The Federal Financial Institutions Examination Council (FFIEC) is an interagency body empowered to establish guidelines and uniform principles and standards for the federal examination of financial institutions. The FFIEC has authored a series of booklets on specific topics of interest to field examiners that prescribe uniform principles and standards for financial institutions.
The FFIEC offers a set of handbooks or booklets to be used by examiners of financial institution IT practices. The handbooks cover many subjects including Audit, Business Continuity Planning (BCP), Information Security, Outsourcing Technology Services, and other topics.
The FFIEC IT Booklets require robust management and tracking of third-party supplier business continuity planning (BCP) and IT security risk. The FFIEC Business Continuity booklet includes an Appendix J addressing the need to strengthen the resilience of outsourced technology services, and the Information Security booklet includes a specific section on Oversight of Third-Party Service Providers.
The goal of the FFIEC IT Examination Handbook is to heighten cybersecurity awareness for the financial industry and stress the importance of accurate cybersecurity assessments, including those for technology service providers. Adhering to these guidelines requires a full set of controls implemented across the supplier organization.
A policy for managing risk should be in place
Relevant due diligence should be applied in choosing third parties
Policy should be codified in supplier agreements
Suppliers should be managed and audited according to the agreed requirements
Align Your TPRM Program with 13 Industry Standards
Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.
Meeting FFIEC TPRM Guidelines
Here's how Prevalent can help you address FFIEC third-party risk management guidelines:
Guidance | How Prevalent Helps |
---|---|
Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services |
|
Third Party Management "Establishing a well-defined relationship with technology service providers (TSPs) is essential to business resilience. A financial institution's third-party management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangement. To ensure business resilience, the program should include outsourced activities that are critical to the financial institution's ongoing operations." |
The Prevalent TPRM platform enables internal control-based assessments (based on industry-standard framework questionnaires and/or custom questionnaires). This selection enables an organization to match the assessment’s requirements to the level of risk presented by the relationship. In addition, the platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods. |
Third Party Management – Due Diligence "As part of its due diligence, a financial institution should assess the effectiveness of a TSP's business continuity program, with particular emphasis on recovery capabilities and capacity. In addition, an institution should understand the due diligence process the TSP uses for its subcontractors and service providers. Furthermore, the financial institution should review the TSP's BCP program and its alignment with the financial institution's own program, including an evaluation of the TSP's BCP testing strategy and results to ensure they meet the financial institution's requirements and promote resilience." |
Prevalent’s standards-based and custom questionnaires focus on Business Continuity Planning, including impact analysis, operational risk assessment, and business recovery management. The Prevalent Assessment service examines the risk posed by both technology service providers and their subcontractors. |
Third Party Management – Contracts "Right to audit: Agreements should provide for the right of the financial institution or its representatives to audit the TSP and/or to have access to audit reports. A financial institution should review available audit reports addressing TSPs' resiliency capabilities and interdependencies (e.g., subcontractors), BCP testing, and remediation efforts, and assess the impact, if any, on the financial institution's BCP." |
The Prevalent TPRM platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process. |
Third Party Management – Ongoing Monitoring “Effective ongoing monitoring assists the financial institution in ensuring the resilience of outsourced technology services. The financial institution should perform periodic in-depth assessments of the TSP's control environment, including BCP, through the review of service provider business continuity plan testing activities, independent and/or third-party assessments to assess the potential impact on the financial institution's business resilience. The financial institution should ensure that results of such reviews are documented and reported by the TSP to the appropriate management oversight committee or the board of directors and used to determine any necessary changes to the financial institution's BCP and, if warranted, the service provider contract.” |
The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and address findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance. |
Cyber Resilience “Cyber threats will continue to challenge business continuity preparedness. Financial institutions and TSPs should remain aware of emerging cyber threats and scenarios and consider their potential impact to operational resilience. Because the impact of each type of cyber event will vary, preparedness is the key to preventing or mitigating the effects of such an event.” |
The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enables you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk. Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks. Examples of business information collected during the analysis include:
|
Information Security Booklet |
|
II.C.20 Oversight of Third-Party Service Providers "Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks. The institution's contracts should do the following: Include minimum control and reporting standards |
The Prevalent Assessment service simplifies compliance and reduces risk with automated collection and analysis of vendor surveys using industry standard and custom questionnaires. Bi-directional workflows provide back and forth communication with technology service providers to address findings and remediation efforts. Robust reporting and full audit capabilities streamlines proper performance review. Access to completed assessments and audits can be delegated to auditors via standard RBAC capabilities in the platform. |
Agencies that make up the FFIEC prescribe best practices and for all field examiners conducting audits...
Building a clear set of policies can help propel your organization’s third-party risk management practices and...
Reveal TPRM requirements in 13 regulations and gain best practices for simplifying compliance.