The Federal Financial Institutions Examination Council (FFIEC) is an interagency body established to define and enforce uniform principles, standards, and report forms for financial institutions.
Who oversees it?
A Board of Governors comprised of members of the Federal Reserve Board, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currents, and the Consumer Financial Protection Bureau.
Who does it apply to?
National banks and their subsidiaries, state banks, bank holding companies, savings and loan holding companies, branches and agencies of foreign banking organizations, and credit unions.
How does it impact IT professionals?
In June 2013, the FFIEC created the Cybersecurity and Critical Infrastructure Working Group to identify gaps in protection and strengthen the oversight of cybersecurity readiness. MSPs may be called upon to help their financial services clients built a robust security infrastructure to protect sensitive financial data and customer records.
What do your clients need to be FFIEC compliant?
The FFIEC can audit a financial institution at any time. In order to pass an FFIEC audit, the financial institution must have a documented Information Security Policy in place with proof of a recent Security Risk Assessment. In addition to these requirements, financial organizations must meet the regulatory requirements of any organizations (such as the FRB, FDIC, etc.) with direct oversight of the institution.
What are the dangers of not being FFIEC compliant?
The FFIEC does not impose fines and sanction directly. However, failure to pass an FFIEC audit can result in fines and sanctions from the Federal Reserve Board, Federal Deposit Insurance Corporation, and the National Credit Union Administration. Fines can range from $10,000 to $1,000,000 per incident, with sanctions up to and including dissolving the offending institution.
FFIEC Compliance Services at a Glance
MSPs can help their clients by implementing and maintaining a robust Information Security Policy and providing support services in the form of regular risk assessments and vulnerability audits. Being able to prove that an institution is proactive regarding their information security will go a long way toward meeting the requirements of an FFIEC audit.