
FFIEC Authentication Guidance: Are You Meeting the Expectation?

By Zach Duke

October 10, 2024


The FFIEC has updated its expectations for access management with the Authentication and Access to Financial Institution Services and Systems Guidance. This guidance expands beyond traditional customer authentication and places significant emphasis on employees, third parties, APIs, and system-to-system communications. Below is a breakdown of what institutions need to know and implement to stay compliant and safeguard their systems.

Key Areas of Focus in the Guidance

  1. Comprehensive Risk Assessment:
    • Requirement: Institutions must perform a risk assessment to identify all users, systems, and digital banking services that require authentication controls.
    • Key Action: Review your risk assessment process, particularly for new technology risk management when implementing new services such as APIs, digital banking tools, or system integrations.
  2. Expanding Authentication Beyond Customers:
    • Requirement: Institutions must expand authentication practices to include not just customers but also employees, third parties, service accounts, and devices accessing banking systems.
    • Key Action: Ensure all user types, including those with privileged access (e.g., system administrators and vendors), are properly identified and authenticated using enhanced controls like multi-factor authentication (MFA).
  3. Multi-Factor Authentication (MFA):
    • Requirement: Single-factor authentication is no longer sufficient, especially for high-risk systems, users, and sensitive transactions.
    • Key Action: Implement MFA, or controls of equivalent strength, for high-risk users, systems, and transactions. MFA means requiring two or more distinct factor types: something you know (a password), something you have (a device or hardware token), and something you are (a biometric). Two credentials of the same type, such as a password plus a security question, do not count as MFA.
  4. Layered Security:
    • Requirement: Institutions must adopt layered security strategies to mitigate risks.
    • Key Action: Review the controls you have in place, especially related to MFA, network segmentation, system monitoring, and user access reviews based on the principle of least privilege.
  5. Access Management and User Access Reviews:
    • Requirement: Institutions must have a robust system for managing and reviewing user access across all systems, ensuring that users have appropriate access rights for their job roles.
    • Key Action: Regularly conduct user access reviews and implement least privilege access provisioning to mitigate risks of unauthorized access or privilege escalation. This involves tracking access rights, logging changes, and ensuring terminated employee access is promptly revoked.
  6. Ongoing Monitoring and Reporting:
    • Requirement: Financial institutions must have continuous monitoring, logging, and reporting processes to track and respond to any unauthorized access attempts.
    • Key Action: Implement systems that track anomalous behavior and alert management in real time. Regular audit logs and security reviews are essential to maintaining a secure environment.
  7. User and Customer Education:
    • Requirement: Educating employees, board members, and customers about the risks and controls related to authentication is crucial.
    • Key Action: Develop an awareness program that trains users to recognize phishing attempts, social engineering attacks, and other cybersecurity threats.

Items to Validate for Compliance

To ensure your institution remains compliant and ahead of the authentication guidance, here are key access management and reporting practices that should be implemented:

  • MFA Tracking: Create reporting and processes to document which systems and users have MFA enabled. Track which systems do not yet offer MFA so you can deploy it promptly when the vendor makes it available, and document compensating controls in the meantime.
  • Privileged Access Reporting: Gain full control and visibility into privileged access rights, ensuring only authorized users have access to sensitive systems and permissions. This helps identify high-risk users and limits exposure to critical systems and functions (e.g., general ledger, wire approvals, dormant accounts, insider access).
  • Change Reporting: Implement a reporting system that tracks and logs any changes made to user access between reviews. This helps quickly identify any unauthorized or unexpected changes and ensures ongoing security.
  • Access Review Workflows: Set up automated workflows and notifications to streamline user access reviews. This will ensure that reviews are timely, thorough, and compliant with regulatory expectations.
  • Audit Trail & Historical Archives: Maintain a complete audit trail and historical record of user access reviews. This is critical for audit purposes, making it easier to demonstrate compliance and investigate past actions.
  • System Access Views: Establish a centralized view of user access across all systems. This makes it easier to manage and review access rights, ensuring that the principle of least privilege is applied consistently across the institution.
  • Reminders & Scheduling: Automate the scheduling of reviews and reminders for ongoing access management tasks to ensure no user access reviews are overlooked.
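The change reporting, privileged access reporting, MFA tracking, and terminated-user checks above all come down to comparing the current state of access against a known baseline. The script below is an added example (not Finosec's tooling and not part of the FFIEC guidance) that diffs two user access snapshots taken at consecutive reviews, flags changes that were not covered by an approved change record, highlights additions of privileged entitlements, lists terminated employees who still hold access, and lists user/system pairs where MFA is not enabled. The snapshots, HR roster, MFA inventory, approved-change list, and the set of entitlements treated as privileged are all constructed for illustration.

```python
"""Access change report between two user access reviews.

Added example for illustration only; all data below is constructed.
A real run would pull the snapshots from the core system, Active Directory,
the wire platform, etc., and the roster from HR.
"""
from typing import Dict, List, Set, Tuple

# user -> system -> set of entitlements
Snapshot = Dict[str, Dict[str, Set[str]]]
# (action, user, system, entitlement), action is "added" or "removed"
Change = Tuple[str, str, str, str]

# Assumption: these entitlements are the institution's privileged functions.
PRIVILEGED: Set[str] = {"wire_approve", "gl_post", "admin"}

# Constructed snapshot from the previous review.
PREVIOUS: Snapshot = {
    "alice": {"core": {"teller"}, "wires": {"wire_initiate"}},
    "bob":   {"core": {"teller"}},
    "carol": {"core": {"gl_view"}, "ad": {"admin"}},
}
# Constructed snapshot taken for the current review.
CURRENT: Snapshot = {
    "alice": {"core": {"teller"}, "wires": {"wire_initiate", "wire_approve"}},
    "bob":   {"core": {"teller"}},
    "carol": {"core": {"gl_view"}},
    "dave":  {"core": {"teller"}, "wires": {"wire_initiate"}},
}
# Constructed HR roster of users terminated since the previous review.
TERMINATED: Set[str] = {"bob"}
# Constructed MFA inventory: system -> users with MFA enabled.
MFA_ENABLED: Dict[str, Set[str]] = {
    "core": {"alice", "carol", "dave"},
    "wires": {"alice"},
    "ad": set(),
}
# Constructed approved change records (e.g. closed tickets) since last review.
APPROVED: Set[Change] = {
    ("added", "dave", "core", "teller"),
    ("removed", "carol", "ad", "admin"),
}


def diff_access(prev: Snapshot, curr: Snapshot) -> List[Change]:
    """Every entitlement granted or revoked between the two snapshots."""
    changes: List[Change] = []
    for user in sorted(set(prev) | set(curr)):
        systems = set(prev.get(user, {})) | set(curr.get(user, {}))
        for system in sorted(systems):
            before = prev.get(user, {}).get(system, set())
            after = curr.get(user, {}).get(system, set())
            changes += [("added", user, system, e) for e in sorted(after - before)]
            changes += [("removed", user, system, e) for e in sorted(before - after)]
    return changes


def privilege_escalations(changes: List[Change]) -> List[Change]:
    """Additions of privileged entitlements; these need explicit sign-off."""
    return [c for c in changes if c[0] == "added" and c[3] in PRIVILEGED]


def terminated_with_access(curr: Snapshot, terminated: Set[str]) -> List[str]:
    """Terminated users whose access was not revoked before this review."""
    return sorted(u for u in curr if u in terminated and any(curr[u].values()))


def mfa_gaps(curr: Snapshot, mfa: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(user, system) pairs that have access but no MFA enrollment."""
    return [(u, s) for u in sorted(curr) for s in sorted(curr[u])
            if u not in mfa.get(s, set())]


def build_report(prev: Snapshot, curr: Snapshot, terminated: Set[str],
                 mfa: Dict[str, Set[str]], approved: Set[Change]) -> dict:
    changes = diff_access(prev, curr)
    return {
        "changes": changes,
        "unapproved": [c for c in changes if c not in approved],
        "escalations": privilege_escalations(changes),
        "terminated_with_access": terminated_with_access(curr, terminated),
        "mfa_gaps": mfa_gaps(curr, mfa),
    }


if __name__ == "__main__":
    for section, rows in build_report(PREVIOUS, CURRENT, TERMINATED,
                                      MFA_ENABLED, APPROVED).items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", row)
```

On the constructed data the report shows alice's new wire approval as both an unapproved change and a privilege escalation, dave's wire access as unapproved and lacking MFA, and bob as a terminated employee who still has core access without MFA. Persisting each run's output gives the audit trail and historical archive the guidance expects.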

By implementing these actions, your institution can effectively meet the FFIEC’s guidelines on authentication and access management.

The Threat Landscape: Why These Measures Matter

Since the onset of remote work and digital transformation, financial institutions have seen an increase in the number of access points into their systems. Smartphones, tablets, and other personal devices widen the attack surface, and attacks such as phishing, malware, and man-in-the-middle interception have only become more sophisticated.

Failing to implement these security measures could lead to data breaches, account takeovers, and financial fraud. The authentication guidance emphasizes the importance of proactively managing these risks through MFA, access management, and layered security.

Take Action

If your institution hasn’t yet aligned with the FFIEC’s new guidance, now is the time. Ensuring compliance and enhancing your authentication and access management processes are critical steps to safeguarding your systems. 


