Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990
January 16, 2020
Memorandum to: Samuel Wice
Policy Analyst
Office of Information and Regulatory Affairs
Office of Management and Budget
Executive Office of the President
From: Manny Cabeza
Regulatory Counsel
Assessments and Legislation Group
Legal Division
Federal Deposit Insurance Corporation
RE: Federal Financial Institutions Examination Council 2020 Authentication Forum
The FDIC, on behalf of the Federal Financial Institutions Examination Council (FFIEC) and its constituent federal agencies, is requesting approval of a generic qualitative survey under its currently approved “Information Collection for Qualitative Research” (OMB Control Number 3064-0198) for the FFIEC’s 2020 Information Technology Authentication Forum. The FFIEC’s Authentication in an Internet Banking Environment was last updated in 2011. During the last decade, the cybersecurity threat landscape and authentication technologies have evolved. There are reports in recent years that customer accounts have been compromised by phishing, credential stuffing, and other attack methods that exploit weaker authentication controls. During the last decade, there has also been an increase in third-party access to financial institutions’ electronic banking systems, such as via customer permissioned data aggregators and third-party application program interfaces.
The FDIC and the FFIEC are hosting this Authentication Forum in order to obtain views from a range of stakeholders regarding current and evolving authentication risks and controls.
The FFIEC and the Member Agencies will use information from the Authentication Forum, as well as other information and supervisory experience, to consider in 2020 whether to update the Authentication Guidance and/or other supervisory guidance for financial institutions.
The FFIEC and its Member Agencies are interested in the attendees’ input and views on authentication-related issues, such as:
current and evolving threat information, metrics, and attack vectors which target (i) authentication controls for customer account access, and (ii) employee/vendor authentication controls for access to financial institutions’ systems.
examples of effective authentication controls or practices to safeguard against these current and evolving threats.
examples of controls or practices that are now viewed as ineffective in light of evolved threats.
risks and controls associated with customer permissioned third parties.
changes in industry frameworks and U.S. and foreign laws impacting financial institution approaches to customer authentication and employee/vendor access authentication controls.
The qualitative survey will be administered by a facilitator at a forum attended by a focus group consisting of invited representatives from institutions supervised by the FFIEC Member Agencies, financial institution trade associations, consumer group representatives, and subject matter experts from think-tanks and consultancies. The survey will be deployed one time and the estimated burden associated with the event is as follows:
Estimated number of respondents: 70
Estimated time to respond: 6 hours
Total Estimated Annual Burden: 420 hours.
If you have any questions, please let me know. Thank you for your consideration.