FFIEC Issues Guidance on Authentication & Access to Financial Institutions Services and Systems

The Federal Financial Institutions Examination Council recently issued guidance on effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems.

The guidance, which replaces previous documents from 2005 and 2011, touches on the following topics:

  • The current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities.
  • The importance of the financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
  • A financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
  • How multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
  • Some examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management. The examples include:
    • Authentication solutions;
    • Password controls;
    • Access to transaction controls;
    • Customer controls;
    • Transaction logging and monitoring controls;
    • System access controls for users;
    • Privileged user controls;
    • System and network design and architecture controls;
    • Email systems controls; and
    • Internet browser controls.

Question of the Week

Q. Can a business account have a designated beneficiary?

A. It is generally not a good idea to allow a beneficiary on a business account since businesses technically do not die. What happens to the funds in a business account after the death of an individual should be addressed elsewhere in the business documents and/or in a will.

Compliance Alerts

National Credit Union Administration

Register Now for NCUA’s Modernized Examination Tools Webinar on Sept. 8: The NCUA will host a webinar on Sept. 8 (11 a.m. PDT) which will focus on the NCUA’s new modern examination platforms and discuss the benefits of the systems for credit unions and examiners.

Consumer Financial Protection Bureau

Mortgage Refinance Loans Drove an Increase in Closed-end Originations in 2020: The CFPB released a report on which shows the total number of closed-end mortgage originations, as well as applications, increased substantially between 2019 and 2020.  The primary driver of the increase was mortgage refinancing.

CFPB Issues Technical Specifications for Credit Card Agreement and Data Submissions Required under TILA and the Card Act: The CFPB issued new technical specifications for complying with credit card agreement and data submission requirements under TILA and the CARD Act (Regulation Z). Credit card issuers will use the Bureau’s Collect website to submit its TCCP survey data to the Bureau for the Feb. 14, 2022 submission deadline. You can view the technical specifications here.

Office of Foreign Assets Control

OFAC has updated the SDN list as of August 19. The last update prior to this was July 22.

Posted in Compliance, Compliance News, Compliance Question.