FFIEC Compliance: What You Should Know in Terms of Business Continuity

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) updated the Business Continuity Planning (BCP) booklet of its IT Examination Handbook. The booklet is now titled Business Continuity Management (BCM) rather than Business Continuity Planning. This is the first substantial update since 2015, and many local banks and credit unions may be asking what it means for them now, and what changes they will need to make in the future to stay compliant.



Under the new guidance, local banks and credit unions must reconsider their business continuity framework and be willing to make the necessary adjustments, up to and including a total overhaul. A few essential points to remember are listed below.



What is FFIEC Compliance?


The FFIEC is a formal interagency body of the U.S. federal government that prescribes uniform principles, standards and report forms for the federal examination of financial institutions. It is made up of five federal regulators plus a state representative (the Office of Thrift Supervision was dissolved in 2011 and its seat on the Council passed to the Consumer Financial Protection Bureau). Members of the Council are:


—–Board of Governors of the Federal Reserve System

—–National Credit Union Administration

—–Federal Deposit Insurance Corporation

—–Consumer Financial Protection Bureau

—–Office of the Comptroller of the Currency

—–State Liaison Committee


They collaborate to develop common standards, policies and reporting forms that apply across all regulated financial institutions, so that every institution is examined against the same guidelines. As cyber threats to the financial industry have grown, the guidance has been updated to address the need for effective cybersecurity.



The FFIEC Business Continuity Management

With the change in terminology from business continuity planning to business continuity management, the business continuity plan is now one component of a larger BCM process, in which a financial institution plans ahead for resilience and recovery from adverse events. The BCM booklet places strong emphasis on resilience.



Resilience is the ability to anticipate and adapt to changing conditions, and to withstand and recover rapidly from disruptions, whether they are deliberate attacks, accidents, or naturally occurring threats or incidents. Conventional BCP has centered on recovery; the FFIEC has shifted its focus from recovery to resilience.



The FFIEC wants local banks and credit unions to take an enterprise-wide, process-oriented view of business continuity: focus on overall operational resilience rather than only on planning to recover. The objective is for financial institutions to become proactive enough to avoid, or at least reduce, the need for traditional recovery procedures in the future.



How to be FFIEC Compliant

The FFIEC IT Examination Handbook is organized into 11 booklets, each covering an area your financial institution deals with in its day-to-day operations. The handbook is examination guidance rather than statute, but examiners assess institutions against it, so understanding all 11 areas lets you put consistent processes in place as a federally regulated financial institution and avoid findings, fines or other sanctions.



—–Business Continuity Management: How prepared is your institution for natural hazards, equipment failure, cyberattacks and other incidents that threaten business continuity? To restore operations quickly, you need sound business continuity management in place, along with the supporting infrastructure it requires.

—–Development and Acquisition: Do you understand the risks involved in developing, acquiring and maintaining information systems? A badly managed development project or system acquisition can lead to a slew of standardization and cybersecurity problems.

—–Electronic Banking: Consumers expect their financial institutions to offer electronic banking services, so your institution must keep these channels secure to reduce the risk of financial data theft.

—–Information Security: Do your cybersecurity controls match the threats financial institutions actually face? Attackers operate in a constantly changing environment, which means your security program must evolve as well.

—–IT Audit: What auditing techniques and procedures does your financial institution have in place? Continuous review is necessary to improve your operations and verify that you comply with all applicable requirements; in five years, the cyber threat landscape may look very different.

—–IT Management: Your IT governance policies should be geared toward meeting the regulatory requirements that apply to your type of financial institution.

—–Operations: Risk management and risk reduction practices must be in place so that you can respond proactively to cybersecurity threats and other hazards.

—–Outsourcing Technology Services: Do your outsourcing partners follow the same standards and cybersecurity requirements as your financial institution?

—–Retail Payment Systems: Recognize the risks inherent in a retail payment environment, including transactions that no physical security control protects.

—–Supervision of Technology Service Providers: Monitor every external service provider you work with, and follow the handbook's guidance when selecting these partners.

—–Wholesale Payment Systems: Because these systems carry high-value payments, it is critical to examine your procedures for this type of system separately.

Have Questions?

Want to find out more about how Resilience3™ security, risk, and compliance solutions will improve your business resiliency?