
What Happens if I Fail to Meet FFIEC Guidelines?

Posted by Andrew Igel on Dec 4, 2018

Financial institutions face approximately 85 serious cyber attacks each year. Of these attacks, one-third succeed. While this may not seem like a large number, consider that these threats put people's money at risk each time.

Threats led to the introduction of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC has created security guidelines since 1979. Security risks have changed and increased since the establishment of the guidelines.

That's why the FFIEC examination handbook gets updated regularly. These updates keep up with new risks and changing technology.

These FFIEC guidelines and audits may seem like a chore for financial institutions. They're for your benefit, though. Meeting the guidelines means you're striving to protect your institution's reputation and your customers’ information.

If you have an FFIEC audit coming up, you may wonder what happens if you fail to meet the FFIEC guidelines. The FFIEC auditor only reports non-compliance.

Having a report of non-compliance does not protect you from further penalties though. Other governing bodies can penalize you for not complying with regulations.

What are those penalties? Penalties will depend on the laws and regulations broken with non-compliance.

What Is FFIEC?

To understand the penalties involved, you need to understand what the FFIEC does. The FFIEC is an examination board that creates guidelines for cybersecurity standards. Laws and regulations from the major financial boards influence these guidelines.

This FFIEC board includes several financial regulatory boards, including:

  • The Board of Governors of the Federal Reserve (FRB)
  • The Federal Deposit Insurance Corporation (FDIC)
  • The Office of the Comptroller of the Currency (OCC)
  • The National Credit Union Administration (NCUA)

These boards create regulations and laws that govern different financial institutions. These regulations protect both the financial institutions and the people using them. The FFIEC uses these regulations to make auditing guidelines to keep financial information safe.

Why Is FFIEC Compliance Important?

Financial institutions face new and more dangerous cybersecurity threats each year. Banks and credit unions are obvious targets for hackers because the information they can steal is valuable. Hackers can use stolen information for ill-gotten gains, or sell it on the black market for a good price.

The FFIEC guidelines address the security threats by implementing measurement criteria. These measurements identify and provide protection against the biggest security threats. These measurements include:

  • Security monitoring, with SIEM systems, to identify security issues
  • Vulnerability management to watch for potential threats
  • Patch management to keep systems updated

The FFIEC IT Handbook provides definitions and regulations for compliance. By complying, institutions strengthen their information security, creating trust with their customers.


Consequences of Failing to Meet FFIEC Guidelines

An auditor can only make notes if they find you're not in compliance. Those notes will make their way to the appropriate boards for further review.

Remember, the FFIEC guidelines are based on regulations from the different regulatory boards. These boards have authority to act. They may place penalties on institutions that fail to comply with these laws.

Each board involved is in charge of specific institutions. The penalties will depend on several factors, including which board governs your institution and the severity of the non-compliance.

NCUA Penalties

The NCUA governs credit unions and other credit institutions. There are three possible penalties for failure to comply with FFIEC guidelines.

The NCUA may issue a cease & desist order. This order requires the institution to take specific actions to correct the security threats. These actions may include paying restitution to those put at risk by the security threat.

Fines are another possibility. These fines are at the discretion of the NCUA and are based on the severity of the risk. Other fees may be required if you have to appear before the board.

Continued non-compliance can lead to a prohibition order. This could put your institution out of business. These prohibition orders also affect individuals who don't comply.

The NCUA can prohibit individuals. This may stop them from working for other financial institutions in the future.

FRB and OCC Penalties

The FRB and OCC boards regulate banks and savings institutions. Failure to comply with FFIEC guidelines has consequences for these institutions. These consequences are similar to the penalties put in place by the NCUA:

  • Cease & desist and restitution orders
  • Fines and court fees
  • Prohibition orders

The cease and desist orders for these governing boards differ from those of the NCUA. There are different levels involved in these orders.

A filed notice gives the institution a chance to defend itself. A formal agreement is an agreement between the financial institution and the regulatory board. It verifies that the institution will follow through with corrective measures.

There are also corrective action directives. These require compliance with restitution and other corrective measures. These directives will depend on the institution involved.

FDIC Penalties

The FDIC is an insuring body that provides up to $250,000 in insurance for banks against loss. Because it insures the financial institutions, it requires them to meet its standards for security. Failure to comply with these guidelines can lead to similar actions as the others.

The FDIC can require corrective actions and further investigation regarding non-compliance. The FDIC can also remove insurance coverage. Banks that fail to comply with regulations or corrective actions may lose that coverage.

Without this financial backing, it would be difficult for banks to continue offering services. This could put the bank out of business.

Other Consequences for Non-Compliance

Corrective action isn't the only concern with failing to comply with FFIEC guidelines. The reputation of your financial institution is also at risk.

If your institution has a security breach, customers may lose trust in your institution. If security threats continue, customers will look for a more reliable institution. 

It's important that customers trust you to protect their information. Continued threats or public orders against your institution remove that trust and can put you out of business.

Ensuring Compliance with FFIEC Guidelines

The best way to ensure compliance with FFIEC guidelines is to implement a dedicated security monitoring system. This system will check for threats and update systems for compliance. For more information about using security monitoring systems, check out the services we offer.
