FFIEC Recommends Multi-Factor Authentication for Digital Banking Services

The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance for financial institutions providing digital banking services. The guidance, titled Authentication and Access to Financial Institution Services and Systems, aims to provide those providing digital banking services and financial institution systems with examples of effective risk management principles and practices for access and authentication.  Its primary recommendation is the use of Multi-Factor Authentication (MFA) as part of a layered security apparatus.

The FFIEC’s guidance comes at a time when financial institutions are increasingly vulnerable to data breaches.  The COVID-19 pandemic ushered in an era of expanded remote access to information systems and increased use of cloud services.  These trends, combined with more sophisticated and evolving methods of infiltration, heighten users and consumers’ exposure to attack.  They have also, in the FFIEC’s view, shown the inadequacy of single-factor authentication to provide institutions and customers with robust security.

In the face of this new threat landscape, FFIEC first recommends that financial institutions conduct a risk assessment of emerging authentication threats.  Examples of effective risk assessments include: conducting an inventory of information systems; conducting an inventory of digital banking services; identifying customers engaged in high-risk transactions; and identifying users and/or high-risk users. Data from customer fraud reports, cybersecurity, and customer service can help firms determine those controls in need of improvement.

The FFIEC then recommends the implementation of layered security protocols.  These protocols, by incorporating multiple preventative, detective, and corrective controls, are designed to compensate for potential weaknesses in any one control.  Layered security controls may include MFA, user time-out, system hardening, network segmentation, monitoring processes, and transaction amount limits.  Together, these controls mitigate the inherent security risks involved in providing digital banking services.

The FFIEC’s guidance singles out MFA as a particularly effective security measure.  MFA requires more than one distinct authentication factor and may include memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometrics identifiers, or cryptographic keys.  Although certain MFA factors are susceptible to attacks, such attacks can be diminished by using hardware and cryptographic factors.  The guidance also notes that MFA solutions may vary depending on different risks presented by various services and customers.

Finally, the FFIEC recommends a comprehensive customer awareness program to educate customers about authentication risks when using digital banking services.  Such a program would explain to customers how to determine the legitimacy of communications from the financial institution, the institution’s security controls, and transaction alerts.  The guidance notes that failing to market digital banking services consistent with the institution’s security risks could raise legal compliance issues.