The Federal Financial Institutions Examination Council ("FFIEC") updated guidance for financial institutions on effective authentication and access risk management standards and practices.
Among other things, the guidance:
- underscores the risks associated with new services, such as push-payment capabilities;
- highlights cybersecurity threats, including attacks that weaponize compromised credentials;
- emphasizes the importance of a financial institution's risk assessment for determining appropriate access and authentication practices on the institution's systems and services;
- encourages adoption of multi-faceted security systems and stresses the weaknesses in single-factor authentication; and
- provides examples of adequate authentication controls and lists government and industry resources and references that can aid institutions with authentication and access management.
The new guidance replaces related guidance previously issued by the FFIEC in 2005 and 2011.
Commentary by Steven Lofchie
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.