If your last exam included a question about "who has access to what and why," that wasn't a one-off. It traces back to a specific piece of interagency guidance, and examiners have been leaning on it consistently since it was issued. Here's what it actually says, and what an examiner is likely checking for when they ask about it.

The guidance behind the question

In 2021, the FFIEC — jointly representing the OCC, FDIC, Federal Reserve, and NCUA — issued interagency guidance on Authentication and Access to Financial Institution Services and Systems. The headline change was scope: access-risk expectations were extended beyond customers to employees, vendors, third parties, service accounts, and devices. In other words, "access" no longer just means online banking logins. It means every account, human or non-human, that can touch a system tied to customer or financial data.

The FFIEC IT Examination Handbook applies these same expectations regardless of your primary regulator, since the handbook is adopted jointly across agencies. So whether you're OCC, FDIC, Federal Reserve, or NCUA-supervised, the underlying expectation is the same.

Four things examiners are actually checking

1. Have you identified every user and system in scope?

The guidance calls for a risk assessment that identifies all users, systems, and digital banking services requiring authentication controls. Examiners will ask how you arrived at your list of in-scope systems — and whether that list includes ancillary and legacy applications, not just your core platform.

2. Is access assigned on a least-privilege basis?

Least-privilege provisioning means access matches role and need, nothing more. Examiners look for a documented process for granting, changing, and revoking access — including for vendors and third parties, not just employees.

3. Is recertification periodic, not one-time?

A cleanup performed the week before an exam reads very differently from a standing quarterly or semi-annual review cadence with evidence of sign-off. Examiners specifically look for repeatability — can you show the same process ran last cycle, and the cycle before that?

4. Is de-provisioning prompt?

Terminated employees and offboarded vendors are a frequent finding. Examiners will often sample a handful of departures and check how quickly access was removed across every connected system, not just the core platform or email.

The theme across all four questions is the same: examiners aren't just asking whether you have access controls. They're asking whether you can prove it, repeatably, across every system — not just the one that's easiest to pull a report from.

What this means for your next exam

If your current process depends on manually exporting user lists from each system and reconciling them in a spreadsheet, the process itself isn't necessarily a finding — plenty of institutions still run this way. The risk is repeatability and coverage: can you produce the same evidence, for every system, on a predictable schedule, without a scramble each time.

Bring your last exam's access-review questions to a walkthrough

We'll show you what a cross-system access report looks like when it's generated from a single connected view instead of assembled by hand.

Related reading

Sources: FFIEC, Authentication and Access to Financial Institution Services and Systems (2021); FFIEC IT Examination Handbook InfoBase.