Using FFIEC Examination Handbooks to Prepare for a Third-Party Risk Audit

Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the FFIEC IT Examination Handbook as a mechanism to prepare for a third-party-related audit. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body in the US empowered to establish guidelines and uniform principles and standards for the federal examination of financial institutions by five member agencies, including:

• Board of Governors of the Federal Reserve System (FRB)
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Office of the Comptroller of the Currency (OCC)
• Consumer Financial Protection Bureau (CFPB)

The FFIEC has created a set of handbooks or booklets to be used by examiners looking at an institution’s IT practices, and as such, provide guidelines for those practices. Of interest for many institutions is the guidance they provide on how to manage the risk associate with third-party providers. The Business Continuity booklet includes Appendix J, addressing the need to strengthen the resilience of outsourced technology services. The Information Security booklet includes a specific section on Oversight of Third-Party Service Providers.

These IT Booklets require robust management and tracking of third-party supplier business continuity planning (BCP) and IT security risk. They specify that a policy for managing risk should be in place, relevant due diligence should be applied in choosing third parties, and that policy should be codified in supplier agreements. Additionally, suppliers should be managed and audited according to the agreed requirements.

Meeting FFIEC Third-Party Guidance Using the Prevalent Platform

Prevalent can help address the third-party requirements recommended in both the Business Continuity booklet Appendix J, and the Information Security booklet Oversight of Third-Party Service Providers section.

To address FFIEC recommendations, Prevalent:

• Enables internal control-based assessments (based on industry-standard framework or custom questionnaires) to match requirements to the level of risk presented by the relationship per the recommendations in BCP booklet, Appendix J to establish a well-defined relationship with technology service providers (TSPs) for business resilience.
• Focuses questions on Business Continuity Planning, including impact analysis, operational risk assessment, and business recovery management per the recommendations in the Due Diligence section of BCP booklet, Appendix J. Prevalent examines the risk posed by both technology service providers and their subcontractors.
• Provides reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management to support recommendations in the Contracts section of BCP booklet, Appendix J.
• Provides a complete solution for performing assessments including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and address findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance to address the Ongoing Monitoring section of BCP booklet, Appendix J.
• Provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations to address the Cyber Resilience section of BCP booklet, Appendix J.
• Automates collection and analysis of vendor surveys using industry standard and custom questionnaires, bi-directional workflows, and robust reporting and full audit capabilities to verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks according to the Information Security Booklet, II.C.20 Oversight of Third-Party Service Providers.

Next Steps

Even though not required by statute, FFIEC provides sound guidance to financial organizations facing a third-party risk management audit. Prevalent helps organizations address these FFIEC IT Handbook recommendations with the framework to identify, measure, monitor, and mitigate the risks associated with outsourcing. Contact us today for a demo to see how.

Our Series Continues …

Next week’s blog examines the ISO Standards for Information Security.