Banking and Finance: FFIEC Compliance

Duo Security helps banks, investment funds, and other financial institutions protect their data and their customers with strong two-factor authentication. Duo integrates with servers, VPNs, and web applications to provide the security needed to comply with FFIEC and PCI standards.

Duo can be used to protect administrative access to internal systems, and can also be integrated with user-facing systems to provide two-factor authentication for banking customers. Since users can enroll themselves and register their own devices, institutions can let their customers opt-in to strong authentication.

FFIEC At a Glance

The Federal Financial Institutions Examination Council (FFIEC) is the governing body works to promote uniformity and consistency in the supervision of financial institutions, including recommendations to keep web-based financial services secure.

They provide an IT infobase outlining resources for audits, business continuity planning, e-banking, information security, retail payment systems, wholesale payment systems and more at ithandbook.ffiec.gov.

The FFIEC provides guidance on security in the retail, consumer, business and commercial online banking industry, including a risk management framework for financial institutions that offer online banking to customers.

Two-Factor Authentication and FFIEC

For online banking security controls, the FFIEC issued a supplement to their 2005 online banking authentication document in 2011, Supplement to Authentication in an Internet Banking Environment, in an effort to keep up with changes in the threat landscape, including new malware.

This document recommends creating a layered security program to authenticate customers that need to access web-based financial services.

One of those effective controls include:

The use of dual customer authorization through different access devices.

The FFIEC also states that single-factor authentication is not adequate for:

In order to guard against malicious attempts to compromise authentication methods and gain unauthorized access to customers’ online accounts, the FFIEC recommends the use of several different controls, since financial institutions shouldn’t rely solely on any single control for authorizing high risk transactions.

Some of these other controls include:

With two-factor authentication that allows users to verify logins and transactions with the use of their personal mobile devices, this satisfies the FFIEC’s recommendation for out-of-band verification. According to the supplement:

Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. Out-of-band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks.

Two-Factor Authentication for FFIEC Vendors

When a financial institution outsources services to vendors and third-parties, compliance requirements are transferred, meaning contractors need to have the same level of security internally as the financial organization they support.

Third-parties may include retail payment services that support core processing operations. Vendors should do a risk assessment of their own companies and ensure they are following recommended and best practice security guidelines given by the FFIEC.

Since two-factor authentication is recommended for financial institutions as an authentication control, it is also recommended for any vendors that support financial institutions.

FFIEC Compliance Resources

Authenticating E-Banking Customers - The FFIEC provides IT guidance in their infobase on the risk management of online banking activities by outlining the different authentication controls necessary for authentication security.
Supplement to Authentication in an Internet Banking Environment (PDF) - The FFIEC released a supplemental document to reinforce the Guidance’s risk management framework and update recommendations on customer authentication, layered security and other controls as malicious online attacks increase.
Vendor and Third-Party Management - Security recommendations from the FFIEC for financial institutions that outsource to vendors and third-parties.