All federally supervised financial institutions, credit unions, and banks have to comply with the guidelines that are set out by the Federal Financial Institutions Examination Council (FFIEC). These compliance obligations can be quite onerous and technical, especially as the agency increases its demands for strong cybersecurity protocols. However, the penalties for non-compliance are significant, as the federal government continues to regulate the financial industry with a heavy hand to reduce the risks that financial mismanagement poses to consumers.
What is the FFIEC?
The FFIEC was created in 1979 as a part of the Financial Institutions Regulatory and Interest Rate Control Act of 1978. The FFIEC is a council that consists of five financial regulators and agencies in the federal government:
- Consumer Finance Protection Bureau (CFPB)
- Federal Deposit Insurance Corporation (FDIC)
- Board of Governors of the Federal Reserve (FRB)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
The Council also has a State Liaison Committee (SLC) of five members from state-level financial regulatory agencies. Two of the Committee’s members are elected by the FFIEC, while the other three are appointed by the:
- Conference of State Bank Supervisors (CSBS)
- National Association of State Credit Union Supervisors (NASCUS)
- American Council of State Savings Supervisors (ACSSS)
Since 2006, one of the SLC’s members represents it at the FFIEC and has a vote in its operations.
According to the FFIEC, these members help the Council to further its mission of:
- Prescribing “uniform principles, standards, and report forms for the federal examination of financial institutions,”
- Making “recommendations to promote uniformity in the supervision of financial institutions,” and
- Encouraging “the application of uniform examination principles and standards by the state and federal supervisory authorities.”
Regulations pertaining to the FFIEC are published in Chapter XI of Title 12 of the Code of Federal Regulations (CFR).
The FFIEC was given additional oversight responsibility by the Housing and Community Development Act of 1980 to facilitate public access to data about mortgage information that financial institutions had to provide under the Home Mortgage Disclosure Act (HMDA).
The FFIEC’s Compliance Demands are Very Stringent
The standards that the FFIEC is tasked with making uniform apply to all federally supervised banks and financial institutions, as well as their:
- Holding companies, and
- Non-financial subsidiaries of both those holding companies and the financial institution itself.
These standards are extremely wide reaching and incredibly technical in nature. They are often categorized into eleven groups:
- Business continuity planning
- Development and acquisition
- Electronic banking
- Information security
- Information technology (IT) audit
- IT management
- Outsourcing technology services
- Retail payment systems
- Supervision of technology service providers
- Wholesale payment systems
Details about the compliance requirements are found in the FFIEC’s IT Handbooks.
All covered institutions have to come into compliance in all of these areas. This generally requires three steps:
- Preventive controls, to prevent unauthorized access to sensitive financial information,
- Detective controls, to detect strange and potentially nefarious activity, and
- Corrective controls, to deal with vulnerabilities in the IT infrastructure that have been found.
The FFIEC demands these precautions in order to protect the confidentiality of the financial institution’s consumers, protect their assets from hacks, and reduce risks of cyberattacks in the financial system. It audits financial institutions rigorously to ensure that they are ready for hacks and are capable of repelling them to protect the assets that are being held by the institution.
Cybersecurity is increasingly the number one concern of the FFIEC. As early as 2013, the Council created the Cybersecurity and Critical Infrastructure Working Group. This Group aims to create strong but feasible cybersecurity requirements and compliance obligations for financial institutions to meet. Given this attention to cyberattacks and hacking, it is especially important for financial institutions to take this portion of their compliance obligations seriously.
The Penalties for Noncompliance are Very Steep
While the FFIEC does not have the authority to impose fines and other penalties when it finds noncompliance, it is composed of agencies that do, making its lack of authority a mere matter of semantics. Financial institutions that fail to comply with the guidance issued by the FFIEC will not be penalized by the Council itself, but instead by the Council member that oversees their section of the financial industry. For example, a credit union would be penalized by the NCUA.
Those penalties can be quite steep. They depend on which member of the FFIEC regulates your financial institution.
Generally, the potential penalties of a finding of noncompliance are:
- A cease and desist order, demanding that you take corrective actions and potentially to pay restitution to affected victims
- A fine in the amount that the applicable federal agency thinks is justified, given the risk created by the noncompliance
- A prohibition order, which effectively puts the credit union, bank, or savings institution out of business
In addition, the FDIC has the power to revoke its insurance coverage of a financial institution. This makes it nearly impossible for the institution to function.
In many cases, multiple agencies impose penalties for a single instance of noncompliance.
In addition to these legal penalties, financial institutions that are found not to be in compliance with the requirements imposed by the FFIEC will also struggle with the reputational damage that comes with the announcement of the finding. When customers learn that their assets are at risk of cyberattacks because their institution is not in compliance with federal regulations, they are likely to close their accounts and go to competitors.
Several Frequently Asked Questions About Oberheiden P.C. and FFIEC Compliance
Are FFIEC Compliance Obligations Mainly Legal or Technical?
The FFIEC’s guidelines for compliance are both legal and technical, though the technical aspect of full compliance has become more arduous as more and more financial transactions take place online, more data gets stored, and cyberattacks become more common. The level of IT competence that it takes to reach full compliance is very high.
However, without legal guidance, your chosen information technology professionals will be basically blindfolded as they attempt to insulate your financial institution from cyberattacks and legal liability. The FFIEC’s technical and IT requirements contain lots of confusing terminology and terms of art. Sifting through these to deduce what the FFIEC is expecting of your company can be difficult.
Why Should I Hire a Compliance Team for FFIEC Requirements?
Because the costs of not doing this process correctly are steep.
First, the FFIEC regularly conducts audits of the institutions that it regulates. If its auditor finds that your institution is not in compliance with the FFIEC’s requirements, it will forward that information on to the FFIEC member that regulates your company. That regulator will then conduct its own intrusive investigation. If the results of the audit are confirmed or if other problems are found, you could be facing strict demands to take immediate corrective action, a hefty fine, or even a penalty that threatens your institution’s ability to operate.
Second, if news gets out that your institution was not in compliance with FFIEC’s requirements, it can seriously hurt your reputation in the financial field. Customers tend to avoid banks and credit unions that have been shown to not be taking all of the precautions necessary to fight off cyberattacks and secure their accounts. You can end up suffering far more in business lost than it would take to pay for a compliance team to meet the FFIEC’s demands.
Third, if your institution is the victim of a successful cyberattack that exploited weaknesses in your system that fell short of FFIEC regulations, you will suffer both the reputational harm and the exposure to legal liability of noncompliance, plus legal liability to the affected customers whose accounts have been compromised.
Why Doesn’t Oberheiden P.C. Call Itself the Best FFIEC Compliance Law Firm?
Because we think that is something that is better heard from our past clients than from us. Our lawyers are all highly experienced in business litigation and in satisfying compliance requirements, including in the financial industry. These past representations have given them invaluable insight into the steps that are best to take to reach full compliance and to insulate your institution, as well as the steps that are not going to cut it in the FFIEC’s eyes. That experience and our deep understanding of corporate and financial law, as well as cybersecurity issues, make Oberheiden P.C. a common choice for financial institutions that want to ensure their FFIEC compliance efforts are done the right way.
The Corporate Compliance Lawyers at Oberheiden P.C. Can Help
If your financial institution falls under the jurisdiction of the FFIEC or any of the Council’s member parties, you will have to come into compliance with a host of regulations or face significant penalties. Understanding and then satisfying these obligations is not easy. In many cases, the task of satisfying the legal and technical requirements of the FFIEC proves to be more than a financial institution’s in-house team can handle.
The corporate compliance lawyers at Oberheiden P.C. can help. Contact them online or call them at (888) 680-1745 to schedule an appointment.