OCC Bulletin 2021-36 | August 11, 2021

Information Security: FFIEC Statement on Authentication and Access to Financial Institution Services and Systems

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC), along with the other Federal Financial Institutions Examination Council (FFIEC) members,¹today issued guidance addressing authentication and access to financial institution services and systems. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.

The FFIEC guidance provides risk management principles and practices that support a financial institution’s authentication of (1) users accessing financial institution information systems, including employees, board members, third parties, and other systems, and (2) consumer and business customers accessing digital banking services.

Rescissions

The guidance replaces the FFIEC members’ 2005 guidance, “Authentication in an Internet Banking Environment,” and 2011 guidance, “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are OCC Bulletin 2005-35, “Authentication in an Internet Banking Environment: Interagency Guidance,” and OCC Bulletin 2011-26, “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively.

Note for Community Banks

The guidance applies to community banks.²

Highlights

The guidance highlights

the current threat environment, including attacks that leverage compromised user and customer credentials.
the importance of a risk assessment to determine appropriate access and authentication practices for a wider range of users, including customers, employees, third parties, and system and service accounts.
the adoption of layered security as an important security practice and the weaknesses in single factor authentication.
how multifactor authentication or controls of equivalent strength can effectively mitigate customer and user unauthorized access.
the role of monitoring, logging, and reporting to determine whether attempted or realized unauthorized access to information systems and accounts has occurred and to facilitate timely response and investigation of unauthorized activity.
examples of controls used to address risks associated with email systems and internet browsers.
risks associated with call center and information technology help desk authentication.
inclusion of risks associated with data aggregators and other customer-permissioned entities into a bank’s risk management program.
a comprehensive customer awareness program that complements layered security controls and educates customers about a range of authentication risks and other security considerations when using digital banking services.
verification methods to help reduce risk when establishing new customer accounts and when access is first requested for new users of information systems.

The guidance appendix includes examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management.

Further Information

Please contact Norine Richards, Director of Bank Information Technology Policy, or Kevin Greenfield, Deputy Comptroller for Operational Risk, at (202) 649-6550.

Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy