The Federal Financial Institutions Examination Council (FFIEC) members today advised financial institutions, consistent with existing regulatory expectations, to actively manage the risks associated with interbank messaging and wholesale payment networks. In a statement, the FFIEC also stressed that financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment networks, including risk assessment; authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.

The joint statement notes that recent cyber attacks have targeted interbank messaging and wholesale payment functions at financial institutions to originate unauthorized transactions. These unauthorized transactions may subject a bank that originates such transactions to losses and compliance risk.  This statement does not contain new regulatory expectations. It is intended to alert financial institutions to specific risk mitigation techniques related to cyber attacks exploiting vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks.

Financial institutions may find additional information on risk management and cybersecurity threat management on the FFIEC’s website at http://www.ffiec.gov/cybersecurity.htm. The joint statement may be found athttp://www.ffiec.gov/press/PDF/Cybersecurity_of_IMWPN.pdf.

Credit unions should review their risk management practices (including services provided to clients) and refer to the appropriate FFIEC IT Examination Handbook booklets referenced in this statement for information on regulatory expectations regarding IT risk management. Credit unions should also review and adhere to the technical guidance issued by payments and settlement networks for managing and controlling risks to critical systems.