What is FFIEC Compliance?
FFIEC stands for the Federal Financial Institutions Examination Council. FFIEC is an official government body that is responsible for creating standards and report forms that "promote uniformity in the supervision of financial institutions."
FFIEC oversees cybersecurity regulations, housing, and real estate appraisal standards, and virtually every regulation that has to do with financial transactions.
FFIEC compliance affects any bank or financial institution that works with one or more of the following six agencies:
- Board of Governors of the Federal Reserve System (FRB)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
- Consumer Financial Protection Bureau (CFPB)
- State Liaison Committee (SLC)
The above agencies form the FFIEC council. The council develops reporting systems for financial institutions, holding companies, and nonfinancial institution subsidiaries of the institutions above and holding companies.
If your company is active in any of the above fields, you most likely have to be FFIEC compliant. The council can take enforcement actions and orders against financial institutions that fail to meet their FFIEC obligations. These actions depend on the regulator responsible for a particular financial institution.
Let us see what FFIEC compliance entails below.
FFIEC Compliance Key Points
In layman's terms, FFIEC compliance refers to following a set of rules and regulations for online transactions and banking. FFIEC issued those rules in October 2005 in an attempt to reduce red tape and increase security.
FFIEC compliance ensures a certain level of uniformity across different financial services, as well as a minimum standard of security in online transactions. Thanks to FFIEC, consumers can go online with improved confidence that their data is protected.
FFIEC requires all online transactions by financial institutions to be encrypted. Every transaction that falls within the online transaction processing (OLTP) category requires a minimum level of encryption to prevent interception and unauthorized use of data.
Encryption should protect the data from all external threats, but also internal disclosure or insider theft. In short, data should be encrypted even when your company processes it in-house.
The FFIEC standards have multiple requirements. One of the most important requirements is multifactor authentication (MFA).
MFA confirms a user's identity by cross-checking more than one piece of evidence. As hackers today can fabricate fake credentials, MFA is mandatory to ensure a safe banking environment.
MFA uses multiple authentication methods on top of the usual name, password, and ID.
Assessing FFIEC Compliance
FFIEC compliance changes and adapts as a company grows. To ensure that your financial institution is FFIEC compliant, you need to conduct periodic assessments to identify potential security risks and threats.
To this end, FFIEC has created the FFIEC IT Examination Handbook. The handbook includes 11 booklets that cover all aspects of FFIEC compliance. The booklets are comprehensive and following them ensures regulatory compliance.
When some regulation changes or a new one added, the booklets are updated individually. The 11 booklets that make up the FFIEC IT Examination Handbook are:
- Business Continuity Planning
- Development and Acquisition
- Information Security
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
Managing Your FFIEC Compliance
If you want to manage FFIEC compliance internally, you will have to track all changes and updates across all 11 booklets. Thankfully, you or your IT specialists can sign up with FFIEC for free newsletter updates to make sure your regulatory compliance is always up to date.
While this is theoretically possible, it is not advisable to deal with that kind of compliance in-house, unless you have a robust IT department.
Instead, it is best to entrust FFIEC compliance to a dependable third-party security provider. Partnering with a specialized security provider will ensure you are always up to date with all regulatory compliance requirements.
Remaining FFIEC compliant is more than just meeting regulatory minimums and avoiding penalties. It is also about maintaining a high standard of security for your customers. FFIEC compliance will increase your reputation and the ranking if your financial services in the market.
How Does Cygilant Help?
Cygilant’s Security Monitoring service helps financial institutions and credit unions address FFIEC compliance by providing 24x7x365 security monitoring that aligns with the security monitoring section of the FFIEC Handbook.
Cygilant’s Vulnerability Management service provides vulnerability detection and remediation guidance designed to help address Host Security and User Equipment FFIEC security assessment requirements.
With the Security Monitoring on-premises deployment option, Cygilant’s SOC team can also proactively assess several additional network security controls, which are based on the SANS/CIS Critical Security Controls, in order to reduce your compliance risk. The security controls are directly mapped to relevant sections of the FFIEC standards.
Our SOC team will work with your organization to enable the reporting you need to help meet your compliance objectives with ease.
Cygilant Helps With FFIEC Security Assessment Requirements
|Relevant Guidance||How Cygilant Helps|
|FFIEC Handbook (II.C.22) states, “Management should use SIEM systems to discern trends and identify potential information security incidents.”||Cygilant Security Monitoring meets all of the criteria and capabilities for continuous security monitoring as defined in Section II.C.22 of the FFIEC Handbook. Cygilant delivers continuous information security monitoring capabilities for credit unions, including both banking and administrative systems.|
|FFIEC Handbook (Objective 6) states that auditors should look for evidence that credit unions “collect data to build metrics and reporting of vulnerability management.”||Cygilant Vulnerability Management meets requirements for continuous detection and reporting on known vulnerabilities.|
|FFIEC Handbook (II.C.10(d)) states, “Management should implement automated patch management systems and software to ensure all network components are appropriately updated.”||Cygilant Patch Management is consistent with FFIEC’s requirements for implementing patches through a change management process. Cygilant ensures that credit union systems are fully patched, addressing critical requirements for reducing risk.|
*Additional controls auditing available with on-premise Security Monitoring deployments
Talk to an Expert
Learn how Cygilant can reduce your security vulnerabilities, improve your security workflow, and help you meet compliance mandates.
Please complete all required fields.