
Integrating FFIEC Authentication Guidance: A Blueprint for Your Next Exam With Insights from Recent Regulatory Actions

By Zach Duke

April 11, 2024


The Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance update of August 2021 marked a significant step towards strengthening authentication and access-security measures within financial institutions. This update expanded upon the previous handbooks from 2005 and 2011, broadening the scope to explicitly include employees, third-party vendors, and system-to-system communications via APIs.

More than two years after this guidance was issued, the expectation of compliance has been underscored by recent examiner focus and formal regulatory actions, making it imperative for institutions to align their practices with it. A notable example is the consent order issued by the Federal Deposit Insurance Corporation (FDIC) and the Texas Department of Banking in October 2023. This order offers a practical view into the expectations set by regulatory bodies, emphasizing strict compliance and the implementation of robust security measures.

Highlights from the Consent Order: A Blueprint for Your Next Exam

The consent order provides detailed directives that align closely with the FFIEC Authentication Guidance, focusing on key areas such as: identity access management; monitoring and logging; independent verification; inventory management; and specific software access reporting. These directives serve as a blueprint for financial institutions aiming to meet regulatory expectations and secure their operations effectively. Understanding the key points of the order and what they bring into focus for examiners can help your team better prepare for your next exam.

Identity Access Management

Summary

The order mandates a comprehensive user access review be performed across all bank systems with a more thorough focus on higher-risk systems, including those that can perform financial transactions and those that have access to customer information. Reviews should be performed by personnel independent of the original task being reviewed.

How you can prepare

Develop policies for user access administration, identify all system users, and perform regular access reviews to ensure adherence to the principle of least privilege.


Monitoring and Logging

Summary

Financial institutions are required to adopt a plan for automated logging and monitoring of all bank system activities.

How you can prepare

Establish formal policies for network logging, change log analysis, and the reporting of system disruptions and backup issues.


Independent Verification

Summary

The order calls for an independent review of all external connections to third parties to ensure that only authorized access and connections are allowed and monitored.

How you can prepare

Establish formal policies for granting and reviewing third-party system access. Review reporting on key third-party access, including system and service accounts, remote access, and APIs. To make a quick impact, start by focusing on privileged access and change management.


Inventory Management

Summary

A comprehensive inventory of systems and technology assets is mandated.

How you can prepare

Document asset descriptions, purposes, locations, logins, and end-of-life status.


Specialty Software Administration

Summary

The order specifies the need for a revised project plan to address weaknesses in corporate bond accounting software, including the development of automated reports to monitor data and manage user access controls. It also mandates training focused on corporate trust administration for relevant personnel. While this is a specific banking system, it signals that regulators are looking beyond Core Processing, Wire Transfer, and Active Directory to every system that employees and third parties can access.

How you can prepare

Expand user access reviews to all banking systems. To streamline this process, start with an authentication risk assessment that sets the frequency of user access reviews for each banking system.


Incorporating Regulatory Insights into FFIEC Compliance Strategies

The consent order underscores the critical nature of the areas highlighted by the FFIEC Authentication Guidance and provides a concrete example of what regulatory bodies focus on during examinations. Financial institutions should incorporate these insights into their cybersecurity and compliance strategies, and ensure they meet any timelines set in their own examinations for updating policies and procedures.

This includes:

  • Ensuring a thorough and up-to-date risk assessment process that covers all users and systems.
  • Implementing multi-factor authentication (MFA) as a foundational security measure.
  • Developing a comprehensive system inventory map or inventory of information systems and digital banking services.
  • Regularly reviewing and documenting user access for both employees and third parties to enforce the principle of least privilege.

The recent consent order, in conjunction with the FFIEC Authentication Guidance, offers financial institutions a clear roadmap for enhancing their cybersecurity frameworks and compliance postures. By focusing on the key areas outlined in the consent order, institutions can better prepare for regulatory examinations and protect themselves against the increasing threats in the digital landscape.

The challenge for many institutions is that performing user access reviews is a manual and labor-intensive process. By leveraging Finosec’s User Access Reporting solution, financial institutions can increase the efficiency and effectiveness of their access reviews and meet regulatory expectations.

For additional resources on what auditors expect you to implement around authentication, check out this blog, or quickly get up to speed on the most recent AIO booklet, which expands guidance on architecture, infrastructure, and operations, with our short video.
