The Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance update in August 2021 has marked a significant step towards enhancing authentication and security access measures within financial institutions. This update expanded upon previous handbooks from 2005 and 2011, emphasizing a broader scope that now includes employees, third-party vendors, and system-to-system communications via APIs.
Over two years after this regulatory guidance, the expectation for compliance has been underscored by recent examiner focus and formal regulatory actions, making it imperative for institutions to align their practices with the guidance. Further illuminating the focus was a notable consent order issued by the Federal Deposit Insurance Corporation (FDIC) and the Texas Department of Banking in October 2023. This order offers a practical view into the expectations set forth by regulatory bodies, emphasizing the importance of strict compliance and the implementation of robust security measures.
Highlights from the Consent Order: A Blueprint for Your Next Exam
The consent order provides detailed directives that align closely with the FFIEC Authentication Guidance, focusing on key areas such as: identity access management; monitoring and logging; independent verification; inventory management; and specific software access reporting. These directives serve as a blueprint for financial institutions aiming to meet regulatory expectations and secure their operations effectively. Understanding the key points of the order and what they bring into focus for examiners can help your team better prepare for your next exam.
Identity Access Management
Summary
The order mandates a comprehensive user access review be performed across all bank systems with a more thorough focus on higher-risk systems, including those that can perform financial transactions and those that have access to customer information. Reviews should be performed by personnel independent of the original task being reviewed.
How you can prepare
Emphasize the development of policies for user access administration, identification of all system users, and perform regular access reviews to ensure adherence to the principle of least privilege.
Monitoring and Logging
Summary
Financial institutions are required to adopt a plan for automated logging and monitoring of all bank system activities.
How you can prepare
Establish formal policies for network logging, change log analysis, and the reporting of system disruptions and backup issues.
Independent Verification
Summary
The order calls for an independent review of all external connections to third parties to ensure that only authorized access and connections are allowed and monitored.
How you can prepare
Establish formal policies to grant and review third party system access. Review reporting on key third-party access, including system and service accounts, remote access, and API’s. To make a quick impact, start by focusing on privileged access and change management.
Inventory Management
Summary
A comprehensive inventory of systems and technology assets is mandated.
How you can prepare
Document asset descriptions, purposes, locations, logins, and end-of-life status.
Specialty Software Administration
Summary
The order specifies the need for a revised project plan to address weaknesses in corporate bond accounting software, including the development of automated reports to monitor data and manage user access controls. Additionally, it mandates training focused on corporate trust administration for relevant personnel. While this is a specific banking system, it highlights that the regulators are moving above and beyond Core Processing, Wire Transfer, and Active Directory to include all systems that employees and third parties have access to.
How you can prepare
Expand user access reviews to all banking systems. To streamline this process, start with an authentication risk assessment that highlights the frequency of user access reviews by banking system.
Incorporating Regulatory Insights into FFIEC Compliance Strategies
The consent order underscores the critical nature of the areas highlighted by the FFIEC Authentication Guidance and provides a concrete example of what regulatory bodies are focusing on during examinations. Financial institutions must consider these insights when developing their cybersecurity and compliance strategies.
This includes:
- Ensuring a thorough and up-to-date risk assessment process that covers all users and systems.
- Implementing multi-factor authentication (MFA) as a foundational security measure.
- Developing a comprehensive system inventory map or inventory of information systems and digital banking services.
- Regularly reviewing and documenting user access for both employees and third parties to enforce the principle of least privilege.
The recent consent order, in conjunction with the FFIEC Authentication Guidance, offers financial institutions a clear roadmap for enhancing their cybersecurity frameworks and compliance postures. By focusing on the key areas outlined in the consent order, institutions can better prepare for regulatory examinations and protect themselves against the increasing threats in the digital landscape.
The challenge for many institutions is that performing user access reviews is a manual and labor-intensive process. By leveraging Finosec’s User Access Reporting solution financial institutions can increase the efficiency and effectiveness of their access reviews and meet regulatory expectations.
For additional resources regarding what auditors expect you to implement around authentication, check out this blog or quickly get up to speed on the most recent AIO booklet that expands guidance on architecture, infrastructure and operations with our short video.
Reference Materials:
- FFIEC Authentication Guidance – https://www.fdic.gov/news/financial-institution-letters/2021/fil21055a.pdf
- Youtube Video on Authentication Guidance – https://youtu.be/iWWQ4c03TDw?feature=shared
- TX Department of Banking Formal Action – https://orders.fdic.gov/sfc/servlet.shepherd/document/download/069t000000UyTWBAA3?operationContext=S1
