FFIEC recommends multi-factor authentication for digital banking services | Weiner Brodsky Kider PC
The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance (August 2021) for financial institutions that provide digital banking services. The guidance, titled "Authentication and Access to Financial Institution Services and Systems," gives institutions and their digital banking and system providers examples of effective risk management principles and practices for access and authentication. Its central recommendation is the use of multi-factor authentication (MFA) as part of a layered security approach.
FFIEC's guidance comes at a time when financial institutions are increasingly exposed to data breaches. The COVID-19 pandemic has brought expanded remote access to information systems and greater use of cloud services. These trends, combined with more sophisticated and scalable intrusion methods, increase the exposure of institutions and their customers to attack. They have also, according to FFIEC, demonstrated that single-factor authentication is inadequate to provide institutions and customers with robust security.
Faced with this threat landscape, FFIEC first recommends that financial institutions assess the risks posed by emerging authentication threats. Examples of effective risk assessment practices include: taking an inventory of information systems; taking an inventory of digital banking services; identifying customers engaged in high-risk transactions; and identifying high-risk users and customers. Data from customer fraud reports, cybersecurity monitoring, and customer service can help institutions determine which controls need improvement.
FFIEC then recommends implementing layered security. A layered approach combines multiple preventive, detective, and corrective controls so that the weakness of any one control is compensated for by the others. Layered security controls can include MFA, user session time-outs, system hardening, network segmentation, monitoring processes, and transaction limits. Together, these controls mitigate the security risks inherent in providing digital banking services.
The FFIEC guidance singles out MFA as a particularly effective security measure. MFA requires more than one distinct authentication factor; factors can include memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometric identifiers, and cryptographic keys. Although some MFA factors are susceptible to attack, those attacks can be mitigated by using hardware-based and cryptographic factors. The guidance also notes that MFA solutions may differ according to the different levels of risk presented by various business lines and customers.
Finally, FFIEC recommends a comprehensive customer awareness program to educate customers about authentication risks when using digital banking services. Such a program would teach customers how to determine the legitimacy of communications from the institution, the institution's security controls, and transaction alerts. The guidance also notes that offering or marketing digital banking services without security controls commensurate with the institution's risk profile could raise legal and compliance issues.