An official website of the United States government

FDICconnect Business Center

The FDICconnect Business Center is the secure Internet portal for FDICconnect Business Partners to conduct business and exchange information with FDIC.


Frequently Asked Questions (FAQ)

This document is intended to provide answers to some commonly asked questions regarding FDICconnect. Additional assistance may be obtained by contacting your FDIC Point of Contact (FDIC POC) or the FDICconnect Help Desk. You may contact the FDICconnect Help Desk via the Contact Us link.

  1. What is FDICconnect?

    FDICconnect is the Internet channel for invited institutions to conduct business and exchange information with the FDIC. The secure web site is maintained and operated by the FDIC.

  2. Do I need any special equipment or software to use FDICconnect?

    To use FDICconnect, we recommend using Internet Explorer 11 or higher for Windows or Google Chrome version 78.0. The application may be used with other browsers and operating systems, but has not been tested with them. If you are receiving an error message concerning FDICconnect access, please contact the FDICconnect Help Desk via the Contact Us link.

  3. I need access to FDICconnect. What do I do?

    FDICconnect is accessible only if your institution is a member of the FDICconnect system and you have an account (email address and password). To register for an account, you will need to complete the FDICconnect registration process by contacting your FDIC POC.

  4. I am having trouble with FDICconnect. Who should I contact?

    If you are experiencing transmission issues or other FDICconnect problems, you should contact the FDICconnect Help Desk via the Contact Us link.

  1. When the system is not responding to my Email and Password, what should I do?

    The account holder should ask the FDICconnect Help Desk, via the Contact Us link, to unlock the account. Please note in your request if you were locked out while trying to answer the secret question on the password reset screen.

  2. I forgot my password. How can it be reset?

    If you have forgotten your password, it can be reset by following these instructions:

    • Click on the Forgot Password link on the FDICconnect Sign In page.
    • Provide your email address.
    • Click the Submit button.
    • Provide the answer to your secret question. The field is not case sensitive.
    • Access the secured link that is sent via email from FDICconnect.
    • Create a new password. (Passwords MUST meet 3 of the 4 requirements listed and cannot contain your first or last name.)
    • Click the Submit button.

    You should see a screen confirming your password change.

Security and Privacy

FDICconnect is a secure Internet channel for FDIC-insured institutions to conduct business and exchange information with the FDIC. The secure web site is maintained and operated by the FDIC.

You have accessed a computer system owned and operated by the Federal Deposit Insurance Corporation (FDIC). This system may be accessed and used only as authorized by the FDIC. Persons or entities that access this system without authorization may be subject to criminal prosecution. This computer system may be monitored by the FDIC, and all information placed on or sent over this system may be copied, used, or disclosed by the FDIC for all lawful purposes.

Financial institutions are required to manage their relationships with their vendors and service providers to ensure that bank-owned data and customer information (e.g. PII) is adequately protected when entrusted to third parties. This requirement includes using systems for transmitting data to the FDIC. Use of third-party solutions to communicate with the FDIC may be considered by the institution when those systems are addressed as part of the institution's vendor management program [1], and adequately vetted and assessed for risk as required by the Interagency Standards for Information Security [2] implementing the customer safeguards requirements under the Gramm-Leach-Bliley Act (GLBA). There are many third-party data storage and sharing solutions that were not developed with the intent of complying with the rigorous requirements under GLBA. Use of non-compliant third-party systems to share sensitive information with the FDIC may subject the institution to supervisory criticism.

To facilitate secure storage and exchange of supervisory and examination materials, the FDIC created FDICconnect. All financial institutions supervised by the FDIC have access to this system. FDICconnect is deemed compliant with supervisory guidance for protecting sensitive information when conducting business with the FDIC.

What is FDICconnect?

FDICconnect (FCX) provides a secure channel for financial institutions, state banking authorities and other organizations to conduct online business with the FDIC. All insured financial institutions are required to register with FCX to download their quarterly deposit insurance assessment statements. The FDIC encourages financial institutions to use FCX to conduct other online business.

Is FCX secure?

Data exchanged via FCX is securely maintained in FDIC information systems (including cloud-hosted FDIC systems) rated at the Federal Information Security Management Act (FISMA) "moderate" risk level. To protect these systems, the FDIC uses a defense in depth approach supported by an alignment to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, FISMA requirements, Federal Risk and Authorization Management Program (FedRAMP) assessments and authorizations, and FDIC-wide directives that guide the operations, roles, and responsibilities of employees and contractors. Among other security controls, FCX leverages two-factor authentication:

  • Two-Factor Authentication

    FCX uses two-factor authentication to maintain secure access to the system by providing an additional level of security for all institution information contained in FCX (such as ACH account information and Risk Classification Ratings). Two-factor authentication is required for all external users to access FCX as part of the login process; each user of FCX utilizes a token and one-time password (OTP) for each login to the system. After entering the username and password, users are directed to a two-factor authentication login process that requests the OTP to gain access.

Below is a subset list of additional security controls deployed within FDIC's environment at different layers that are continuously assessed and reviewed:

  • Network Controls

    The FDIC has layered controls that ensure a strong perimeter through application and network layer firewalls. The FDIC participates in the federal Einstein program and other federal and commercial services that protect our data and update indicators of compromise that may indicate an attempt to exfiltrate personally identifiable information (PII) or other sensitive information. The FDIC participates in the weekly Department of Homeland Security (DHS) scanning program for Internet-facing systems. The FDIC uses email filtering and secure email transport protocols to ensure the veracity of email being sent into the FDIC to avoid breaches of PII and other sensitive information that can occur from phishing schemes. The FDIC also has tools that inspect email to identify malicious attachments and safely detonate possible malware prior to it being delivered to end users. The FDIC makes extensive use of secure protocols like Transport Layer Security (TLS) [3] to ensure that sensitive information being transmitted is encrypted during transmission.

  • Access Controls

    The FDIC has an advanced provisioning system, and access to systems must be approved through defined workflow processes prior to that access being authorized. The FDIC also performs access recertification for our systems containing sensitive information at least annually, requiring managers and system owners to re-certify the access privileges of users within their systems. All access granted is logged and monitored to prevent unauthorized access. For internal users, the FDIC requires personal identity verification (PIV) cards for login to its systems, making two-factor authentication a standard for domain authentication.

  • Privacy Impact Assessments

    In accordance with federal regulations and mandates [4], the FDIC conducts Privacy Impact Assessments (PIAs) on systems, business processes, projects and rulemakings that involve an electronic collection, creation, maintenance or distribution of PII. The objective of a PIA is to identify privacy risks and integrate privacy protections throughout the development life cycle of an information system or electronic collection of PII. A completed PIA also serves as a vehicle for building transparency and public trust in government operations by providing public notice to individuals regarding the collection, use and protection of their personal data.

  • Integrity Protection

    The FDIC has deployed file integrity monitoring for key files used by applications that process sensitive information. This ensures that information technology staff are promptly notified if critical application and configuration files are corrupted by malware or altered by an unauthorized source. The FDIC has implemented application white-listing and blocking of downloadable executable content from the Internet to ensure that only authorized software runs and that FDIC employees do not fall prey to internet attacks. The FDIC subscribes to services that rate the content and safety of websites; access to any "bad" sites or to sites that have not yet been categorized is blocked. This control interrupts the kill-chain for phishing attacks and protects against watering-hole attacks [5] that may otherwise result in information exfiltration.

  • Continuous Monitoring

    The FDIC has a 24x7 security operations center (SOC) that is kept informed by its subscriptions to threat intelligence resources and its participation in the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FDIC has a sophisticated security information monitoring platform consisting of multiple tools which are integrated into a single operations center where events that may indicate a threat to FDIC-hosted information are identified, researched, addressed and closed in a timely manner.

  • Incident Management

    The FDIC has a dedicated incident response coordinator and incident response team. We have specific breach procedures for PII, and documented incident response processes that include escalation and reporting paths for the United States Computer Emergency Readiness Team (US-CERT) for other security incidents, and for reporting to Congress as required by OMB, DHS, and NIST guidance.

 

1FFIEC IT Examination Handbook, Outsourcing Technology Services: https://ithandbook.ffiec.gov/

2FDIC Rules and Regulations, Part 364, Appendix B; FIL 22-2001, Customer Information Security Standards; FIL-44-2008 Third-Party Risk Guidance for Managing Third-Party Risk

3TLS is a cryptographic protocol that is designed to provide communications security over a computer network.

4For example: Section 208 of the E-Government Act of 2002 requires federal government agencies to conduct a Privacy Impact Assessment (PIA) for all new or substantially changed technology that collects, maintains, or disseminates personally identifiable information (PII). The Privacy Act of 1974 imposes various requirements on federal agencies whenever they collect, create, maintain, and distribute records that can be retrieved by the name of an individual or other personal identifier, regardless of whether the records are in hardcopy or electronic format.

5Watering hole is a computer attack strategy, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.

The FDIC is strongly committed to maintaining the privacy of your personal information. The following discloses our information gathering and dissemination practices for this site. The information the FDIC receives depends upon your actions when visiting the Corporation's web site.

Information Collected About Your Visit to the Web Site

The FDIC automatically collects and stores the following information about you when you visit our Web site:

  • The date and time the request was received.
  • Your Internet Protocol (IP) address, or the proxy address of your Internet Service Provider (e.g. AOL, CompuServe, and so on).
  • The name and IP address of the FDICconnect server that received and logged the request.
  • The resource on an FDICconnect server accessed as a result of the request, such as the Web page, image, and so on.
  • The query in the request. This field captures any criteria or parameters issued with a query, such as a company name or insurance certificate number.
  • The name and version of your Web browser (e.g. Netscape 4.0).
  • The content of any sent or received cookie.
  • The Uniform Resource Locator (URL) that was accessed before the user made a request for FDICconnect's Web server. The URL may be an outside address that is not related to the FDICconnect server.
  • Other status codes and values resulting from the Web server responding to the request received: HTTP status code, Windows NT code, number of bytes sent, number of bytes received, duration (in seconds) to fulfill the request, server port number addressed, and protocol version.

FDICconnect uses a "cookie", which is a file placed on your computer hard drive, that allows the FDICconnect web server to log the pages you use in the FDICconnect site and to determine if you have visited the site before. The cookie captures no personally identifying information. The FDICconnect server uses this information to provide certain features during your visit to the Web site. You can set your browser to warn you when placement of a cookie is requested, and decide whether or not to accept it. If you reject a cookie, some of the features available on the site may not function properly.

Other than the automatic data collection described above, this site collects no personally identifying information. The sole exception is when you knowingly and voluntarily provide information, such as when you provide contact information on the Evaluate Our Site form, available to FDICconnect institutions. The exception also applies to your use of the FDICconnect Business Center, for which you must have a login account (email address) and password.

The FDIC uses the information we collect for internal system administrative purposes to measure the volume of requests for specific web site pages, and to continually improve the FDICconnect Internet site to be responsive to the needs of users. Your choice to use the FDICconnect Web site or to send electronic mail to FDIC will be considered your consent for the FDIC to use the information collected therefrom as stated in this notice.

Intrusion Detection Monitoring

This government computer system employs software security programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Such attempts are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.

Information Collected From You

You may decide to send the FDIC information, including personally identifying information. The information you supply - whether through a secure Web form, a standard Web form, or by sending an electronic mail message - is maintained by the FDIC for the purpose of processing your request or inquiry. The FDIC also uses the information you supply in other ways to further the FDIC's mission of maintaining stability and public confidence in the nation's banking system.

Various employees of the FDIC may see the information you submit in the course of their official duties. The information may also be shared by the FDIC with third parties to advance the purpose for which you provide the information, including other federal or state government agencies. For example, if you file a complaint, it may be sent to a financial institution for action, or information may be supplied to the Department of Justice in the event it appears that federal criminal statutes have been violated by an entity you are reporting to the FDIC. The primary use of personally identifying information will be to enable the government to contact you in the event we have questions regarding the information you have reported.

Under certain circumstances, the FDIC may be required by law to disclose information you submit to the Corporation, for example, to respond to a Congressional inquiry or subpoena. If you register with an FDIC online mailing list, the information you provide may also be used to send you FDIC communiqués or notify you about updates to our web site.

When you choose to send e-mail to the FDIC you are consenting to the FDIC using the information provided therein, including personally identifying information, in accordance with this notice, unless you expressly state in the e-mail your objection to any uses. As required by federal law, Privacy Act statements are located on this web site. Additional notifications are provided in the FDICconnect Business Center regarding use of that secure site.

Contacting the FDIC About This Web Site

If you are concerned about how information about you may have been used in connection with this web site, or you have questions about the FDIC's privacy policy and information practices, you should contact:

FDICconnect
Room VS-5240
3501 Fairfax Drive
Arlington, VA 22226

E-mail: fdicconnect@fdic.gov

Electronic mail is not necessarily secure. You should be very cautious when sending electronic mail containing sensitive, confidential information. As an alternative, you should give consideration to sending it by postal mail.