OCC Bulletin 2021-36 | August 11, 2021
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC), along with the other Federal Financial Institutions Examination Council (FFIEC) members,¹ today issued guidance addressing authentication and access to financial institution services and systems. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.
The FFIEC guidance provides risk management principles and practices that support a financial institution’s authentication of (1) users accessing financial institution information systems, including employees, board members, third parties, and other systems, and (2) consumer and business customers accessing digital banking services.
The guidance replaces the FFIEC members’ 2005 guidance, “Authentication in an Internet Banking Environment,” and 2011 guidance, “Supplement to Authentication in an Internet Banking Environment.” Also rescinded are OCC Bulletin 2005-35, “Authentication in an Internet Banking Environment: Interagency Guidance,” and OCC Bulletin 2011-26, “Authentication in an Internet Banking Environment: Supplement,” which conveyed the 2005 and 2011 guidance, respectively.
The guidance applies to community banks.²
The guidance highlights
The guidance appendix includes examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management.
Please contact Norine Richards, Director of Bank Information Technology Policy, or Kevin Greenfield, Deputy Comptroller for Operational Risk, at (202) 649-6550.
Grovetta N. Gardineer, Senior Deputy Comptroller for Bank Supervision Policy
1 The FFIEC comprises the principals of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee.
2 “Banks” refers collectively to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.