Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is a five-member U.S. Government interagency organization. Its primary role is to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.
The five banking regulators that form this body include:
In addition to the five primary agencies that give the FFIEC its mandate, the State Liaison Committee (SLC) has been a voting member since 2006. It consists of representatives from:
Meeting FFIEC compliance requires a financial organization to conform to a set of technology standards for online banking issued by the FFIEC in October 2005. Enterprises that need to meet these compliance guidelines must conduct regular comprehensive assessments of their internal environments. The primary purpose of these compliance reviews is to identify any potential security weaknesses or possible threats. In addition to these traditional security measures, the FFIEC released its Cybersecurity Assessment Tool in June 2015. It provides financial institutions with a framework that assesses the state of their information security. The tool itself can be used for internal assessments and provides regulators with a view of the organization’s cybersecurity practices during an audit examination.
On the completion of an FFIEC assessment, the organization needs to set goals, identify solutions, and continue to conduct periodic risk review exercises to maintain an adequate level of security.
Financial institutions that need to comply with the FFIEC’s stipulated guidelines need to understand and implement the requirements and recommendations published in the various InfoBases. Complying with the various FFIEC guidelines requires a comprehensive IT security policy encompassing policies and procedures that include but are not limited to:
Federally supervised financial institutions need to comply with the FFIEC’s stipulated guidelines. These include:
As these organization types fall under the mandate of the five primary FFIEC members, they need to institute the appropriate measures to meet their compliance objectives. However, if an organization is related to any federally supervised financial institution in some way, such as a holding company or non-financial subsidiary, that enterprise also needs to follow the guidelines and institute the measures outlined in FFIEC’s compliance requirements.
Failing to comply with the guidelines issued by the FFIEC can result in financial penalties. As the FFIEC is an interagency body that makes the recommendations, it does not have the mandate or authority to issue monetary sanctions directly. However, because its members are federal agencies that do have the ability to issue fines, failing to comply with FFIEC guidelines can result in an institution facing a financial penalty of up to $2 million. This amount could be significantly higher if the organization faces litigation in the federal judicial system for contravening banking regulations.
For example, if the organization under review is a credit union, the National Credit Union Administration (NCUA) has the power to issue administrative orders if the enterprise fails to comply with FFIEC guidelines. Similarly, if the financial institution falls under the auspices of the FDIC, that regulatory body has the statutory authority to terminate the deposit insurance of any insured depository agency.
Organizations that need to comply with the stipulated guidelines published by the FFIEC can benefit from the FFIEC InfoBase. Created for field examiners at the financial institution regulatory agencies, this educational reference developed by the FFIEC’s Task Force on Examiner Education can be leveraged as a vital compliance reference. The InfoBase itself is an electronic source for training and distributing needed examination information, with a long-term objective of providing just-in-time training for new regulations.
Organizations can also leverage the FFIEC InfoBase to access specific regulatory concerns issued by the members that make up this governing body. There are a few different InfoBases, each containing content that relates to particular banking regulations.
For example, in 2018, the FFIEC redesigned its BSA/AML InfoBase website, which deals with the Bank Secrecy Act and Anti-Money Laundering. The site offers organizations and examiners manuals, examination procedures, agency resources, and references that deal with these vital banking risks. Financial institutions can access these resources and leverage them to implement the relevant measures that align them with the stipulated FFIEC guidelines.
For information technology guidelines, the FFIEC IT Handbook InfoBase offers a variety of resources that range from IT booklets and work programs to information on laws, regulations, and guidance. Financial institutions can use these compliance assets to align themselves with the FFIEC guidelines pertaining to their cybersecurity.
The IT Handbook InfoBase offers organizations a wide range of cybersecurity resources they can implement in their enterprises. The InfoBase consists of 11 booklets that cover topics ranging from audit and business continuity planning to outsourced technology services and wholesale payment systems.
The IT Handbook InfoBase lays the foundation for IT risk management in the federal banking sector. Because of the increasing pace of change, the FFIEC IT Examination Handbook is organized as a compilation of 11 booklets, each covering a specific IT security domain. Splitting the guidelines into separate booklets allows the FFIEC to update each one as needed, negating the need to reissue the entire InfoBase each time it amends one. The sections below summarize the content covered within each booklet.
The objective of the “Audit Booklet” is to guide an organization in implementing a practical information technology audit function. This section of the FFIEC guidelines contains the components an organization needs to implement and comprises both the control and substantive elements of this essential function. Topics covered in the “Audit Booklet” include:
The primary goal of the “Business Continuity Planning Booklet” is to assist FFIEC examiners in determining the availability of a financial institution’s critical operational services. This guide contains processes and practices in developing a business continuity strategy that includes:
The creation and adoption of policies, standards, and processes such as:
The FFIEC “E-Banking Booklet” provides the guidelines financial institutions can follow to identify and control the risks associated with electronic banking (e-banking) activities. Sections within this booklet cover topics such as:
It also covers the Risk Management of E-Banking activities that include:
The “Development and Acquisition Booklet” covers the FFIEC cybersecurity guidelines for an organization’s software development processes. It also provides the standards an enterprise should follow when acquiring “off-the-shelf” software it intends to implement in its operations. This booklet covers everything from the systems development life cycle to object-oriented programming and subcontracting vendor relationships. These guidelines are all contained within high-level topic sections that include:
The FFIEC “Information Security Booklet” covers all the measures financial institutions need to consider when developing their Information Security Program. It also includes vital governance aspects, such as creating a security culture, assigning responsibility, and allocating accountability. This booklet covers the information security guidelines in detail and includes:
The “Management Booklet” overlaps with several other FFIEC manuals. However, it concentrates on the management aspect, paying particular attention to governance, risk, and controls. Elements covered in this booklet include:
The FFIEC guidelines published in the “Operations Booklet” address the operational information security risks financial institutions face in dealing with potential cybersecurity threats. Like the other booklets in the series, it focuses on the vital procedures an organization needs to consider to address threats proactively. The booklet covers operational elements related to:
The “Outsourcing Technology Services Booklet” provides financial institutions with the FFIEC guidelines on mitigating risk when dealing with third-party IT service providers. It deals with elements such as:
It also deals with other ancillary and complementary topics that include:
The FFIEC guidelines published in the “Retail Payment Systems Booklet” cover information security measures and processes that relate to the inherent risks in retail payment systems. It covers topics such as:
The booklet also looks at retail payment risk management covering elements such as:
The “Wholesale Payment System Booklet” provides guidelines on mitigating risk in systems that process high-value payments. This booklet covers recommendations regarding platforms such as:
This booklet also proposes guidelines on wholesale payment systems risk management and covers categories that include:
The FFIEC booklet that covers the “Supervision of Technology Service Providers” provides guidelines and recommendations for financial institutions that need to oversee any third-party service providers. The topics covered in this booklet include:
Due to the increasing volume and sophistication of cyber threats that target financial institutions, cybersecurity forms a core component within the FFIEC guidelines. As the primary goal of the FFIEC is to improve the security of financial institutions, identifying potential cybersecurity risks and making recommendations is a crucial part of the compliance process.
As part of its mission to reduce information security risk across the financial services industry, the FFIEC has several compliance initiatives that organizations can leverage to strengthen the security of their systems and processes. These include a Cybersecurity Assessment Tool, the FFIEC IT Handbook InfoBase, and the FFIEC IT Booklets.
The FFIEC Cybersecurity Assessment Tool provides financial institutions with a framework that helps them measure their inherent risk profile and their information security maturity. It provides a framework that enables a repeatable and measurable process that enterprises can leverage for their cybersecurity preparedness.
The assessment measures a financial institution’s inherent risk profile using the following five categories:
The second part of the assessment tool evaluates an institution’s Cybersecurity Maturity Level for the five primary domains, namely:
By evaluating a financial institution’s inherent risk profile and its maturity levels across the five cybersecurity domains, the organization can then determine whether its maturity levels are appropriate for its calculated risk. If an imbalance exists, the enterprise can then implement measures to either reduce risk or increase its level of maturity.
Complying with the stipulated guidelines published by the FFIEC requires a methodical approach. Organizations should follow a set process that starts with understanding their current state and ends with reevaluating their practices on a set, regular basis.
The first step in determining an organization’s cybersecurity posture is to document its current state. Financial institutions can leverage the FFIEC Cybersecurity Assessment Tool, as well as the content and structure available in its various InfoBases. Using these resources, they can create a template that measures the controls and processes detailed in the FFIEC guidelines.
The next step in the process involves conducting an assessment of the current state of the financial institution’s cybersecurity. Measuring the organization’s cybersecurity processes and controls against the stipulated FFIEC guidelines can help the enterprise identify where its current practices fail to comply. The assessment should include any third-party vendors that provide services to the financial institution.
Following the review and gap analysis, the next step in the FFIEC gap assessment involves preparing an action plan to remediate any issues or shortcomings discovered in the previous phase. As with the other steps in the process, the organization must take a methodical approach to addressing any gaps that may exist in its cybersecurity processes and practices. Leveraging the NIST Cybersecurity Framework can help an organization create the structure needed for this phase. A single misconfigured platform or misaligned process could lead to a data breach or system compromise.
The final step in the FFIEC gap assessment process is to implement the action plans formulated in the previous phase. It is important for any cybersecurity measure to have the support of every function within the organization. Management needs to take a leadership role in driving these initiatives, as ultimate success lies in the ongoing evaluation of the organization’s cybersecurity measures. As cyber threats are continuously evolving, all financial institutions need to embrace a cybersecurity culture to protect themselves and their customers from possible compromise.
Every regulated financial institution needs to evaluate its inherent risk and cybersecurity maturity. While the FFIEC may not have the mandate to impose sanctions itself, failing to comply with the standards set by this multi-body organization can result in one of its members taking further punitive measures. However, financial institutions should view FFIEC compliance not only as a mandatory process to avoid sanctions but as a tool to improve the security processes of their business. By leveraging elements such as the various InfoBases, the FFIEC booklets, and the Cybersecurity Assessment Tool, organizations can take active steps to mitigate their risk while instilling good information security practices in their enterprise.