How Banks Can Respond to New FFIEC Guidelines

The Federal Financial Institutions Examination Council (FFIEC) recently announced new guidelines for 2021 ― the first update in a decade. The new guidelines aim to bring clarity to what effective risk management principles look like in a financial institution setting. 

You can review the entire set of guidelines, Authentication and Access to Financial Institution Services and Systems, or keep reading for our highlights of the new FFIEC guidelines and best practices for how banks can respond and adapt.

What’s Included in the New FFIEC Guidelines?

Previous FFIEC guidelines focused on authentication of customers in the online banking environment. These guidelines were later updated to reflect the high-risk nature of all online transactions, with layered authentication controls remaining key.

The new FFIEC guidelines align with today’s fraud and risk technologies that declassify all online transactions and access as being high-risk. Modern tools allow financial institutions to take a more nuanced approach to identifying online risks.

Some of the areas addressed include:

• Conducting a risk assessment on all customers for authentication and access to digital banking systems
• Verifying the identity of customers and users
• Identifying customers engaged in high-risk transactions that require enhanced controls, such as multi factor authentication
• Evaluating the effectiveness of enhanced controls
• Implementing layered security to reduce unauthorized access
• Logging, monitoring, and reporting suspicious activities 
• Identifying and mitigating risks related to email systems, internet access, and access to a financial institution’s information systems

The FFIEC also named specific access and authentication controls that banks should consider employing, including device-based authentication, limits on log-in attempts, and single-use passwords. 

The guidelines state that this is not intended to serve as a framework. However, it does provide a good starting place for exploring risk management principles and practices.

The Next Step Under FFIEC Requirements

Understanding the guidance provided by the FFIEC is the first step. The next priority is to decide the best ways to apply it. 

Now is a good time to reassess your existing authentication and access frameworks and evaluate how they align with the new guidance. 

For example, one key area is to increase scrutiny on internal users and third-party vendors. With access to critical information systems, banks need to apply the same level of authentication internally as they do to their customers.

Education and ongoing risk assessments will also play a role. The risk landscape and criminals’ approaches continue to evolve, which means your security measures must adapt over time, too. Independent risk assessments can help FIs gain a different perspective and ensure no gaps are left behind.

How DataVisor Helps Banks Align with FFIEC Guidelines

As a comprehensive fraud and risk management tool, DataVisor helps financial institutions to maintain a high level of security and risk management. DataVisor ingests data from multiple sources and enriches it with machine learning to develop deeper, specific insights. 

With the ability to find unknown connections and monitor millions of data points in real time, banks can apply authentication best practices across the enterprise to maintain high security standards for internal members and third-party vendors alike.

Learn more about how DataVisor is contributing to a safer financial industry.