FFIEC IT Examination Handbook
The examination framework used by federal banking regulators to assess financial institutions' IT risk management — defining what "adequate" technology governance looks like in bank regulatory examinations.
The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook is a multi-volume guidance document used by Federal Reserve, OCC, FDIC, NCUA, and CFPB examiners when assessing financial institutions' information technology and cybersecurity risk management. The handbook consists of multiple booklets: the Architecture, Infrastructure and Operations (AIO) booklet, the Business Continuity Management (BCM) booklet, the Cybersecurity booklet (supplemented by the FFIEC Cybersecurity Assessment Tool, CAT), the Development and Acquisition booklet, the Management booklet, the Retail Payment Systems booklet, the Wholesale Payment Systems booklet, and the Supervision of Technology Service Providers (TSP) booklet. The CAT, while voluntary, has become a de facto examination baseline: it maps cybersecurity controls to NIST CSF domains and uses a maturity rating system that examiners reference during cybersecurity-focused reviews.
The engineering implications of FFIEC examination standards are most acute during safety and soundness examinations and technology-specific target examinations. The AIO booklet establishes examiner expectations for IT governance (board-level risk appetite, IT steering committees), architecture documentation (enterprise architecture programs, technology roadmaps), change management (SDLC controls, release management), and operations (capacity planning, performance monitoring, incident management). The BCM booklet's recovery time objective (RTO) and recovery point objective (RPO) standards are grounded in business impact analysis — examiners expect banks to demonstrate that their RTOs are achievable through tested DR procedures, not just documented aspirations. A common examination finding: banks with documented RTOs of 4 hours but untested failover infrastructure that actually requires 24+ hours to recover. The Development and Acquisition booklet creates specific software development standards including penetration testing, code review, and vulnerability management requirements.
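The RTO achievability finding above is easiest to avoid when DR test evidence is compared against documented targets mechanically rather than by reading runbooks. The following is an added example, not code from the FFIEC or from any institution's program: it takes constructed failover test records, computes the achieved RTO (outage declared to service restored) and achieved RPO (age of the newest data present on the recovery site at failover), and grades each system against its documented targets, reporting systems with a target but no test evidence as untested. The target values, system names, and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Documented targets in minutes (constructed values for this example).
RTO_TARGETS_MIN = {"core-banking": 240, "online-banking": 120, "wire-gateway": 60}
RPO_TARGETS_MIN = {"core-banking": 15, "online-banking": 30, "wire-gateway": 5}


@dataclass(frozen=True)
class DrTestRecord:
    """One failover exercise as captured in the test evidence log."""
    system: str
    outage_declared: datetime        # when the test scenario was invoked
    service_restored: datetime       # when the service passed post-failover checks
    last_consistent_data: datetime   # newest data present on the recovery site


def achieved_rto_minutes(rec: DrTestRecord) -> float:
    """Elapsed time from outage declaration to verified restoration."""
    return (rec.service_restored - rec.outage_declared).total_seconds() / 60


def achieved_rpo_minutes(rec: DrTestRecord) -> float:
    """Data lost at failover: gap between the outage and the newest recoverable data."""
    return (rec.outage_declared - rec.last_consistent_data).total_seconds() / 60


def assess_recovery_targets(records, rto_targets, rpo_targets):
    """Grade every system that has a documented RTO against its test evidence.

    Uses the worst observed result per system, since the evidence must show the
    target is met reliably, not on the best day. Systems with a target but no
    test record are reported as UNTESTED rather than silently passing.
    """
    by_system = {}
    for rec in records:
        by_system.setdefault(rec.system, []).append(rec)

    findings = {}
    for system, rto_target in rto_targets.items():
        tests = by_system.get(system, [])
        if not tests:
            findings[system] = {"status": "UNTESTED", "rto_target_min": rto_target}
            continue
        worst_rto = max(achieved_rto_minutes(t) for t in tests)
        worst_rpo = max(achieved_rpo_minutes(t) for t in tests)
        rpo_target = rpo_targets.get(system)
        rto_ok = worst_rto <= rto_target
        rpo_ok = rpo_target is None or worst_rpo <= rpo_target
        findings[system] = {
            "status": "MEETS" if (rto_ok and rpo_ok) else "FAILS",
            "rto_target_min": rto_target,
            "worst_rto_min": worst_rto,
            "rto_ok": rto_ok,
            "rpo_target_min": rpo_target,
            "worst_rpo_min": worst_rpo,
            "rpo_ok": rpo_ok,
            "tests_reviewed": len(tests),
        }
    return findings


# Constructed test evidence: core banking took about 26.5 hours against a 4-hour
# RTO (the finding described above); online banking met its targets; the wire
# gateway has a documented target but was never exercised.
SAMPLE_TESTS = [
    DrTestRecord("core-banking",
                 datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 10, 4, 30),
                 datetime(2024, 3, 9, 1, 50)),
    DrTestRecord("online-banking",
                 datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 3, 35),
                 datetime(2024, 3, 9, 1, 40)),
]

if __name__ == "__main__":
    for system, f in assess_recovery_targets(SAMPLE_TESTS, RTO_TARGETS_MIN,
                                             RPO_TARGETS_MIN).items():
        print(f"{system:16s} {f['status']:9s} "
              f"RTO target {f['rto_target_min']} min, "
              f"worst observed {f.get('worst_rto_min', 'n/a')} min")
```

Run in this form, the report is the kind of artifact an examiner can reconcile directly against the BIA: each documented target is paired with the measured result that supports it, and a target with no measurement is visible as a gap rather than hidden behind a runbook.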
The FFIEC's Technology Service Provider (TSP) supervision framework creates obligations for both banks and their cloud/technology vendors. Banks remain responsible for the activities of their TSPs, and examiners assess third-party risk management programs including vendor due diligence, contract requirements, and ongoing monitoring. The FFIEC issued a joint statement on cloud computing risk (2020) clarifying that bank responsibilities for security and resilience do not transfer to cloud providers — the shared responsibility model must be explicitly mapped in risk assessments. For fintech banks and de novo charters, FFIEC examination expectations for IT governance at early operational stages are lower than for established institutions, but examiners nonetheless assess whether the bank has a credible path to meeting full expectations. The OCC's Responsible Innovation framework and FDIC's FDiTech program have created specific examination pathways for technology-forward institutions that intersect with FFIEC standards.
We prepare financial institutions for FFIEC IT examinations by conducting pre-examination gap assessments using the FFIEC CAT and handbook booklets as the assessment framework, producing heat maps of control adequacy by domain and generating remediation roadmaps with examination-cycle timing. Our technology governance documentation programs produce board-ready IT risk reports, technology risk appetites, and enterprise architecture artifacts in formats aligned to FFIEC examiner expectations. We build BCM test programs with executable recovery runbooks and documented test evidence that directly addresses RTO achievability requirements.