CFPB Announces FFIEC’s Information Technology Examination Privacy and Cybersecurity Handbook for Financial Institutions on “Architecture, Infrastructure, and Operations” 

Today, the CFPB Announced that the Federal Financial Institutions Examination Council (“FFIEC”) issued a new booklet in the FFIEC Information Technology Examination Handbook series, titled “Architecture, Infrastructure, and Operations.”  The CFPB noted that the booklet provides expanded guidance to help financial institution examiners assess the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations.  Implied in the CFPB’s announcement of its companion agency’s privacy and cybersecurity Handbook suggests a measure of focus by the CFPB on financial institutions’ privacy and cybersecurity operations.   According to the FFIEC,

The “Architecture, Infrastructure, and Operations” booklet is one in a series of booklets that compose the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook). The IT Handbook is prepared for use by examiners. With the publication of this booklet, the FFIEC member agencies replace the “Operations” booklet issued in July 2004. The title change reflects the overall importance of an entity’s architecture, infrastructure, and operations (AIO). For IT Handbook purposes, the term “entities” includes depository financial institutions,  nonbank financial institutions, bank holding companies, and third-party service providers.  This booklet discusses enterprise-wide, process-oriented approaches that relate to the design of technology within the overall business structure, implementation of IT infrastructure components, and delivery of services and value for customers. It discusses the following:  Principles and practices for IT and operations as they relate to safety and soundness, consumer financial protection, and compliance with applicable laws and regulations. Processes for addressing risk related to the design and implementation of IT systems. Principles to help examiners evaluate the delivery of financial products and services.  Management oversight of AIO and its related components, including governance; common risk management topics; specific activities of AIO; and evolving technologies that examiners may encounter during their reviews.  This booklet does not impose requirements on entities. Instead, this booklet describes principles and practices that examiners review to assess an entity’s AIO functions. Appendix A of this booklet provides objectives-based examination procedures. The application of the principles and related examination procedures may vary according to an entity’s complexity and risk profile.

    *     *    *    *

The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions. To encourage the application of uniform examination principles and standards by the state and federal supervisory authorities, the Council established, in accordance with the requirement of the statute, the State Liaison Committee composed of five representatives of state supervisory agencies. In accordance with the Financial Services Regulatory Relief Act of 2006, a representative state regulator was added as a voting member of the Council in October 2006.  The Council is responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies. It conducts schools for examiners employed by the five federal member agencies represented on the Council and makes those schools available to employees of state agencies that supervise financial institutions.  The Council was given additional statutory responsibilities by section 340 of the Housing and Community Development Act of 1980 to facilitate public access to data that depository institutions must disclose under the Home Mortgage Disclosure Act of 1975 (HMDA) and the aggregation of annual HMDA data, by census tract, for each metropolitan statistical area (MSA).

A copy of the Handbook can be found here:  https://ithandbook.ffiec.gov/media/402799/ffiec_itbooklet_aio.pdf