The Federal Financial Institutions Examination Council (FFIEC) recently published guidance for financial institutions that offer digital banking services. The guidance, titled Authentication and Access to Financial Institution Services and Systems, aims to provide examples of effective risk management principles and practices for authentication and access by users of digital banking services and financial institution systems. Its primary recommendation is to use multi-factor authentication (MFA) as part of a layered security program.
The FFIEC guidance comes at a time when financial institutions are increasingly exposed to data breaches. The COVID-19 pandemic ushered in an era of expanded remote access to information systems and increased use of cloud services. These trends, combined with more sophisticated and evolving intrusion methods, leave users and customers more vulnerable to attack. According to the FFIEC, they have also shown that single-factor authentication is not sufficient to provide institutions and customers with robust security.
In light of this emerging threat landscape, the FFIEC recommends that financial institutions first conduct a risk assessment of emerging authentication threats. Examples of effective risk assessment practices include taking an inventory of information systems, taking an inventory of digital banking services, identifying customers involved in high-risk transactions, and identifying high-risk users. Data from customer fraud reports, cybersecurity monitoring, and customer service can help organizations identify which controls need improvement.
The FFIEC then recommends implementing layered security controls. Layered controls compensate for potential weaknesses in any single control by combining several preventive, detective, and corrective controls. Layered security controls can include MFA, user session timeouts, system hardening, network segmentation, monitoring processes, and transaction amount limits. Together, these controls mitigate the inherent security risks of providing digital banking services.
The FFIEC guidance highlights MFA as a particularly effective security measure. MFA requires more than one distinct authentication factor and can draw on memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometric identifiers, or cryptographic keys. While some MFA factors are vulnerable to attack, the use of hardware-based and cryptographic factors can reduce the success of such attacks. The guidance also notes that MFA solutions may vary based on the differing risks of different services and customers.
Finally, the FFIEC recommends a comprehensive customer awareness program that educates customers about authentication risks when using digital banking services. Such a program would explain to customers how to determine the legitimacy of communications from the financial institution, what security controls the institution has in place, and how transaction alerts work. The guidance notes that failing to market digital banking services in a way that is consistent with the institution’s security risks could lead to compliance issues.