Expanded examiner guidance looks at assessing risk profile, adequacy of financial institution technology

Expanded guidance on assessing the risk profile and adequacy of a financial institution’s technology architecture, infrastructure, and operations for federal examiners is provided in a new booklet issued Wednesday by the umbrella group for federal regulators.

The Federal Financial Institutions Examination Council (FFIEC), which includes all three federal banking regulators, the National Credit Union Administration (NCUA), and the Consumer Financial Protection Bureau (CFPB), said the booklet replaces the “Operations” booklet issued nearly 17 years ago (in July 2004). According to the FFIEC, the booklet provides examiners with “fundamental examination expectations” on architecture and infrastructure planning, governance and risk management, and operations of regulated entities.

The agency said the booklet discusses the “interconnectedness” among a financial institution’s assets, processes, and third-party service providers along with “the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet updates, the exam council said, reflect the “changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems.” They also highlight the importance of providing current information to examiners reviewing an entity’s information management practices pertaining to safety and soundness, consumer protection, and provision of secure and resilient business services to customers, according to the agency.

CFPB release: Financial Regulators Update Examiner Guidance on Financial Institutions’ Information Technology Architecture, Infrastructure, and Operations