like smartphones, tablets, and other personal devices create new vulnerabilities, and cyberattacks like phishing, malware, and man-in-the-middle attacks have only become more sophisticated.
Failing to implement these security measures could lead to data breaches, account takeovers, and financial fraud. The authentication guidance emphasizes the importance of proactively managing these risks through MFA, access management, and layered security.
Take Action
If your institution hasn’t yet aligned with the FFIEC’s new guidance, now is the time. Ensuring compliance and enhancing your authentication and access management processes are critical steps to safeguarding your systems.