Guidance expanded for assessing technology risk, adequacy

(July 2, 2021) A new booklet issued this week by the FFIEC gives federal examiners expanded guidance on assessing the risk profile and adequacy of a credit union’s or other financial institution’s technology architecture, infrastructure and operations.

The exam council said the booklet replaces the “Operations” booklet issued nearly 17 years ago (in July 2004). According to the FFIEC, the booklet provides examiners with “fundamental examination expectations” on architecture and infrastructure planning, governance and risk management, and operations of regulated entities.

The agency said the booklet discusses the “interconnectedness” among a financial institution’s assets, processes, and third-party service providers along with “the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet updates, the exam council said, reflect the “changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems.” They also highlight the importance of providing current information to examiners reviewing an entity’s information management practices pertaining to safety and soundness, consumer protection, and provision of secure and resilient business services to customers, according to the agency.

CFPB release: Financial Regulators Update Examiner Guidance on Financial Institutions’ Information Technology Architecture, Infrastructure, and Operations