Research Assistant Newsletter, sponsored by Provana

Welcome to the Research Assistant Weekly Newsletter - a subscriber-only resource for insight into emerging compliance challenges, details on peer calls, and links to new Research Assistant reports, documents, tools, and more.


Sponsored by TCN and Finvi


Please complete our Research Assistant Survey: Help Us, Help You!


2022 has seen the release of new and more restrictive multi-factor authentication requirements in the financial industries, including:

  • The FTC Safeguards rule requires covered financial institutions to implement multi-factor authentication for anyone accessing customer information.

  • PCI 4.0 Requirement 8.4 requires that all users accessing the Cardholder Data Environment be authenticated using multi-factor authentication.

What is multi-factor authentication? Multi-factor authentication, or MFA, is an authentication method in which a user is granted access to a website, network, or application only after successfully presenting two or more pieces of evidence (or factors).

The FTC Safeguards rule and the PCI Security Standards Council define acceptable evidence as at least 2 of these 3 factors:

  • Knowledge factor (something only the user knows such as a password or PIN)

  • Possession factor (something only the user has such as a third-party authenticator app, a token, or a USB hardware device)

  • Inherence factor (something only the user is, such as a fingerprint)

Factors must be independent of each other to be considered multi-factor. This means that no factor can depend on access to any other factor, so that if one is compromised, the breach does not affect the integrity or confidentiality of the others.

Example: You use your smartphone (possession factor) to receive an authentication code, which you enter together with a username and password (knowledge factor) to access a laptop. If your password were discovered or captured, it would not lead directly to access to the laptop unless the attacker could also intercept or access the authentication code.

Ultimately, MFA protects networks and user data (which may include personal identification or financial assets) from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.




Upcoming Webinars / Other Announcements:

  • Reminder: Send any topics or questions that you want to discuss to sara@insidearm.com by Thursday to ensure they make it onto our agenda!