FFIEC Updates Authentication Guidance
Stresses Need for MFA, Stronger Access Controls
This story has been updated to include additional commentary.
The Federal Financial Institutions Examination Council has issued updated guidance advising banks to use stronger access controls and multifactor authentication. Some experts say that while not fundamentally groundbreaking, the updated guidance is still "long overdue."
The document replaces FFIEC guidance issued in 2005 and 2011. It does not impose any new regulatory requirements.
The FFIEC, an interagency body comprising five government regulators that creates standards for the federal examination of financial institutions, acknowledges the need for effective authentication to protect information systems, accounts and data as the threat landscape changes. The guidance provides banks with security recommendations for customers, employees and third parties accessing digital services.
The FFIEC reminds banks and customers that weak access controls - such as single-factor authentication - and inadequate risk assessments expose financial data to immense risk.
The guidance also "recognizes that authentication considerations have extended beyond customers, and include employees, third parties and system-to-system communications."
The FFIEC document points to the need for:
- Defined "layered security" practices;
- Comprehensive risk assessments to determine appropriate access;
- Monitoring, logging and reporting activity to identify and track unauthorized access;
- Controls for email systems and internet access.
The FFIEC says the potential attack surface for financial institutions has expanded "with the evolution of new technologies and broadly used remote access points." It cites the proliferation of mobile computing, smart phone applications and "bring your own" devices.
"These technologies and access points provide attackers with more opportunities to obtain unauthorized access, commit fraud and account takeover or exfiltrate data," the guidance states.
Authentication risks arise from expanded remote access to IT systems, other third parties - such as cloud service providers - now accessing systems, and the use of application programming interfaces, the FFIEC says.
"Attackers use technologies, such as automated password cracking tools, and compromised credentials in their attacks against financial institutions," the guidance states. "Older or unsupported information systems may be especially vulnerable to attacks because security patches and upgrades for authentication controls can be more difficult to obtain."
Multifactor authentication, the guidance states, is "an effective practice to secure against financial loss and data compromise caused by various threats." Combining MFA with network segmentation and least privilege user access - in which users are given only the minimum level of access their roles require - can help mitigate the risks, it says.
A risk assessment must be conducted before implementing new financial services, such as faster payments, the FFIEC notes.
Effective assessment practices include:
- Creating an inventory of information systems, including hardware, operating systems, applications, infrastructure devices, APIs, data and other assets requiring authentication/access controls;
- Identifying customers engaged in high-risk transactions;
- Identifying threats, including malware/ransomware, man-in-the-middle attacks, credential abuses and phishing attacks;
- Assessing controls, including reviewing their design and effectiveness.
The FFIEC emphasizes the importance of "layered" controls, which can compensate for potential weaknesses elsewhere. These include: MFA, user time-out, system hardening, network segmentation, monitoring processes and transaction amount limits.
"Authentication controls with increased strength have been shown to be effective for customers and users engaged in high-risk transactions and activities," the FFIEC says.
Multifactor authentication can mitigate several risks associated with unauthorized access, the guidance points out. Even as remote access expands, requiring MFA for user credentials can improve the security of those access channels.
Customer awareness programs, the FFIEC states, "can complement the layered security controls implemented to protect customers and can lower access and authentication risks."
These programs, it adds, can help users determine the legitimacy of third-party communications and understand existing controls, account monitoring processes, external threats - such as phishing and mobile-based Trojans - and legal recourse in the event of a breach.
Helpful But Overdue
John Ackerly, former associate director of the National Economic Council at the White House, says the guidance is "long overdue" and particularly crucial with the introduction of third-party access in the cloud era.
Commenting on combating online fraud and protecting the integrity of sensitive data, Ackerly adds: "The good news is that the White House and industry groups are starting to address this - including within President Biden's executive order on cybersecurity" (see: OMB Spells Out Agencies' Cybersecurity Timelines).
Ackerly, co-founder and CEO of the security firm Virtru, says that Secure Access Service Edge, or SASE - a cloud service networking and security strategy aimed at the user or endpoint - is the "way the world is going," and multifactor authentication is one piece of the puzzle in "fine-grained control over who's accessing what."
Kim Phan, privacy and data security partner at the law firm Ballard Spahr, adds: "The new guidance more fully recognizes the complexity of the financial services ecosystem. Whereas prior guidance focused on authenticating the identity of customers, the new guidance recognizes that there are many other users of any one financial institution's systems."
Phan says that the inclusion of multifactor authentication in each iteration of the guidance "demonstrates how this continues to be an important tool to mitigate risk, but is also continuously evolving."
'Expect a Push Down'
Similarly, Andrew Baer, chair of the technology, privacy and data security practice at the law firm Cozen O'Connor, says while not particularly "revolutionary," the FFIEC's latest guidance "recognizes that the threat landscape and sources of risk have evolved, and access and identity are more holistic considerations."
Baer says that while many financial institutions have already implemented these overarching security controls, the guidance "hammers home" the need for "strong authentication."
"[It is particularly] helpful for smaller institutions that may lack [robust] legal, compliance and in-house IT teams," adds Baer. "With smaller institutions, [these types of updates often] do not get highlighted unless there is new guidance."
Additionally, while guidance from the U.S. banking regulators may model best practices worldwide, Baer says this update in particular had a lot of ground to cover - since the previous issuance was a decade ago - and thus does not fundamentally alter the view of current practices. That's especially true in areas of the world with strong data security and privacy regimes, including Europe, he says.
Still, Baer says the guidance "closes the door" on the argument that some enterprises can delay the implementation of thorough security controls.
Crystal N. Kaldjob, Jeremy R. Mandell and Rachel Ross, attorneys at the firm Morrison & Foerster, which represents technology and fintech firms, say: "The updated guidance comes at a time of heightened regulatory scrutiny regarding cybersecurity and the potential impact on the country's financial sector."
They say with its update, the FFIEC acknowledges the current threat landscape and "reinforces the need for financial institutions to effectively authenticate customers."
"These FFIEC positions are not surprising in light of (1) the myriad of information security standards in use in the market and (2) financial institutions' use of, and partnership with, third parties (e.g., data aggregators) to provide authentication and access services," the Morrison & Foerster attorneys say in a recent post.
"Fintechs working with financial institutions should expect a push down of enhanced authentication and access requirements," Kaldjob, Mandell and Ross note.