Third Party Risk Management

FFIEC Examiner Updates

Executive Summary: OCC Docket ID OCC-2021-0011

On June 30th, 2021, the FFIEC issued new guidance to its examiners; this is the first update to examiner guidance since July 2004. While there are no new requirements for financial institutions, the evidence that examiners may request and review has been updated. Below is an executive summary prepared by Fortrex Technologies.

Architecture, Infrastructure, and Operations booklet (AIO)

The booklet does not impose requirements on entities. Instead, this booklet describes principles and practices that examiners review to assess an entity’s AIO functions.

With the publication of this booklet, the FFIEC member agencies replace the “Operations” booklet issued in July 2004. The title change reflects the overall importance of an entity’s architecture, infrastructure, and operations (AIO). For IT Handbook purposes, the term “entities” includes depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.

  • Explains how architecture, infrastructure, and operations are separate, but related, functions that, together, assist management in overseeing an entity’s activities related to designing, building, and managing the entity’s technology.
  • Discusses how appropriate governance of the architecture, infrastructure, and operations functions and related activities can
        • promote risk identification across banks, as well as nonbank financial institutions, bank holding companies, and third-party service providers.
        • support implementation of effective risk management.
        • assist management through the regular assessment of the entity’s strategies and plans.
        • promote alignment and integration between the functions.

Management should implement a process, such as a life cycle approach, to continuously manage technology to support operational needs and mitigate AIO-related risks. (Introduction)

To address risks, management should employ effective governance that includes the following:
  • Delineation of board and senior management responsibilities
  • Strategic planning
  • Enterprise risk management (ERM)
  • Delineation of other roles and responsibilities
  • Policies, standards, and procedures
  • Internal audit, independent reviews, and certifications
  • Communications
  • Board and senior management reporting

Board and Senior Management Responsibilities Action Summary (p 4)

The board is responsible for overseeing, and senior management is responsible for implementing and maintaining, a safe and sound operating environment that supports the entity’s goals and objectives and complies with applicable laws and regulations. Management should establish responsibility and accountability for the administration of the day-to-day functions of the IT environment.

Examiners should review for the following:
  • Board regularly receives reports on AIO functions and activities from management
  • Discussions regarding AIO with the board are captured in meeting minutes
  • Tracking mechanisms and processes are in place to monitor issues related to AIO to their resolution

Internal Audit, Independent Reviews, and Certification Processes Action Summary (p 12)

The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with applicable laws and regulations, and helps ensure adherence to contractual agreements and entity policies, standards, and procedures to mitigate risks.

Examiners should review for the following:
  • Independence of AIO-related audits or other reviews
  • Appropriate scope and detail of AIO-related audits or other reviews
  • Applicable reporting of the AIO-related audit results to the board
  • Evaluation of third-party service providers’ AIO-related audit or review reports
  • Qualifications of auditors reviewing AIO functions and activities

Data Governance and Data Management Action Summary (p 15)

Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes.

Examiners should review for the following:
  • Data identification and classification processes
  • Data management controls for safeguarding data in physical and digital form
  • Effectiveness of processes for monitoring new and existing databases, noncompliant or misconfigured databases, and changes to the databases
  • Effectiveness of processes for securing databases, analytics tools, and reports
  • Processes for controlling non-masked data in non-production environments
  • Processes for patching databases and monitoring whether the patch level of the production database is up to date

IT Asset Management Action Summary (p 22)

Management should have appropriate ITAM processes to track, manage, and report on the entity’s information and technology assets.

Examiners should review for the following:
  • Policies, standards, and procedures
  • Technology asset inventories
        • Hardware inventory, including telecommunications
        • Software inventory
  • Processes to address IT asset EOL
  • Processes to prevent and detect unknown or unapproved technology (called shadow IT)

ARCHITECTURE Action Summary (p 43)

Management should design, apply, and align its IT architecture to meet the strategic and business objectives of the enterprise. The architecture plan should meet the entity’s needs for confidentiality, integrity, and availability to minimize operational and reputational risks resulting from poorly designed systems.

Examiners should review for the following:
  • Identification of the entity’s information and technology assets
  • Assessment of future enterprise IT needs
  • Documentation of the architecture plan, including policies, standards, and procedures
  • Development of appropriate design objectives, including changes, EOL, and identification of shadow IT
  • Design of IT architecture (e.g., in-house, virtualization and cloud, or hybrid)
  • Documentation of EA elements

INFRASTRUCTURE Action Summary (p 54)

Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity’s business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to safeguard facilities, technology, data, and personnel. IT infrastructure implementation practices should include redundancy and resilience for physical infrastructure elements and related products, services, and telecommunications.

Examiners should review for the following:
  • Processes to identify, track, and monitor infrastructure components
  • Contractual arrangements addressing infrastructure, if applicable
  • Sufficient resources with infrastructure knowledge, skills, and expertise
  • Network configuration management and change control processes
  • Security and monitoring processes to analyze data traffic and detect anomalous activity
  • Software planning to address:
        • Scalability, interoperability, and portability
        • Adequate software controls
        • Use of and controls over open source software
  • Mainframe controls, if applicable, to address unique risks associated with mainframes
  • Security controls for the use of application programming interfaces (APIs)
  • Environmental and physical access controls

Operational Controls Action Summary (p 74)

Management should develop and implement operational controls to safeguard the entity’s operational environment. These controls should be designed to protect the overall environment, including the physical facilities, infrastructure supporting the entity’s operations, systems and software, and personnel.

Examiners should review for the following:
  • Effective controls over the entity’s operating centers, including physical and logical controls
  • Defined and appropriately administered authorization boundaries containing the entity’s systems, software, and information
  • IAM methods used to appropriately identify and authenticate authorized users
  • Personnel controls (e.g., hiring and retention practices, maintaining appropriate skillsets and knowledge, and activity monitoring processes) to maintain an effective workforce
  • Controls allowing for the use of personally owned devices

IT Operational Processes Action Summary (p 76)

Management should implement effective IT operational processes to reduce the number of potential operational failures and minimize the impact of issues that occur. Management should evaluate the effectiveness of those IT operational processes and adjust them as needed.

Examiners should review for the following:
  • Appropriate preventive maintenance or operational restoration processes for equipment within the facilities that support the entity’s business objectives
  • Configuration management processes
  • Effective vulnerability and patch management processes
  • Backup and replication processes that facilitate recovery
  • Scheduling processes to manage and effectively use IT resources (e.g., hardware and processing time)
  • Capacity management processes that support the entity’s current and future strategic objectives
  • Log management processes that allow management to capture system, software, and physical access activities
  • Processes for the appropriate disposal of data and media

Service and Support Processes Action Summary (p 84)

Management should develop and implement service and support processes. These processes should be designed to support an entity’s strategic goals and objectives by preventing issues, ensuring continuous reliability and resilience, and supporting users (e.g., business lines, personnel, and customers).

Examiners should review for the following:
  • Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements
  • Communication processes with business line management
  • Operational support processes, controls, and mechanisms to report transmission and processing errors
  • Processes to document and track issues through resolution
  • Documented event, incident, and problem management processes

Ongoing Monitoring and Evaluation Processes Action Summary (p 88)

Management should develop processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement.

Examiners should review for the following:
  • Implementation of processes to monitor and report on control effectiveness
  • Stakeholder input into the types of reports and metrics produced
  • Defined objectives for IT, operations, and key performance indicators (KPIs)
  • KPIs that align with the entity’s ERM processes
  • Processes for reporting KPIs to the board
  • Implementation of corrective action plans when KPIs do not meet established targets
  • Processes to recommend changes in operations processes and controls
  • Strategies for service and process improvement and methods to measure the results of those improvement efforts

Examination Procedures & Workbook (p 104)

The handbook and supporting FFIEC documents are available via the link below.

https://ithandbook.ffiec.gov/it-booklets/architecture,-infrastructure,-and-operations.aspx