Category: Quick Bytes

16 Jun 2022
E-Banking Booklet

FFIEC Cancels E-Banking Handbook

On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking. The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-Banking policy and risk assessment. In effect, the FFIEC is now declaring (admitting?) that these are no longer necessary because all the basic risk management principles that apply to E-Banking are already addressed in other Handbooks. Operational risk is addressed in the Business Continuity Management Handbook, information security risk is addressed in the Information Security Handbook, cyber risk is assessed in the Cybersecurity Assessment Tool, and third-party risk is addressed here, here, and here.

We agree with this approach, and have long held that separately addressing each new emerging or evolving technology was cumbersome, duplicative, and unnecessary. In our opinion, shifting the focus of the handbooks to basic risk management principles and best practices that apply to all business processes makes more sense and is long overdue. Could the Wholesale and Retail Payment Systems handbooks be phased out next? How about the Cybersecurity Assessment Tool? Since cybersecurity is simply a subset of information security more broadly, could we see a phase-out of a separate cyber assessment? Or, even better, could we see the Information Security Handbook include a standardized risks and controls questionnaire that covers cyber?

Admittedly this is only one less policy and one less risk assessment, but we’ll be watching this trend with great interest. Anything that can help ease the burden on overworked compliance folks is a welcome change!

17 Aug 2021
Mobile Authentication

New FFIEC Guidance for Access and Authentication

In response to an expanded cybersecurity threat landscape, the FFIEC just issued an update to agency expectations for access and authentication to financial institution products and systems. This update replaces both the 2005 and the 2011 authentication guidance, and has been extended beyond digital banking (E-Banking) customers to include everyone and everything that might have access, such as employees, third parties, and system-to-system communications. Perhaps in recognition of the highly outsourced and interconnected nature of these services, the guidance makes clear that it applies “…whether the financial institution or a third party, on behalf of the financial institution, provides the accessed information systems and authentication controls.” (Emphasis added.)

The new guidance recognizes that the potential access points by which an attacker might compromise an institution have greatly increased due to new technologies and remote access capabilities, and that, because of this, existing authentication methods (like single-factor authentication) may no longer be sufficient. It also cites recent data breaches at financial institutions as well as at their service providers, such as credit bureaus. It strongly suggests that multi-factor authentication (MFA), in combination with other layered controls like least-privilege user access, can be more effective at mitigating these risks.

As with everything else, this should be supported by a risk assessment, both prior to implementation of the service and/or authorization of access, and periodically thereafter. The assessment should include inputs enterprise-wide and from a range of business functions, and include the following elements:

  • The sources of risk, such as:
    • An inventory of all information systems and components
    • All digital products and customers, as well as all high-risk customers [1]
    • All users accessing the system, including employees, service accounts, and third parties
    • All high-risk users [2]
  • The reasonably foreseeable threats to the risk sources
  • The practices and controls employed to address the threats

Fully half of the guidance consists of an appendix with examples of practices and controls in the following areas:

  • Authentication Solutions
  • Password Controls
  • Access and Transaction Controls
  • Customer Call Centers and IT Help Desks Controls
  • Customer Controls
  • Transaction Logging and Monitoring Controls
  • System Access Controls for Users
  • Privileged User Controls
  • System and Network Design and Architecture Controls
  • Email Systems Controls
  • Internet Browser Controls

We expect that regulators will be scrutinizing your access and authentication practices, and our advice is to use this appendix, guided by the results of your risk assessment, as a checklist of controls you have either already implemented or plan to implement.

[1] High-risk customers are those that initiate high-dollar-amount and high-volume transactions, access information of greater sensitivity and amount, perform irrevocable transactions, or present a greater likelihood and impact of fraud.
[2] High-risk users are those with access to critical systems and data; privileged users, including security administrators; users with remote access to information systems; and those in key positions such as senior management.