FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks

The Federal Financial Institutions Examination Council (FFIEC) members today advised financial institutions, consistent with existing regulatory expectations, to actively manage the risks associated with interbank messaging and wholesale payment networks. In a statement, the FFIEC also stressed that financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment networks, including risk assessment; authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.

The joint statement notes that recent cyber attacks have targeted interbank messaging and wholesale payment functions at financial institutions to originate unauthorized transactions. These unauthorized transactions may subject a bank that originates such transactions to losses and compliance risk. This statement does not contain new regulatory expectations. It is intended to alert financial institutions to specific risk mitigation techniques related to cyber attacks exploiting vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks.

Financial institutions may find additional information on risk management and cybersecurity threat management on the FFIEC’s website at http://www.ffiec.gov/cybersecurity.htm. The joint statement may be found at http://www.ffiec.gov/press/PDF/Cybersecurity_of_IMWPN.pdf.


Credit unions should review their risk management practices (including services provided to clients) and refer to the appropriate FFIEC IT Examination Handbook booklets referenced in this statement for information on regulatory expectations regarding IT risk management. Credit unions should also review and adhere to the technical guidance issued by payments and settlement networks for managing and controlling risks to critical systems.

Passwords to access the blog posts, and the blog posts themselves, are only for NWCG owners and retained clients. These should not be shared outside of the credit union. Blog posts generally contain only a summary of any requirements, and do not represent all potential impact on the credit unions. For further details on any blog post, contact NWCG or the references cited in the blog post. The information contained on this site is provided for informational purposes only, and should not be construed as legal advice.
