2022-01-01

Circular No. (23/2022): Control of Access to Credit Information Systems

The Palestine Monetary Authority issued Circular No. (23/2022) mandating enhanced security protocols for accessing credit information systems across all specialized lending institutions in Palestine. The directive requires immediate implementation of multi-factor authentication via time-limited email codes, mandatory 60-day password rotations with strict complexity rules, automatic session timeouts after twenty minutes of inactivity, and account suspension after five failed login attempts. Institutions must enforce these measures, clear all user browser data, and disseminate the guidelines by June 12, 2022, under the oversight of the Financial Stability Group.


Palestine

Palestine Monetary Authority


[Logo of the Palestine Monetary Authority] Palestine Monetary Authority PALESTINE MONETARY AUTHORITY

Circular No. (23/2022)

To all specialized lending institutions operating in Palestine

Date: Sunday, June 05, 2022

Subject: Control of Access to Credit Information Systems

In order to raise the protection level of credit information systems and enhance the management of the operational risk environment for banks, and based on Palestine Monetary Authority Circular No. (2016/155), please be informed of the following updates to the access mechanisms for credit information systems.

  1. Verification and Protection of System Access: An authentication window will appear upon opening the system browser and will continuously prompt for an authentication code, which will be sent to the user via email. The authentication code will be valid for 3 minutes from the time the automatic email is sent to the user. Consequently, user system managers are required to audit previously entered user data, specifically the email addresses.
  2. Password Change: Users are required to change their password upon first use of the systems. The password change screen will be mandatory for existing users starting from 2022/06/12, and upon every reactivation of a username. Users are also required to change their password every 60 days, with a reminder message displayed to users 10 days before the password expires.
  3. Password Requirements: A strong password must be created, consisting of at least eight characters and including a number, a symbol, lowercase letters, and uppercase letters. Users must avoid using personal data or information contained in the username, and must not reuse any of their last four passwords.
  4. Automatic System Logout: System screens will automatically lock when the user stops using them for more than twenty minutes.

www.pma.ps Ramallah & Al-Bireh Governorate - Palestine P.O. Box 452 Tel: +970 2 2415251 | Fax: +970 2 2415310 Gaza - Palestine P.O. Box 4026 Tel: +970 8 2825713 | Fax: +970 8 2844487 | info@pma.ps



  5. Number of Failed Login Attempts: The username will be suspended and access to the systems restricted if the password is entered incorrectly five times. It will be reactivated by the user system manager at the institution through a new screen to be added to the user system named (User Activation), which does not require Palestine Monetary Authority approval for activation.
  6. System Logout: Upon finishing system use, users are required to log out via the top left corner of the screen (logout icon) and not by closing the browser.
  7. All users must clear their browser data on the morning of Sunday, June 12, 2022.

Please comply with the above guidelines starting from June 12, 2022, and disseminate them to all users of the credit information systems. Should you have any inquiries, please contact the Financial Stability Group / Analysis and Compliance Unit.

[Signature] Financial Stability Group Palestine Monetary Authority

