FFIEC Guidance (medium)

Industry-Wide

On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) released updated guidance on authentication and access to internet-based financial services. The guidance calls on financial institutions to conduct thorough risk assessments and implement layered security controls, including multi-factor authentication, to protect against unauthorized transactions. It also addresses customer waiver provisions related to liability under UCC Article 4A, noting that courts view compliance with the guidance as a factor in determining commercially reasonable security procedures. For BaaS platforms and sponsor banks, this guidance is significant because it reinforces the expectation of robust authentication controls across all digital banking channels, including those offered through fintech partnerships. Institutions relying on third-party fintech platforms to deliver internet-based services must ensure their authentication frameworks meet these updated standards.

Verified from source: On August 11, 2021, the FFIEC issued new guidance titled 'Authentication and Access to Financial Institution Services and Systems,' replacing prior authentication guidance from 2005 and 2011. The guidance addresses risk management principles for electronic funds transfer authentication, emphasizing multi-factor authentication, layered security, and customer waivers to mitigate unauthorized transaction liability.

Implications
  1. BaaS platforms and sponsor banks must review authentication controls across fintech partner channels for compliance
  2. Failure to adopt layered security could expose banks to liability in unauthorized transaction disputes
  3. Courts may reference the FFIEC guidance as a benchmark for commercially reasonable security in litigation involving BaaS-delivered services