Access Control and User Management: The Overlooked Gap in Smaller Institutions

The Problem

Access control findings appear on more examination reports than almost any other issue. And unlike complex technical vulnerabilities, most access control problems stem from process failures that are entirely within an institution’s control: accounts that weren’t disabled when an employee left, system access that was never scoped down after a role change, shared credentials that no one has bothered to eliminate, and user access reviews that exist on paper but haven’t been completed in two years.

The frustrating part is that these gaps often aren’t discovered internally — they show up when examiners pull a user access report and start asking questions. At that point, the institution is explaining after the fact rather than demonstrating proactive control.

Why Smaller Institutions Are Particularly Exposed

Larger institutions typically have dedicated identity and access management (IAM) teams, automated provisioning workflows, and regular audit processes baked into their operations. Smaller institutions often manage user access manually — a spreadsheet, a shared HR inbox, and an IT generalist who handles everything from desktop support to core banking access.

When access management is manual, it is vulnerable to the gaps that come with manual processes: turnover, competing priorities, and the simple fact that revoking access for a departing employee is less urgent than every other thing on the IT staff’s plate the week someone leaves. Multiply that by a few years of staff turnover, and the access sprawl can be significant.

What Examiners Are Looking For

Timely Termination of Access

Examiners will pull a list of recently terminated employees and compare it against active system accounts. The question is simple: how long did it take to disable access after termination, and is that documented? For involuntary terminations, same-day revocation is the standard expectation. For voluntary departures, anything beyond 24–48 hours requires explanation. A documented termination procedure that includes a technology access checklist — and evidence that it’s being followed — is what they want to see.
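The comparison described above, written out as an added example (not code from the original post): it reconciles a constructed HR termination list against a constructed account export and flags every account that is still active or was disabled outside the window the text names (same day for involuntary terminations, 48 hours for voluntary ones). The CSV column names and sample values are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample HR termination feed (not real employees).
HR_TERMINATIONS = """\
user,term_date,term_type
jdoe,2024-03-01,voluntary
asmith,2024-03-04,involuntary
bjones,2024-02-15,voluntary
"""

# Constructed account export; an empty disabled_date means the account is still active.
ACCOUNT_EXPORT = """\
user,system,disabled_date
jdoe,core_banking,2024-03-02
jdoe,email,
asmith,core_banking,2024-03-05
bjones,vpn,2024-02-16
bjones,core_banking,2024-02-15
"""

# Revocation windows from the text: same day for involuntary, 48 hours for voluntary.
MAX_DAYS = {"involuntary": 0, "voluntary": 2}


def reconcile(hr_csv, accounts_csv, as_of):
    """Return one finding per account of a terminated user that missed its window.

    as_of is the report date ("YYYY-MM-DD"); accounts never disabled are measured
    against it so the finding shows how long the access has been dangling.
    """
    report_date = datetime.strptime(as_of, "%Y-%m-%d")
    terms = {r["user"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        term = terms.get(acct["user"])
        if term is None:
            continue  # current employee: out of scope for the termination check
        term_date = datetime.strptime(term["term_date"], "%Y-%m-%d")
        still_active = not acct["disabled_date"]
        end = report_date if still_active else datetime.strptime(acct["disabled_date"], "%Y-%m-%d")
        days = (end - term_date).days
        if still_active or days > MAX_DAYS[term["term_type"]]:
            findings.append({"user": acct["user"], "system": acct["system"],
                             "term_type": term["term_type"],
                             "days_to_disable": days, "still_active": still_active})
    return findings
```

Each finding carries the elapsed days, which is the figure an examiner asks for; the same loop works on a real HR feed and account export with matching column names.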

Least Privilege

The principle of least privilege holds that users should have access only to what they need to do their jobs — nothing more. Examiners evaluate whether access permissions are role-based and appropriately scoped. A loan officer with administrative rights to the core banking system, or a teller with access to the general ledger, is the kind of mismatch that generates findings. Role definitions and the access entitlements that accompany them should be documented and consistently applied.

Privileged Access Management

Administrative and privileged accounts receive heightened scrutiny. Examiners want to see that privileged access is restricted to personnel who genuinely require it, that shared administrative accounts are eliminated or strictly controlled, that privileged sessions are logged, and that privileged account credentials are rotated on a documented schedule. Multi-factor authentication for all privileged access is now effectively a baseline expectation.

Periodic User Access Reviews

Most institutions have a policy requiring periodic user access reviews — typically annually at minimum, with semi-annual or quarterly reviews for privileged accounts. Examiners will ask for documentation that these reviews actually occurred: who performed the review, what systems were covered, what access was modified or removed as a result, and who approved the review. A policy that requires annual reviews but no evidence of the last review having taken place is a common finding.

Contractor and Vendor Access

Third-party access is a distinct risk category. Contractors, vendors, and MSP personnel with remote access to institution systems should be subject to the same provisioning and deprovisioning controls as employees — and in practice, they often aren’t. Examiners will ask for a list of active third-party access accounts and may compare it against your active vendor list. Stale accounts belonging to vendors whose contracts have ended are a straightforward finding with clear remediation.

How to Get Ahead of It

Build a Formal Offboarding Checklist

The single highest-value access control improvement most institutions can make is a formal, documented offboarding checklist that includes technology access as a required step. HR should trigger this process and confirm completion before final pay is issued. The checklist should cover every system the employee had access to — core banking, email, remote access, third-party platforms, and any shared credentials the employee was party to.

Conduct a User Access Certification

Pull a full user access report for your core systems and have each department manager certify that their staff’s access is appropriate for their current role. This one-time exercise typically surfaces more stale or excessive access than any audit. Document the certification, the changes made, and who reviewed and approved it. Then put it on a recurring schedule.

Eliminate Shared Accounts

Shared accounts make accountability impossible. If an action is taken under a shared credential, you cannot determine who took it. Examiners understand the operational pressures that lead to shared accounts, but they expect a documented plan to eliminate them. Even if full elimination takes time, having a remediation plan in place and documented is far better than having none.

Practical Checklist

  • Formal offboarding procedure includes technology access revocation with documented completion
  • Terminated employee access reviewed and confirmed disabled within policy-defined timeframes
  • User access roles defined in writing with access entitlements documented per role
  • Least privilege applied and validated for all user accounts across critical systems
  • Privileged and administrative accounts inventoried and restricted to personnel with a documented business need
  • Multi-factor authentication enabled for all privileged and remote access
  • Shared accounts eliminated or subject to a documented remediation plan with a target date
  • Periodic user access reviews documented with results and management approval on file
  • Third-party and contractor access accounts inventoried and reviewed at least annually

Access control gaps are fixable — often faster than you think. Let’s talk.