SR 21-14:

Authentication and Access to Financial Institution Services and Systems

BOARD OF GOVERNORS
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF
SUPERVISION AND REGULATION

SR 21-14
August 11, 2021

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK

SUBJECT: Authentication and Access to Financial Institution Services and Systems

Applicability: This guidance applies to financial institutions supervised by the Federal Reserve, including those with $10 billion or less in total consolidated assets.

The Federal Reserve Board, together with the other members[1] of the Federal Financial Institutions Examination Council (FFIEC) (collectively, the agencies), has issued the attached guidance titled “Authentication and Access to Financial Institution Services and Systems” (guidance), which supersedes the guidance titled “Interagency Guidance on Authentication in an Internet Banking Environment” (SR 05-19) and the similarly titled supplement, “Interagency Supplement to Authentication in an Internet Banking Environment” (SR 11-9), issued by the FFIEC in 2005 and 2011, respectively.

This guidance acknowledges significant risks associated with the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers[2] to protect information systems, accounts, and data.

In particular, the guidance highlights risk management practices that can support oversight of user and customer identification, authentication, and access solutions as part of a financial institution’s information security program. Periodic risk assessments inform financial institution management’s decisions about the authentication solutions and controls that are deployed to mitigate identified risks. Specifically, the guidance sets forth the agencies’ view on the assessment and implementation of multi-factor authentication (MFA) processes, or controls of equivalent strength, for high-risk activities and transactions and as part of a broader layered security strategy.

Finally, the guidance is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific information security framework or standard.  The risk management principles set forth in the guidance are relevant whether the financial institution or a third party, on behalf of the financial institution, provides the accessed information systems and authentication controls.  The application of the principles and practices in the guidance may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.  

Federal Reserve examiners will take this guidance into account within the risk-focused supervision process going forward.

Reserve Banks are asked to distribute this letter to the supervised organizations in their districts and to appropriate supervisory staff. Questions regarding this letter may be sent via the Board’s public website.[3]

signed by
Michael S. Gibson
Director
Division of
Supervision and Regulation

Supersedes:
  • SR 05-19, “Interagency Guidance on Authentication in an Internet Banking Environment”
  • SR 11-9, “Interagency Supplement to Authentication in an Internet Banking Environment”
Notes:
  1. The FFIEC comprises the principals of the following: Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Consumer Financial Protection Bureau (CFPB), and State Liaison Committee (SLC).

  2. “Users” and “customers” in the guidance include: (a) users accessing nonpublic financial institution systems such as employees, third parties, service accounts, applications, and devices; and (b) consumer and business customers accessing digital banking services.

Last Update: August 12, 2021