Financial Institution Focus: FFIEC Compliance for Cloud Technology
Financial institutions have a distinctive set of requirements when looking at technology. Not only are they looking for efficiency gains through automating back-office activities, but they also need to balance that with the risk of introducing new vendors and processes into the mix.
FIs are held to a higher standard than other industries. Maintaining FFIEC (Federal Financial Institutions Examination Council) compliance demands additional rigor, structure, and reporting, which means extra process layers on top of day-to-day operations. These added processes can introduce friction, slowing things down, creating errors, and producing unreliable reporting.
Cloud Technology and Security Come with their Own Requirements
As the saying goes, everyone has a boss (or stakeholder). If you’re a bank, mortgage provider, or financial service company, your boss is your customer; for a credit union, your bosses are your members. As a bank or credit union, when you take a deposit from a customer, there is a legal and inherent agreement that you will provide security around that person’s savings.
To safeguard the service you provide, you have built systems and processes to ensure that all money is accurately accounted for as it flows through the system, and that what you said happened actually happened. When you introduce new processes, it is important to evaluate how well they fit into the current control environment and whether you are still meeting your commitments to your stakeholders. We have covered how to evaluate SaaS software in another article, but because FIs have a specific set of requirements and regulations to adhere to, it is also important to consider how well your provider understands those requirements.
An FFIEC audit is one of the most important compliance events for North American banks and credit unions. These audits also come with an information technology risk component. There are several domains associated with an FFIEC audit, and mapping provider controls to FFIEC elements helps provide confidence.
- Domain 1: Cyber Security Risk Management and Oversight
- Domain 2: Threat Intelligence and Collaboration
- Domain 3: Cybersecurity Controls
- Domain 4: External Dependency Management
- Domain 5: Cyber Incident Management and Resilience
Financial Services – Information Sharing and Analysis Center (FS-ISAC)
We all learn from those that came before us and from being part of a community. The FS-ISAC community consists of over 16,000 active users across 70 countries who meet to network on cyber threat anticipation, risk mitigation, and response. When you are evaluating solutions, knowing that a vendor is plugged into this community provides additional comfort that they are keeping up with the most current security and compliance developments specific to FIs.
Risk Questionnaire (SIG Lite, CAIQ)
RFPs and questionnaires are commonplace when evaluating cloud technology and security. When it comes to vendor risk management and compliance, two questionnaires are widely used: the SIG Lite and the Consensus Assessments Initiative Questionnaire (CAIQ). Both provide a comprehensive look at the vendor's security posture so you can make the best assessment for your organization and your customers or members.
SOC 1 (Type II) and SOC 2 (Type II) audits
Last but certainly not least, SOC stands for Service Organization Control (type 1 and 2). SOC reports provide assurance that you have a secure chain with solid financial and security controls in place upstream and downstream. You should insist that your current and prospective providers (and their data center providers) make their SOC 1 and SOC 2 reports available to you.
The Blueprint for Excellence with FFIEC Compliance
In 2021, Trintech kicked off an effort to apply an FFIEC compliance blueprint to ensure that our information technology controls had clean alignment with the guidance given in the latest FFIEC IT Examination Handbook. Our goal is to ensure excellence in our own environment while helping our financial institution customers attain great outcomes of their own.
We take a customer-centric approach to compliance by extending our controls and audits to meet our customers' regulatory compliance needs. Our approach to the financial institution market is an example of how our customers' desired outcomes have shaped the way we approach compliance.
Written by: Michael Uram