What is the FFIEC?
Established in 1979, the FFIEC, or the Federal Financial Institutions Examination Council, defines itself as “a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.” Through the combined efforts of “the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB),” it issues recommendations to financial institutions, with the goal of promoting uniformity in how those institutions are supervised and examined. In addition, the State Liaison Committee (SLC), composed of representatives from “the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS),” became a voting member of the council in 2006.
The FFIEC in Practice
Through an integrated effort on the part of all of its participating agencies, the FFIEC devises principles, standards, and reporting methods and is the body that prescribes uniform examination standards for federally regulated financial institutions. In doing so, the FFIEC provides guidance that empowers such financial institutions “to assess their risk, safeguard customer information, prevent money laundering and terrorist financing, and overall reduce fraud and identity theft in their portfolios.”
The FFIEC does not enact laws or regulations itself; it publishes guidance, and points to the applicable laws and regulations, covering audit, business continuity management, e-banking, information security, management, outsourcing technology services, retail payment systems, and wholesale payment systems. Moreover, through training programs run by the FFIEC Examiner Education Office, the FFIEC instructs “examiners who work for the council’s member agencies” as well as examiners from state regulatory agencies. To assist field examiners, the FFIEC IT Examination Handbook, a set of booklets updated periodically, contains guidance for assessing “the quality and effectiveness of IT audit programs of both financial institutions and TSPs [technology service providers].”
Importance of FFIEC Compliance
All financial institutions, holding companies, and related nonfinancial subsidiaries under federal supervision have a responsibility to comply with FFIEC standards and guidelines. To make the assessment of consumer compliance consistent across agencies, the FFIEC developed the Uniform Interagency Consumer Compliance Rating System (CC Rating System). The CC Rating System is designed to “ensure that regulated financial institutions are evaluated in a comprehensive and consistent manner and that supervisory resources are appropriately focused on areas exhibiting risk of consumer harm and on institutions that warrant elevated supervisory attention.” Built on the principles that ratings should be risk-based, transparent, and actionable, and should incent compliance, the CC Rating System rates institutions on a scale of 1 to 5 according to the degree of supervisory concern. A rating of 1 “represents the highest rating and consequently the lowest degree of supervisory concern, while 5 represents the lowest rating and the most critically deficient level of performance, and therefore, the highest degree of supervisory concern.”
Organized into three assessment categories, the CC Rating System evaluates the following:
- Board and Management Oversight, or the “assess[ment of] the financial institution’s board of directors and management, as appropriate for their respective roles and responsibilities”.
- Compliance Program, or the assessment of “the degree to which compliance training is current and tailored to risk and staff responsibilities”; “the sufficiency of the monitoring and, if applicable, audit to encompass compliance risks throughout the institution”; “whether the institution’s policies and procedures are appropriate to the risk in the products, services, and activities of the institution”; and “the responsiveness and effectiveness of the consumer complaint resolution process.”
- Violations of Law and Consumer Harm, or the assessment of the dimensions of any identified violation or consumer harm. All identified violations, and any resulting harm, are examined on the basis of their “root cause, severity, duration, and pervasiveness.”
In addition to the above, federally supervised financial institutions, holding companies, and associated subsidiaries must comply with numerous guidelines. Issued jointly by its member agencies, the FFIEC’s authentication guidance expects institutions to verify and authenticate the identity of customers using online services, to complete risk-based assessments at least yearly, to identify high-risk transactions, to apply layered security controls, in particular multi-factor authentication, to operate an information security program, and to provide adequate consumer awareness and education. A federally supervised entity’s failure to comply with such guidelines may result in penalties, which vary with the severity of the non-compliance and are imposed by the member agency that supervises the entity, since the FFIEC itself has no enforcement authority. Beyond corrective measures, failures in compliance may also reduce consumer trust and loyalty.