{"id":6421,"date":"2021-12-15T14:00:53","date_gmt":"2021-12-15T14:00:53","guid":{"rendered":"https:\/\/www.trintech.com\/ffiec-compliance-cloud-technology-and-security\/"},"modified":"2023-02-08T15:41:26","modified_gmt":"2023-02-08T15:41:26","slug":"ffiec-compliance-cloud-technology-and-security","status":"publish","type":"post","link":"https:\/\/www.trintech.com\/blog\/ffiec-compliance-cloud-technology-and-security\/","title":{"rendered":"Financial Institution Focus: FFIEC Compliance for Cloud Technology"},"content":{"rendered":"<p>Financial institutions have a distinctive set of requirements when looking at technology. Not only are they looking for efficiency gains through automating back-office activities, but they also need to balance that with the risk of introducing new vendors and processes into the mix.<\/p>\n<p>FIs are held to a higher standard than other industries. Ensuring they\u2019re maintaining FFIEC compliance (Federal Financial Institutions Examination Council) with additional rigor, structure, and reporting means that they need extra process layers on top. These types of processes can add friction to the system, slowing things down and creating errors and unreliable reporting.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-26912\" src=\"https:\/\/www.trintech.com\/wp-content\/uploads\/2023\/01\/FFIEC-Compliance-1-scaled.jpg\" alt=\"Maintaining FFIEC compliance is especially important for financial institutions working in the cloud.\" width=\"722\" height=\"353\"><\/p>\n<h2><strong>Cloud Technology and Security Come with Their Own Requirements<\/strong><\/h2>\n<p>As the saying goes, everyone has a boss (or stakeholder). If you\u2019re a bank, mortgage provider, or financial service company, your boss is your customer; for a credit union, your bosses are your members. 
As a bank or credit union, when you take a deposit from a customer, there is a legal and inherent agreement that you will provide security around that person\u2019s savings.<\/p>\n<p>To safeguard the service you provide, you built systems and processes to ensure there is accurate accounting for all money as it flows through the system and that what you said happened actually happened. When you are introducing new processes, it\u2019s important to evaluate how well they fit in the current control environment and whether you are meeting the commitments to your stakeholders. We have covered <a href=\"https:\/\/www.trintech.com\/blog\/guide-evaluating-saas-technology-close-software\/\" target=\"_blank\" rel=\"noopener\">how you can evaluate SaaS software<\/a> in another article, but knowing that FIs have a specific set of requirements and regulations to adhere to, it\u2019s important to consider your provider\u2019s understanding of those requirements as well.<\/p>\n<h3><strong>FFIEC Compliance<\/strong><\/h3>\n<p>An FFIEC audit is one of the most important compliance events for North American banks and credit unions. These audits also come with an information technology risk component. 
There are several domains associated with an FFIEC audit, and mapping provider controls to FFIEC elements helps provide confidence.<\/p>\n<ul>\n<li><strong>Domain 1:<\/strong> Cyber Security Risk Management and Oversight<\/li>\n<li><strong>Domain 2:<\/strong> Threat Intelligence and Collaboration<\/li>\n<li><strong>Domain 3:<\/strong> Cybersecurity Controls<\/li>\n<li><strong>Domain 4:<\/strong> External Dependency Management<\/li>\n<li><strong>Domain 5:<\/strong> Cyber Incident Management and Resilience<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-26911\" src=\"https:\/\/www.trintech.com\/wp-content\/uploads\/2023\/01\/FFIEC-Compliance-2-scaled.jpg\" alt=\"Cloud technology and security audits cover a variety of domains, from risk management to threat intelligence and collaboration.\" width=\"688\" height=\"336\"><\/p>\n<h3><strong>Financial Services \u2013 Information Sharing and Analysis Center (FS-ISAC)<\/strong><\/h3>\n<p>We all learn from those who came before us and by being part of a community. The FS-ISAC community consists of over 16,000 active users across 70 countries who meet to network on cyber threat anticipation, risk mitigation, and response. When you are evaluating solutions, knowing that a vendor is plugged into this community can provide additional comfort that they are engaged with the most up-to-date security and compliance practices specific to FIs.<\/p>\n<h3><strong>Risk Questionnaire (SIG Lite, CAIQ)<\/strong><\/h3>\n<p>RFPs and questionnaires are commonplace when evaluating cloud technology and security. When it comes to vendor risk management and compliance, there are two popular questionnaires: the SIG Lite and the Consensus Assessments Initiative Questionnaire (CAIQ). 
Both provide a comprehensive look at the vendor\u2019s security posture so you can make the best assessment for your organization and your customers or members.<\/p>\n<h3><strong>SOC 1 (Type II) and SOC 2 (Type II) audits<\/strong><\/h3>\n<p>Last but certainly not least, SOC stands for Service Organization Control (type 1 and 2). SOC reports provide assurance that you have a secure chain with solid financial and security controls in place upstream and downstream. You should insist that your current and prospective providers (and their data center providers) make their SOC 1 and SOC 2 reports available to you.<\/p>\n<h2><strong>The Blueprint for Excellence with FFIEC Compliance<\/strong><\/h2>\n<p>In 2021, Trintech kicked off an effort to apply an FFIEC compliance blueprint to ensure that our information technology controls had clean alignment with the guidance given in the latest FFIEC IT Examination Handbook. Our goal is to ensure excellence in our own environment while helping our financial institution customers attain great outcomes of their own.<\/p>\n<p>We take a customer-centric approach to compliance by extending our controls and audits to meet our customers\u2019 regulatory compliance needs. Our approach to the financial institution market is an example of where our customers\u2019 desired outcomes have impacted the way we approach compliance.<\/p>\n<p><strong>Written by:<\/strong> <em>Michael Uram<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Financial institutions have a distinctive set of requirements when looking at technology. Not only are they looking for efficiency gains through automating back-office activities, but they also need to balance that with the risk of introducing new vendors and processes into the mix. FIs are held to a higher standard than other industries. 
Ensuring they\u2019re maintaining FFIEC compliance (Federal Financial Institutions Examination Council) with additional rigor, structure, and reporting means that they need extra process layers on top. These types of processes can add friction to the system, slowing things down and creating errors and unreliable reporting. Cloud Technology and Security Come with Their Own Requirements As the saying goes, &hellip;<\/p>\n","protected":false},"author":23,"featured_media":6425,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false},"categories":[1],"tags":[120,97,128,105,92],"topic":[],"product":[82,238],"class_list":["post-6421","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-adra","tag-cloud-solutions","tag-compliance-and-controls","tag-financial-transformation","tag-risk-management","target-user-chief-financial-officer-cfo","target-user-controller","target-user-information-systems-team-it-teams","content-type-article-thought-leadership","industry-banking-financial-services","product-adra","product-banking"],"acf":[],"lang":"en","translations":{"en":6421},"pll_sync_post":[],"_links":{"self":[{"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/posts\/6421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/comments?post=6421"}],"version-history":[{"count":0,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/posts\/6421\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/media\/6425"}],"wp:attachment":[{"href":"https:\/\/www.trintech.com\/
wp-json\/wp\/v2\/media?parent=6421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/categories?post=6421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/tags?post=6421"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/topic?post=6421"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.trintech.com\/wp-json\/wp\/v2\/product?post=6421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}