What Do the FFIEC IT Handbook Updates Really Mean?

On June 30, 2021, the FFIEC issued a new booklet in the FFIEC Information Technology Handbook (FFIEC IT Handbook) series entitled, “Architecture, Infrastructure, and Operations” (AIO). Great, you might say … translation, please?

The Federal Financial Institutions Examination Council (FFIEC) makes available a series of 11 booklets that comprise the IT Handbook. The AIO booklet replaces the former Operations booklet that was issued in 2004 and contains new guidance using a risk-based approach to the architecture, infrastructure, and operations of financial institutions, which have changed significantly over the last 17 years. The new booklet also:

1. Ensures that your safety and soundness, consumer protection, and resiliency documentation is current (and available for examiner review).
2. Discusses risk mitigation related to the design and implementation of technology.
3. Provides guidelines for the evaluation of financial products and service delivery and governance, risk management, and oversight of evolving technologies.
4. Aligns with related examination procedures contained in the Information Security, Outsourcing Technology Services, Management, and Business Continuity Management

There are 18 objectives listed in the examination procedures work program including (but not limited to):

• Responsibility, accountability, and resources to support AIO functions
• Data governance and management
• Alignment of IT architecture with business objectives
• Asset management processes to track, manage and report on IT assets
• Change management
• Oversight of third-party service providers
• Remote access and personally owned devices
• Architecture planning and design
• Infrastructure hardware, software, environmental, and physical access controls
• Reduction of potential operational failures and minimizing the impact of issues that occur
• Cloud computing, zero trust architecture, microservices, artificial intelligence, and the Internet of Things (IoT)

Guidance Begins at the Top

Admittedly, I haven’t had the attention span to read the entire 164-page document myself. That said, it’s apparent to me that it’s all about governance, risk, and compliance. It’s about effective strategies for management to align IT with their business objectives. It’s about delineating roles and responsibilities. Wouldn’t you know, the first few sections of the FFIEC IT Handbook covers governance, responsibilities, and alignment.

Let’s take a look at the expectations.

• Section I reminds us that management must oversee their technology from design to build to ongoing management and maintenance in:
  • Network and application design
  • Selection and placement of physical and virtual technologies and
  • The overall infrastructure that supports their operations

They warn that inadequate handling of these guidelines could lead to increased risk in other areas of the financial institution such as credit, liquidity, operational, compliance, and reputation.

Where have we seen this before? Oh right, Business Continuity Management, which is an enterprise-wide activity – not just the IT Department’s sole responsibility. The AIO booklet reinforces that goal of including all stakeholders in the process and not assuming that the IT Department carries this burden on their backs alone.

• Section II moves further into Governance of the AIO. Specifically, the ongoing support of operational needs and mitigation of risks related to architecture, infrastructure, and operations through:
  • Reports on AIO activities provided to the Board of Directors (BoD) on a regular basis including meeting minutes and issue tracking activities
  • Alignment of AIO practices with strategic plans, risk appetite, and enterprise risk management
  • Incorporation of AIO into the budget approval process
  • Education to ensure management is equipped to carry out their responsibilities and the BoD is prepared to review performance through audits, testing results, assessments, and reports

They further define activities that management should take to provide proper oversight regarding validation, assessment of risks, continuous improvements, and integration between architecture, infrastructure, and operations.

Examples are provided of titles often used to assume responsibility for management functions and activities including roles such as Chief Information Officer (CIO) or Chief Technology Officer (CTO) and how you might choose to divvy up activities to maintain segregation of duties.

There is even an outline of the types of activities that can be delegated to operations personnel such as database administrators, systems analysis, network administrators, etc.

Section II continues to move forward through Policies, Standards, and Procedures; Internal Audit, Independent Reviews, and Certification Processes; Communication; and Board and Senior Management Reporting.

First Steps, Take Stock and Align with the New Expectations

You likely have much of this outlined in your current policies, procedures, and job descriptions. But now is a good time to take stock and align with the expectations covered in this new booklet. First steps could include:

1. Ensure everyone is aware of their responsibilities.
2. Test against your documented commitments.
3. Communicate with all areas of the organization including Senior Management and the Board.

Remember, the booklets do not impose requirements on financial institutions. They are provided to describe principles and practices an examiner will review as they apply to your individual complexity and risk profile, which can only be determined by you, your management team, and your Board of Directors.

Appendix A, the examination procedures work program, outlines the minimum criteria of documents and items examiners will want to review. Reviewing this section first is a quick and effective way to hit key points of the guidance and prioritize those that need to be addressed.

You will find words like resilient, documentation, management, strategic, and business objective alignment; and confidentiality, integrity, and availability (The CIA Triad), with “risk assessment” at the heart of each component.

What is your plan to ensure you are meeting the new FFIEC IT Handbook expectations?