connect

1. I need access to FDICconnect. What do I do?

   Because of the secure nature of the system, your institution must follow the registration process as described in the New Account Registration Instructions page.

2. Can our institution register more than one Coordinator?

   Yes. We suggest that institutions register one primary Coordinator and at least one back up for times when the primary person is unavailable due to vacation, travel, etc.

3. How many users can we register with FDICconnect?

   There is no set limit on the number of users an institution may register with FDICconnect; however, in the interest of security, we suggest that only those users who will regularly be completing transactions for the institution be given access. Permission to complete transactions may be granted or revoked on a temporary basis for users who only need to access the system occasionally.

1. What is FDICconnect?

   FDICconnect is the new Internet channel for FDIC-insured institutions to conduct business and exchange information with the FDIC. The secure web site is maintained and operated by the FDIC. You are viewing the FDICconnect system.

2. Do I need any special equipment or software to use FDICconnect?

   To use FDICconnect, you will need a browser that supports 256-bit SSL (Secure Sockets Layer) version 3/TLS. OpenSSL technology is not used for encryption and data transmission between banking institutions and the FDIC. We recommend using Google Chrome version 78.0 or Internet Explorer 11 or higher for Windows. The application may be used with other browsers and operating systems, but has not been tested with them. If you are receiving an error indicating your browser does not support the required level of SSL, you should consult your organization's technical support provider and consider upgrading your browser. For users who require a screen reader for accessibility purposes, FDICconnect supports JAWS version 5 or higher. The application may be used with other screen readers, but has not been tested with them.

3. Do I need a User ID to use FDICconnect?

   The secure business transaction site, or Business Center, is accessible only if your institution is a member of the FDICconnect system and you have an account (email address and password). To register, complete the FDICconnect registration process. For details on the registration process, visit the New Account Registration Instructions page.

   After you register, your access must be authorized by your institution's FDICconnect coordinator. Your coordinator can provide you with more information about the access process. If your institution does not currently have a Designated Coordinator, please follow the steps in the New Account Registration Instructions page.

4. I've forgotten my password. What do I do?

   You will need to reset your password. Click on the Forgot password? link on the Sign In page. You will be asked for identifying information. You will receive an email with a secured link, which will allow you to update your password.

5. I've received a message that my account is locked. What should I do?

   If your account is locked, it will need to be restored by the FDIC. Please contact the FDICconnect Help Desk via the Contact Us link. You will need to include your login email address so that we can process the request. Please do not include your password.

6. My email address has changed since setting up my FDICconnect account, can I update the email associated with my account?

   Yes, bank users can update the email addresses tied to their FDICconnect accounts. To update your FDICconnect email address, first login using your original credentials, including email address, password. Next, navigate to the User Functions section of the Business Center Menu and select Change Email. Complete the Change Email form and select Update. Use your new email address and existing password to access FDICconnect going forward.

   Please note: After updating the email address associated with your FDICconnect account, you will be prompted to setup a new multifactor authentication token upon next login.

You have accessed a computer system owned and operated by the Federal Deposit Insurance Corporation (FDIC). This system may be accessed and used only as authorized by the FDIC. Persons or entities that access this system without authorization may be subject to criminal prosecution. This computer system may be monitored by the FDIC, and all information placed on or sent over this system may be copied, used, or disclosed by the FDIC for all lawful purposes.

Financial institutions are required to manage their relationships with their vendors and service providers to ensure that bank-owned data and customer information (e.g. PII) is adequately protected when entrusted to third parties. This requirement includes using systems for transmitting data to the FDIC. Use of third-party solutions to communicate with the FDIC may be considered by the institution when those systems are addressed as part of the institution's vendor management program¹, and adequately vetted and assessed for risk as required by the Interagency Standards for Information Security² implementing the customer safeguards requirements under the Gramm Leach Bliley Act (GLBA). There are many third-party data storage and sharing solutions that were not developed with the intent of complying with the rigorous requirements under GLBA. Use of non-compliant third-party systems to share sensitive information with the FDIC may subject the institution to supervisory criticism.

To facilitate secure storage and exchange of supervisory and examination materials, the FDIC created FDICconnect. All financial institutions supervised by the FDIC have access to this system. FDICconnect is deemed compliant with supervisory guidance for protecting sensitive information when conducting business with the FDIC.

What is FDICconnect?

FDICconnect (FCX) provides a secure channel for financial institutions, state banking authorities and other organizations to conduct online business with the FDIC. All insured financial institutions are required to register with FCX to download their quarterly deposit insurance assessment statements. The FDIC encourages financial institutions to use FCX to conduct other online business.

Is FCX secure?

Data exchanged via FCX is securely maintained in FDIC information systems (including cloud-hosted FDIC systems) rated at the Federal Information Security Management Act (FISMA) "moderate" risk level. To protect these systems, the FDIC uses a defense in depth approach supported by an alignment to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, FISMA requirements, Federal Risk and Authorization Management Program (FedRAMP) assessments and authorizations, and FDIC-wide directives that guide the operations, roles, and responsibilities of employees and contractors. Among other security controls, FCX leverages two-factor authentication:

• Two-Factor Authentication

  FCX uses two-factor authentication to maintain secure access to the system by providing an additional level of security for all institution information contained in FCX (such as ACH account information and Risk Classification Ratings). Two-factor authentication is required for all external users to access FCX as part of the login process; each user of FCX utilizes a token and one-time password (OTP) for each login to the system. After entering the email address and password, users are directed to a two-factor authentication login process that requests the OTP to gain access.

Below is a subset list of additional security controls deployed within FDIC's environment at different layers that are continuously assessed and reviewed:

• Network Controls

  The FDIC has layered controls that ensure a strong perimeter through application and network layer firewalls. The FDIC participates in the federal Einstein program and other federal and commercial services that protect our data and update indicators of compromise that may indicate an attempt to exfiltrate personally identifiable information (PII) or other sensitive information. The FDIC participates in the weekly Department of Homeland Security (DHS) scanning program for Internet-facing systems. The FDIC uses email filtering and secure email transport protocols to ensure the veracity of email being sent into the FDIC to avoid breaches of PII and other sensitive information that can occur from phishing schemes. The FDIC also has tools that inspect email to identify malicious attachments and safely detonate possible malware prior to it being delivered to end users. The FDIC makes extensive use of secure protocols like Transport Layer Security³ (TLS) to ensure that sensitive information being transmitted is encrypted during transmission.

• Access Controls

  The FDIC has an advanced provisioning system, and access to systems must be approved through defined workflow processes prior to that access being authorized. The FDIC also performs access recertification for our systems containing sensitive information at least annually, requiring managers and system owners to re-certify the access privileges of users within their systems. All access granted is logged and monitored to prevent unauthorized access. For internal users, the FDIC requires personal identity verification (PIV) cards for login to its systems, making two-factor authentication a standard for domain authentication.

• Privacy Impact Assessments

  In accordance with federal regulations and mandates⁴, the FDIC conducts Privacy Impact Assessments (PIAs) on systems, business processes, projects and rulemakings that involve an electronic collection, creation, maintenance or distribution of PII. The objective of a PIA is to identify privacy risks and integrate privacy protections throughout the development life cycle of an information system or electronic collection of PII. A completed PIA also serves as a vehicle for building transparency and public trust in government operations by providing public notice to individuals regarding the collection, use and protection of their personal data.

• Integrity Protection

  The FDIC has deployed file integrity monitoring for key files used by applications that process sensitive information. This ensures that information technology staff are promptly notified if critical application and configuration files are corrupted by malware or altered by an unauthorized source. The FDIC has implemented application white-listing and blocking of downloadable executable content from the Internet to ensure that only authorized software runs and that FDIC employees do not fall prey to internet attacks. The FDIC subscribes to services that rate the content and safety of websites; access to any "bad" sites or to sites that have not yet been categorized is blocked. This control interrupts the kill-chain for phishing attacks and prevents against watering-hole attacks⁵ that may otherwise result in information exfiltration.

• Continuous Monitoring

  The FDIC has a 24x7 security operations center (SOC) that is kept informed by its subscriptions to threat intelligence resources and its participation in the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FDIC has a sophisticated security information monitoring platform consisting of multiple tools which are integrated into a single operations center where events that may indicate a threat to FDIC-hosted information are identified, researched, addressed and closed in a timely manner.

• Incident Management

  The FDIC has a dedicated incident response coordinator and incident response team. We have specific breach procedures for PII, and documented incident response processes that include escalation and reporting paths for the United States Computer Emergency Readiness Team (US-CERT) for other security incidents, and for reporting to Congress as required by OMB, DHS, and NIST guidance.

 

¹FFIEC IT Examination Handbook, Outsourcing Technology Services: https://ithandbook.ffiec.gov/

²FDIC Rules and Regulations, Part 364, Appendix B; FIL 22-2001, Customer Information Security Standards; FIL-44-2008 Third-Party Risk Guidance for Managing Third-Party Risk

³TLS is a cryptographic protocol that is designed to provide communications security over a computer network.

⁴For example: Section 208 of the E-Government Act of 2002 requires federal government agencies to conduct a Privacy Impact Assessment (PIA) for all new or substantially changed technology that collects, maintains, or disseminates personally identifiable information (PII). The Privacy Act of 1974 imposes various requirements on federal agencies whenever they collect, create, maintain, and distribute records that can be retrieved by the name of an individual or other personal identifier, regardless of whether the records are in hardcopy or electronic format.

⁵Watering hole is a computer attack strategy, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.

The FDIC is strongly committed to maintaining the privacy of your personal information. The following discloses our information gathering and dissemination practices for this site. The information the FDIC receives depends upon your actions when visiting the Corporation's web site.

Information Collected About Your Visit to the Web Site

The FDIC automatically collects and stores the following information about you when you visit our Web site:

• The date and time the request was received.
• Your Internet Protocol (IP) address, or the proxy address of your Internet Service Provider (e.g. AOL, CompuServe, and so on).
• The name and IP address of the FDICconnect server that received and logged the request.
• The resource on an FDICconnect server accessed as a result of the request, such as the Web page, image, and so on.
• The query in the request. This field captures any criteria or parameters issued with a query, such as a bank name or insurance certificate number.
• The name and version of the your Web browser (e.g. Netscape 4.0).
• The content of any sent or received cookie.
• The Uniform Resource Locator (URL) that was accessed before the user made a request for FDICconnect's Web server. The URL may be an outside address that is not related to the FDICconnect server.
• Other status codes and values resulting from the Web server responding to the request received: HTTP status code, Windows NT code, number of bytes sent, number of bytes received, duration (in seconds) to fulfill the request, server port number addressed, and protocol version.

FDICconnect uses a "cookie", which is a file placed on your computer hard drive, that allows the FDICconnect web server to log the pages you use in the FDICconnect site and to determine if you have visited the site before. The cookie captures no personally identifying information. The FDICconnect server uses this information to provide certain features during your visit to the Web site. You can set your browser to warn you when placement of a cookie is requested, and decide whether or not to accept it. By rejecting a cookie some of the features available on the site may not function properly.

Other than the automatic data collection described above, this site collects no personally identifying information. The sole exception is when you knowingly and voluntarily provide information, such as when you provide contact information on the Evaluate Our Site form, available to FDICconnect institutions. The exception also applies to your use of the FDICconnect Business Center, for which you must have a login account (email address) and password.

The FDIC uses the information we collect for internal system administrative purposes to measure the volume of requests for specific web site pages, and to continually improve the FDICconnect Internet site to be responsive to the needs of users. Your choice to use the FDICconnect Web site or to send electronic mail to FDIC will be considered your consent for the FDIC to use the information collected therefrom as stated in this notice.

Intrusion Detection Monitoring

This government computer system employs software security programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Such attempts are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.

Information Collected From You

You may decide to send the FDIC information, including personally identifying information. The information you supply - whether through a secure Web form, a standard Web form, or by sending an electronic mail message - is maintained by the FDIC for the purpose of processing your request or inquiry. The FDIC also uses the information you supply in other ways to further the FDIC's mission of maintaining stability and public confidence in the nation's banking system.

Various employees of the FDIC may see the information you submit in the course of their official duties. The information may also be shared by the FDIC with third parties to advance the purpose for which you provide the information, including other federal or state government agencies. For example, if you file a complaint, it may be sent to a financial institution for action, or information may be supplied to the Department of Justice in the event it appears that federal criminal statutes have been violated by an entity you are reporting to the FDIC. The primary use of personally identifying information will be to enable the government to contact you in the event we have questions regarding the information you have reported.

Under certain circumstances, the FDIC may be required by law to disclose information you submit to the Corporation, for example, to respond to a Congressional inquiry or subpoena. If you register with an FDIC online mailing list, the information you provide may also be used to send you FDIC communiquor notify you about updates to our web site.

When you choose to send e-mail to the FDIC you are consenting to the FDIC using the information provided therein, including personally identifying information, in accordance with this notice, unless you expressly state in the e-mail your objection to any uses. As required by federal law, Privacy Act statements are located on this web site. Additional notifications are provided in the FDICconnect Business Center regarding use of that secure site.

Contacting the FDIC About This Web Site

If you are concerned about how information about you may have been used in connection with this web site, or you have questions about the FDIC's privacy policy and information practices you should contact:

FDICconnect
Room VS-5240
3501 Fairfax Drive
Arlington, VA 22226

E-mail: fdicconnect@fdic.gov

Electronic mail is not necessarily secure. You should be very cautious when sending electronic mail containing sensitive, confidential information. As an alternative, you should give consideration to sending it by postal mail.