Client Alert

FFIEC Issues Updated Guidance on Authentication and Access to Financial Institution Services and Systems

17 Aug 2021

On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance, titled “Authentication and Access to Financial Institution Services and Systems” (“Guidance”), which provides examples of effective authentication and access risk management principles and practices for financial institutions. The principles and practices relate to access to digital banking services and information systems by customers (consumer and business), employees, third parties, apps, and devices.

The Guidance from the FFIEC, whose members include representatives from the federal banking agencies and the CFPB, replaces two earlier FFIEC guidance documents: (1) Authentication in an Internet Banking Environment, issued in 2005, and (2) Supplement to Authentication in an Internet Banking Environment, issued in 2011. Both the 2005 and 2011 guidance provided risk management practices for financial institutions offering internet-based products and services. The updated Guidance comes at a time of heightened regulatory scrutiny regarding cybersecurity and the potential impact on the country’s financial sector.[1] The Guidance acknowledges the emerging cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate customers, as well as the expansion of authentication considerations beyond customers to include employees, third parties, and system-to-system communications.

Among other things, the Guidance:

  • Highlights the cybersecurity threat environment, including remote access by customers and users, attacks that leverage compromised credentials, and risks from push payment capabilities;
  • Recognizes the importance of a financial institution’s risk assessment to determine appropriate user access and authentication practices;
  • Supports financial institution adoption of layered security; and
  • Addresses how multi-factor authentication or similar controls can mitigate risks more effectively than single-factor authentication.

An Appendix to the Guidance provides examples of practices or controls related to access management and authentication, as well as a list of resources to assist financial institutions with authentication and access management.

Of particular note, the FFIEC indicates that the Guidance is neither an endorsement of, nor a “comprehensive framework” for, any specific information security identity and access program. In addition, according to the FFIEC, the Guidance is intended to apply not only to financial institutions, but also to any third party acting on behalf of a financial institution that provides the accessed information systems and authentication controls. These FFIEC positions are not surprising in light of (1) the myriad information security standards in use in the market and (2) financial institutions’ use of, and partnership with, third parties (e.g., data aggregators) to provide authentication and access services. Fintechs working with financial institutions should expect a push-down of enhanced authentication and access requirements.

[1] The Guidance also comes at a time of increased scrutiny on authentication practices from the federal banking agencies. For example, the Federal Reserve recently started a series of research briefs on authentication fraud, with a particular focus on the payments landscape.
