FFIEC Compliance Assessments

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that provides standardized information technology guidelines for financial institutions. These institutions must meet established guidelines for several key areas of IT governance and risk management.  Some of these areas include , Business Continuity Planning, Development and Acquisition, IT Security, IT Audit, IT Management, Operations, Retail Payment Systems to name but a few.

To maintain compliance, financial institutions are required to implement preventive controls (to protect against unauthorized access); detective controls (to identify abnormal activity); and corrective controls (to address previously identified vulnerabilities). These efforts can help protect the confidentiality, integrity, and availability of secure financial information.

360 Advanced FFIEC services

Our FFIEC Compliance Services

At 360 Advanced, we can help you meet your FFIEC compliance requirements. Our team has extensive experience in the financial services industry, offering:

FFIEC Gap Assessments

A gap assessment can help you evaluate your controls as they relate to FFIEC requirements. If our auditors identify areas of non-compliance, we will provide a formal report to help you document and prioritize a remediation plan. Failure to implement appropriate controls may expose the institution to potential loss from fines, penalties, and customer litigation.

FFIEC Compliance Assessments

Our FFIEC compliance assessments can help you determine the quality and effectiveness of your information security program. These assessments cover:

  • Culture
  • Governance
  • Security operations
  • Assurance processes
  • Other aspects of your information security program

Additionally, we will evaluate your controls for conformance with contracts; conformance with regulatory policies and guidance; and indicators of legal liability. These examination procedures (commonly referred to as the work program) are intended to help determine the effectiveness of your information security process.

At the end of the engagement, you will receive a formal FFIEC IT compliance report that you can share with customers, stakeholders, and governing bodies.

FFIEC Risk Assessments

The FFIEC requires financial institutions to complete routine risk assessments. Our team can help you assess:

  • New vulnerabilities in your legacy technologies
  • New systems that you have recently added to your IT environment
  • New or planned changes to your business (such as the selection of a new vendor; the launch of a new mobile banking application; or an upcoming merger or acquisition)

As new risks are identified, we can help you determine the potential impact on your organization, ranking each from least inherent risk to most inherent risk. This can help your leadership team develop more effective risk management strategies for your environment.

Preparing for an FFIEC Assessment

New to FFIEC compliance? Learn more about the Federal Financial Institutions Examination Council’s standards and regulations:

Who Needs to be FFIEC Compliant?

All federally supervised financial institutions – along with their holding organizations and subsidiaries – are required to comply with FFIEC regulations. Regulatory bodies can issue fines of up to $2 million for non-compliance.

While third-party service providers are not required to use the FFIEC framework, many choose to meet FFIEC standards if their customer base includes financial institutions. Because financial institutions are required to do due diligence on their vendors, voluntary proof of compliance can help third-party vendors provide additional assurance regarding their products and services.

Control Requirements

The FFIEC does not prescribe specific requirements for the implementation of privacy and security controls. For instance, instead of mandating specific password requirements, the FFIEC handbooks provide general recommendations for ensuring an appropriate level of password selection and complexity. This allows you to design and implement controls that reflect your organization’s unique needs.

Board and Management Responsibility

FFIEC compliance is not solely based on the implementation of physical, administrative, or technical controls. The council notes that “Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” Management is required to “continually review the institution’s security posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions.”

Cybersecurity Preparedness

While cybersecurity is not the sole focus of FFIEC regulations, the council does note that “because of the frequency and severity of cyber-attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.”

To help financial institutions improve their approach to cybersecurity, the FFIEC developed a Cybersecurity Assessment Tool based on the National Institutes for Standards and Technology’s Cybersecurity Framework. This tool helps organizations audit their efforts across a variety of domains, such as risk management, audit function, resources, training, culture, threat intelligence, endpoint security, coding, and event detection. It is completely voluntary to use this tool; however, it provides a measurable and repeatable process for IT risk assessments and cybersecurity preparedness.

Outsourcing and Due Diligence

Many financial institutions outsource some (or all) of their IT functions, opening them up to additional risks. As a result, financial institutions are required to confirm that each vendor’s third-party service providers (such as cloud computing vendors and data centers) meet FFIEC security standards. Learn more about FFIEC outsourcing requirements.


HITRUST® is a risk management framework that consolidates a variety of compliance initiatives, from federal regulations to industry-specific privacy and security laws.

Introduced in 2017, HITRUST CSF V.9 incorporates Federal Financial Institutions Examination Council information security requirements. Organizations can become certified across several standards at the same time, making it easier to meet a range of compliance goals.


Prev Arrow
Next Arrow

Begin your FFIEC
Assessment today!

Facing compliance, cybersecurity, or privacy challenges? We’re here for you. Fill out the contact form, and within 24 hours, our team will provide the expert guidance you need.

360 Cyber Resources

Explore a wealth of knowledge in our client stories, insightful blogs, cutting-edge white papers, and the latest press releases—your gateway to a repository of expertise and industry insights.