Back to Blog

What Auditors and Examiners Expect You to Have Implemented For the Updated FFIEC Authentication Guidance

By Zach Duke

September 14, 2023

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

The Federal Financial Institutions Examination Council (FFIEC) updated its Authentication Guidance in August 2021, which aims to standardize and enhance security measures for financial institutions. We are seeing a focus on these areas during exams and audits, and understanding these new guidelines is crucial for compliance and risk management.

What’s New

Originally, FFIEC authentication handbooks from 2005 and 2011 primarily focused on customers and two-factor authentication. The updated guidance considerably expands its scope to include employees, third-party vendors, and system-to-system communications via APIs.

Risk Assessment

One of the key points made in the guidance is the importance of conducting a comprehensive risk assessment. Financial institutions must now identify all users, not just customers, in their risk assessment. A stale or outdated risk assessment can result in insufficient controls. The guidance encourages an enterprise-wide approach to risk assessment, including inventories of information systems and digital banking services.

Multi-factor Authentication

The update brings attention to the modern threat landscape, which has been influenced by the pandemic and a shift to remote work. In light of this, multi-factor authentication (MFA) emerges as a consistently recommended risk-mitigating control for all types of users, including high-risk users.

The Threat Landscape

The new guidelines also focus on devices and third parties accessing information. With an increase in connectivity to cloud services and an array of third-party providers like managed service providers, the need for robust security measures has never been greater.

Key Takeaways on Effective Risk Assessment

  • Inventory of Information Systems: Often, organizations lack a comprehensive system map or inventory. This is vital for effective risk management.
  • User Identification: The guidance insists on knowing which employees have access to different systems. Service accounts, which often have elevated privileges, pose significant risks and must be documented.
  • High User Risk Identification: Whether it’s network admins or those with specific roles in banking applications, identifying high-risk users is essential.
  • Role Based Access: The concept of ‘least privilege’—where users have the minimum levels of access, or permissions, they need to perform their job functions—is emphasized as foundational.
  • User Review Reporting: Validating access, permissions, and the review processes are vital for risk management and compliance.


The FFIEC Authentication Guidance is comprehensive and aligns with the complexities of today’s digital landscape. From risk assessments to multi-factor authentication, the guidelines offer a roadmap for financial institutions to secure their environments effectively.

Understanding and implementing the new FFIEC Authentication Guidance can be complex, especially with legacy banking applications. To get a deeper insight into these updates and how they could impact your financial institution, watch our full video summary. For customized solutions and professional assistance in navigating FFIEC compliance, learn how Finosec can help you. If you found this blog post useful, please like, comment, and share to help us spread the word.

More from Finosec

Why You Need to Know Every System for Every Employee

Why You Need to Know Every System for Every Employee

Are you confident that your bank has clear and thorough visibility to every employee’s physical and digital access to systems? If you’re like most banks we work with, the answer to this question is “no”. There are many challenges that make tracking employee access...

The Hidden Risks of Shadow IT: Why Community Banks Need a Detailed System Inventory

The Hidden Risks of Shadow IT: Why Community Banks Need a Detailed System Inventory

In the world of community banking, the landscape of information security and cyber risk management has dramatically evolved. Gone are the days when all servers were in-house, and every application installation involved the IT department. Today, it’s easier than ever for a Compliance Officer to sign off on a new software tool to manage Reg DD challenges or for a Loan Officer to adopt a cloud solution to improve customer acceptance rates.

My Epiphany of AI During a Session With My Therapist

My Epiphany of AI During a Session With My Therapist

For over a year now, every Tuesday, the Finosec team has been holding a meeting to discuss how we are leveraging AI personally, at work, and in our platform. These weekly meetings have consistently focused on sharing the impact of AI for each of us personally and the...

Talk To An Expert Now
Talk To An Expert Now 770.268.2765