Financial FFIEC/GLBA Compliance

What is the FFIEC?

Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the U.S. federal government tasked with prescribing uniform standards, principles and report forms for the federal examination of financial institutions. The agencies that make up the FFIEC are:

-The Board of Governors of the Federal Reserve System (FRB)

-The Federal Deposit Insurance Corporation (FDIC)

-The National Credit Union Administration (NCUA)

-The Office of the Comptroller of the Currency (OCC)

-The Consumer Financial Protection Bureau (CFPB)

In addition to these five federal agencies, the State Liaison Committee (SLC) has been a voting member of the FFIEC since 2006 and comprises representatives from:

-The Conference of State Bank Supervisors (CSBS)

-The American Council of State Savings Supervisors (ACSSS)

-The National Association of State Credit Union Supervisors (NASCUS)

What is FFIEC Compliance?

For a financial institution to be considered FFIEC compliant, it must meet a standardized set of technical expectations for online banking, first set out in the FFIEC's Authentication in an Internet Banking Environment guidance of October 2005 and updated since. Institutions that must be FFIEC compliant also need to perform regular, comprehensive risk assessments of their internal environment to identify security weaknesses and likely threats. Becoming and remaining FFIEC compliant requires an institution to implement a comprehensive IT security program that covers, at a minimum, the following areas:

-Disaster Recovery & Business Continuity

-Secure Software Development & Procurement Practices

-Comprehensive Information Security Policies & Procedures

-Vendor Management

-Regular Cybersecurity Assessments, Audits & Reviews


Who Needs to be FFIEC Compliant?

Financial institutions supervised by the FFIEC member agencies that offer online banking must adhere to FFIEC guidance. Examples include:

-State-chartered banks that are members of the Federal Reserve System

-Bank holding companies

-Thrift holding companies

-Foreign banking organizations that have any of the following in the USA:

  -A branch or agency

  -A commercial lending company subsidiary

  -Bank subsidiaries


What happens if FFIEC Compliance is not met?

Financial institutions that fail to meet FFIEC guidance can be subjected to significant fines. The FFIEC itself has no enforcement authority; penalties are imposed by the member agencies that supervise the institution. Initial fines for failing to comply with FFIEC guidance can reach upwards of 2 million dollars (USD), and if the institution is also facing federal prosecution for violating banking law, the fines can be far higher.

What is the GLBA?

The Gramm-Leach-Bliley Act, also known as the GLBA or the Financial Services Modernization Act of 1999, was enacted in 1999 and requires financial institutions to protect the security and confidentiality of customers' non-public personal information. Its privacy and data-protection requirements are divided into three parts:

  • The Privacy Rule: regulates the collection and disclosure of customers' non-public personal information, including the privacy notices institutions must provide.
  • The Safeguards Rule: requires financial institutions to implement a written information security program with administrative, technical and physical safeguards to protect that information. This rule also applies to ATM operators and to companies that receive non-public personal information from financial institutions, such as credit reporting agencies.
  • The Pretexting Provisions: prohibit obtaining customers' non-public personal information under false pretenses, for example by impersonating the customer or the institution.

In short, banks and other financial institutions must control how they collect, share and handle their customers' private information, maintain a security program to protect it, and never obtain or use that information under false pretenses.

Who Needs to be GLBA Compliant?

The GLBA defines a "financial institution" broadly as any company significantly engaged in financial activities, whether or not it calls itself a bank. This includes banks, credit unions, payday lenders, mortgage brokers, non-bank lenders, and personal property and real estate appraisers. If your organization makes loans, collects debts, or provides financial advice, the GLBA applies to you as well, regardless of your size. Banks, thrifts and credit unions are held to the GLBA by their federal banking regulators; for financial institutions outside those agencies' jurisdiction, the Privacy and Safeguards Rules are enforced by the Federal Trade Commission (FTC).