<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">

Get a copy of this guide delivered straight to your inbox.

1. What is the FFIEC?

Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is a five-member U.S. Government interagency organization. Its primary role is to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.

The five banking regulators that form this body include:

  • The Board of Governors of the Federal Reserve System (FRB) 
  • The Federal Deposit Insurance Corporation (FDIC) 
  • The National Credit Union Administration (NCUA) 
  • The Office of the Comptroller of the Currency (OCC)
  • The Consumer Financial Protection Bureau (CFPB)

In addition to the five primary agencies that provide the FFIEC its mandate, the State Liaison Committee (SLC) has been a voting member since 2006. It is comprised of representatives from:

  • The Conference of State Bank Supervisors (CSBS) 
  • The American Council of State Savings Supervisors (ACSSS) 
  • The National Association of State Credit Union Supervisors (NASCUS)

2. FFIEC Compliance

Meeting FFIEC compliance requires a financial organization to conform to a set of technology standards for online banking issued by the FFIEC in October 2005. Enterprises that need to meet these compliance guidelines must conduct regular comprehensive assessments of their internal environments. The primary purpose of these compliance reviews is to identify any potential security weaknesses or possible threats. In addition to these traditional security measures, the FFIEC released its Cybersecurity Assessment Tool in June 2015. It provides financial institutions with a framework that assesses the state of their information security. The tool itself can be used for internal assessments and provides regulators with a view of the organization’s cybersecurity practices during an audit examination.

On the completion of an FFIEC assessment, the organization needs to set goals, identify solutions, and continue to conduct periodic risk review exercises to maintain an adequate level of security.

Financial institutions that need to comply with the FFIEC’s stipulated guidelines need to understand and implement the requirements and recommendations published in the various InfoBases. Complying with the various FFIEC guidelines requires a comprehensive I.T. security policy encompassing policies and procedures that include but are not limited to:

  • Disaster recovery and business continuity
  • Secure software development and procurement practices
  • Comprehensive information security policies and procedures
  • Vendor management
  • Regular cybersecurity assessments, audits, and reviews

3. Who Needs to Comply with FFIEC Requirements??

Federally supervised financial institutions need to comply with the FFIEC’s stipulated guidelines. These include:

  • State-chartered banks that are members of the Federal Reserve System
  • Bank holding companies
  • Thrift holding companies 
  • Foreign banking organizations that have a: 
    • Branch agency 
    • Commercial lending company subsidiary 
    • Bank subsidiary in the United States 

As these organization types fall under the mandate of the five primary FFIEC members, they need to institute the appropriate measures to meet their compliance objectives. However, if an organization is related to any federally supervised financial institution in some way, such as a holding company or non-financial subsidiary, that enterprise also needs to follow the guidelines and institute the measures outlined in FFIEC’s compliance requirements.

it security risk assessment finance

3a. What if you don't comply with FFIEC?

Failing to comply with the guidelines issued by the FFIEC can result in financial penalties. As the FFIEC is an interagency body that makes the recommendations, it does not have the mandate or authority to issue monetary sanctions directly. However, as its members consist of federal agencies that do have the ability to issue fines, failing to comply with FFIEC guidelines can result in an institution facing a financial penalty of up to $2 million. However, this amount could be significantly more if the organization faces litigation in the federal judicial system for contravening banking regulations.

For example, if the organization under review is a credit union, the National Credit Union Administration (NCUA) has the power to issue administrative orders if the enterprise fails to comply with FFIEC guidelines. Similarly, if the financial institution falls under the auspices of the FDIC, that regulatory body has the statutory authority to terminate the deposit insurance of any insured depository agency.

4. The FFIEC Infobase

Organizations that need to comply with the stipulated guidelines published by the FFIEC can benefit from the FFIEC Infobase. Created for field examiners at the financial institution regulatory agencies, this educational reference developed by the FFIEC’s Task Force on Examiner Education can be leveraged as a vital compliance reference. The Infobase itself is an electronic source for training and distributing needed examination information with a long-term objective of providing just-in-time training for new regulations. 

Organizations can also leverage the FFIEC Infobase to access specific regulatory concerns issued by the members that make up this governing body. There are a few different InfoBases, each containing content that relates to particular banking regulations. 

For example, in 2018, the FFIEC redesigned its BSA/AML InfoBase website that deals with the Bank Secrecy Act and Anti-Money Laundering. The site offers organizations and examiner's manuals, examination procedures, agency resources, and references that deal with these vital banking risks. Financial institutions can access these resources and leverage them to implement the relevant measures that align them with the stipulated FFIEC guidelines.

5. An Overview of the FFIEC IT Booklets

For information technology guidelines, the FFIEC IT Handbook Infobase offers a variety of resources that range from IT booklets and work programs to information on laws, regulations, and guidance. Financial institutions can utilize these compliance assets to align themselves with the FFIEC guidelines pertaining to their cybersecurity. 

The IT Handbook InfoBase offers organizations a wide range of cybersecurity resources they can implement in their enterprises. The Infobase consists of 11 booklets that cover topics ranging from audit and business continuity planning to outsourced technology services and wholesale payment systems.

6. A Look Into the FFIEC IT Booklets

The IT Handbook InfoBase lays the foundation for IT risk management in the federal banking sector. Due to the increasing pace of change, the FFIEC IT Examination Handbook is a compilation of eleven booklets each covering a specific IT security domain. Splitting the guidelines into these separate booklets allows the FFIEC to update each one as needed, negating the need to reissue the entire InfoBase each time they amend it. The sections below provide a summary of the content covered within each booklet.

6.a) Audit


The objective of the “Audit Booklet” is to guide an organization in implementing a practical Information Technology audit function. This section of the FFIEC guideline contains the components an organization needs to implement and comprises both the control and substantive elements of this essential function. Topics included in the “Audit Booklet” include:

  • IT audit roles and responsibilities
  • Independence and staffing of the internal IT audit function
  • The creation and implementation of an internal audit program
  • Conducting risk assessment and risk-based auditing
  • Audit participation in application development, acquisition, conversions, and testing
  • Outsourcing internal IT audit
  • Third-Party reviews of technology service providers

6.b) Business Continuity Planning

The primary goal of the “Business Continuity Planning Booklet” is to assist FFIEC examiners in determining the availability of a financial institution’s critical operational services. This guide contains processes and practices in developing a business continuity strategy that includes:

  • The business continuity planning process
  • Conducting a business impact analysis
  • Performing a risk assessment
  • Formulating a risk management strategy
  • Risk monitoring and testing

The creation and adoption of policies, standards, and processes such as:

  • Security standards
  • Project management
  • Change control policies
  • Data synchronization procedures
  • Crisis management
  • Incident response
  • Remote access
  • Employee training
  • Notification standards
  • Insurance
  • Government and community

6.c) E-Banking

The FFIEC “E-Banking Booklet” provides the guidelines financial institutions can follow to identify and control the risks associated with electronic banking (e-banking) activities. Sections within this booklet cover topics such as:

  • The definition of e-banking
  • The e-banking components
  • E-Banking support services
  • E-Banking risks

It also covers the Risk Management of E-Banking activities that include:

  • Board and management oversight
  • Managing outsourcing relationships
  • The creation of an information security program
  • Administrative controls
  • Legal and compliance issues

6.d) Development and Acquisition

The “Development and Acquisition Booklet” covers the FFIEC cybersecurity guidelines for an organization’s software development processes. It also provides the standards an enterprise should follow when acquiring “off-the-shelf” software they intend to be implementing in their operations. This booklet covers everything from the systems development lifecycle to object-oriented programming and subcontracting vendor relationships. These guidelines are all contained within high-level topic sections that include:

  • Project management
  • Development procedures
  • Acquisition
  • Maintenance

6.e) Information Security

The FFIEC “Information Security Booklet” covers all the measures financial institutions need to consider when developing their Information Security Program. It also includes vital governance aspects, such as creating a security culture, assigning responsibility, and allocating accountability. This booklet covers the information security guidelines in detail and includes:

  • Risk identification
  • Risk measurement
  • Risk mitigation
  • Security operations
  • Measuring the effectiveness of the information security program

6.f) Management

The “Management Booklet” overlaps with several other FFIEC manuals. However, it concentrates on the management aspect paying particular attention to governance, risk, and controls. Elements covered in this booklet include:

  • IT governance
  • IT responsibilities and functions
  • Operational risk
  • IT risk management
  • Monitoring and reporting

6.g) Operations


The FFIEC guidelines published in the “Operations Booklet,” address the operational information security risks financial institutions face in dealing with potential cybersecurity threats. Like the other booklets in the series, it focuses on the vital procedures an organization needs to consider to address threats proactively. The booklet covers operational elements related to:

  • Roles and responsibilities
  • Risk identification involving environmental surveys and technology inventory
  • Risk assessment
  • Risk monitoring and reporting
  • Risk mitigation and control implementation which includes items such as:
  • Policies, standards, and procedures
  • Controls implementation
  • Physical and logical security
  • Database management
  • Personnel controls
  • Change management
  • Information distribution and transmission
  • Storage, backup, and the disposal of media
  • Event and problem management
  • User support and help desk

6.h) Outsourcing Technology Services

The “Outsourcing Technology Services Booklet” provides financial institutions with the FFIEC guidelines on mitigating risk when dealing with third-party IT service providers. It deals with elements such as:

  • Risk assessment and requirements 
  • Service provider selection
  • Contract issues
  • Ongoing monitoring

It also deals with other ancillary and complementary topics that include:

  • Business continuity planning 
  • Outsourcing the business continuity function
  • Information security and safeguarding
  • Multiple service provider relationships
  • Outsourcing to foreign service providers

New call-to-action

6.i) Retail Payment Systems

The FFIEC guidelines published in the “Retail Payment Systems Booklet” cover information security measures and processes that relate to the inherent risks in retail payment systems. It covers topics such as:

  • Payment instruments, clearing, and settlement that include:
  • Check-based payments
  • Check clearing houses
  • The Automated Clearing House (ACH)
  • Card-based electronic payments
  • Emerging retail payment technologies such as contactless payment cards

The booklet also looks at retail payment risk management covering elements such as:

  • Payment system risk policies
  • Operational risk which overlaps with other booklets in the series
  • Retail payment instrument specific risk management controls for checks, cards, and EFTs, amongst others.

6.j) Wholesale Payment Systems

The “Wholesale Payment System Booklet” provides guidelines on mitigating risk in systems that process high-value payments. This booklet covers recommendations regarding platforms such as:

  • Interbank payment and messaging systems such as the Fedwire Fund Service and the National Settlement Service
  • Securities settlement systems such as the Fixed Income Clearing Corporation and Depository Trust Company
  • Intrabank payment messaging systems which cover inhouse terminals and computer and network operations

This booklet also proposes guidelines on wholesale payment systems risk Management and covers categories that include:

  • Payments System Risk (PSR) policy
  • Reputation risk
  • Strategic risk
  • Credit risk
  • Liquidity risk
  • Legal and compliance risk
  • Operational and transaction risk

6.k) Supervision of Technology Service Providers

The FFIEC booklet that covers the “Supervision of Technology Service Providers” provides guidelines and recommendations for financial institutions that need to oversee any third-party service providers. The topics covered in this booklet include:

  • The creation of a supervisory policy
  • Implementation of supervisory programs
  • Roles and responsibilities
  • Risk-based supervision controls

7. FFIEC and Cybersecurity

7.a) Overview

Due to the increasing volume and sophistication of cyber threats that target financial institutions, cybersecurity forms a core component within the FFIEC guidelines. As the primary goal of the FFIEC is to improve the security of financial institutions, identifying potential cybersecurity risks and making recommendations is a crucial part of the compliance process. 

As part of its mission to reduce information security risk across the financial services industry, the FFIEC has several compliance initiatives that organizations can leverage to strengthen the security of their systems and processes. These include a Cybersecurity Assessment Tool, the FFIEC IT Handbook InfoBase, and the FFIEC IT Booklets.

7.b) Cybersecurity Assessment Tool

The FFIEC Cybersecurity Assessment Tool provides financial institutions with a framework that helps them measure their inherent risk profile and their information security maturity. It provides a framework that enables a repeatable and measurable process that enterprises can leverage for their cybersecurity preparedness

The assessment measures a financial institution’s inherent risk profile using the following five categories:

  • Technologies and connection types
  • Delivery channels
  • Online/Mobile products and technology services
  • Organizational characteristics
  • External threats

The second part of the assessment tool evaluates an institution’s Cybersecurity Maturity Level for the five primary domains, namely:

  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber incident management and resilience

By evaluating a financial institution’s inherent risk profile and maturity levels across the five cybersecurity domains, the organization can then determine if its maturity levels are appropriate with its calculated risk. If an imbalance exists, the enterprise can then implement measures to either reduce risk or increase their level of maturity.

8. Steps in an FFIEC Gap Assessment

Complying with the stipulated guidelines published by the FFIEC requires a methodical approach. Organizations should follow a set process that starts with understanding their current state and ends with reevaluating their practices on a set, regular basis.

8.a) Step 1 – Document the current state of the financial institution

The first step in determining an organization’s cybersecurity posture is to document its current state. Financial institutions can leverage the FFIEC Cybersecurity Assessment Tool, as well as the content and structure available in its various InfoBases. Using these resources, they can create a template that measures the controls and processes detailed in the FFIEC guidelines.

8.b) Step 2 – Review and document gaps between the current state and what is required by FFIEC guidance as provided in the IT booklets

The next step in the process involves conducting an assessment of the current state of the financial institution’s cybersecurity. Measuring the organization’s cybersecurity processes and measures against the stipulated FFIEC guidelines can help the enterprise identify where their current practices fail to comply. The assessment should include any third-party vendors that provide services to the financial institution.

8.c) Step 3 – Prepare an action plan to remediate the gaps

Following the review and gap analysis, the next step in the FFIEC gap assessment involves preparing an action plan to remediate any issues or shortcomings discovered in the previous phase. As with the other steps in the process, the organization must take a methodical approach to address any gaps that may exist in its cybersecurity processes and practices. Leveraging the NIST cybersecurity framework can help an organization create the structure needed for this phase. A single misconfigured platform or misaligned process could lead to a data breach or system compromise.

8.d) Step 4 – Work with management to implement remediation actions

The final step in the FFIEC gap assessment process is to implement the action plans formulated in the previous phase. It is important for any cybersecurity measure to have the support of every function within the organization.  Management needs to take a leadership role in driving these initiatives as the ultimate success lies in the ongoing evaluation of their cybersecurity measures. As cyber threats are continuously evolving, all financial institutions need to embrace a cybersecurity culture to protect themselves and their customers from possible compromise.

9. Leveraging FFIEC Compliance to Promote Good Security Practices

Every regulated financial institution needs to evaluate their inherent risk and cybersecurity maturity. While the FFIEC may not have the mandate to impose any sanctions, failing to comply with the standards set by this multi-body organization can result in one of its members taking further punitive measures. However, financial institutions should not only view FFIEC compliance as a mandatory process to avoid sanctions but as a tool to improve the security processes of their business. By leveraging elements such as the various Infobases, the FFIEC booklets, and Cybersecurity Assessment tool, organizations can take active steps to mitigate their risk while instilling good information security practices in their enterprise.


Still need some clarity on FFIEC Compliance?