NEW WHITE PAPER: See how Prevalent TPRM Platform capabilities map to specific compliance requirements!

FFIEC IT Examination Handbook Compliance

Complying with FFIEC IT Examination Guidance

Vendor Risk AssessmentThe Federal Financial Institutions Examination Council (FFIEC) is an interagency body empowered to establish guidelines and uniform principles and standards for the federal examination of financial institutions. The FFIEC has authored a series of booklets on specific topics of interest to field examiners that prescribe uniform principles and standards for financial institutions.

FFIEC and Third-Party Risk Management

The FFIEC offers a set of handbooks or booklets to be used by examiners of financial institution IT practices. The handbooks cover many subjects including Audit, Business Continuity Planning (BCP), Information Security, Outsourcing Technology Services, and other topics. 

The FFIEC IT Booklets require robust management and tracking of third-party supplier business continuity planning (BCP) and IT security risk. The FFIEC Business Continuity booklet includes an Appendix J addressing the need to strengthen the resilience of outsourced technology services, and the Information Security booklet includes a specific section on Oversight of Third-Party Service Providers.

The goal of the FFIEC IT Examination Handbook is to heighten cybersecurity awareness for the financial industry and stress the importance of accurate cybersecurity assessments, including those for technology service providers. Adhering to these guidelines requires a full set of controls implemented across the supplier organization. 

Relevant Guidance

The FFIEC IT Booklets specify that:

  • A policy for managing risk should be in place
  • Relevant due diligence should be applied in choosing third parties
  • Policy should be codified in supplier agreements
  • Suppliers should be managed and audited according to the agreed requirements

White Paper: Satisfying Compliance with Third-Party Risk Management Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how the Prevalent Third-Party Risk Management Platform maps to specific mandates enabling you to achieve compliance while mitigating vendor risk. 

Read Now

Meeting FFIEC IT Examination Handbook Guidance for Third-Party Risk Management

Here's how Prevalent can help you address FFIEC third-party risk management guidelines:

Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook

Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services How Prevalent Helps

Third Party Management 

 "Establishing a well-defined relationship with technology service providers (TSPs) is essential to business resilience. A financial institution's third-party management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangement. To ensure business resilience, the program should include outsourced activities that are critical to the financial institution's ongoing operations."

The Prevalent TPRM platform enables internal control-based assessments (based on industry-standard framework questionnaires and/or custom questionnaires). This selection enables an organization to match the assessment’s requirements to the level of risk presented by the relationship.

In addition, the platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods. 


Third Party Management – Due Diligence 

"As part of its due diligence, a financial institution should assess the effectiveness of a TSP's business continuity program, with particular emphasis on recovery capabilities and capacity. In addition, an institution should understand the due diligence process the TSP uses for its subcontractors and service providers. Furthermore, the financial institution should review the TSP's BCP program and its alignment with the financial institution's own program, including an evaluation of the TSP's BCP testing strategy and results to ensure they meet the financial institution's requirements and promote resilience."


Prevalent’s standards-based and custom questionnaires focus on Business Continuity Planning, including impact analysis, operational risk assessment, and business recovery management. The Prevalent Assessment service examines the risk posed by both technology service providers and their subcontractors. 


Third Party Management – Contracts 

"Right to audit: Agreements should provide for the right of the financial institution or its representatives to audit the TSP and/or to have access to audit reports. A financial institution should review available audit reports addressing TSPs' resiliency capabilities and interdependencies (e.g., subcontractors), BCP testing, and remediation efforts, and assess the impact, if any, on the financial institution's BCP."


The Prevalent TPRM platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.


Third Party Management – Ongoing Monitoring 

Effective ongoing monitoring assists the financial institution in ensuring the resilience of outsourced technology services. The financial institution should perform periodic in-depth assessments of the TSP's control environment, including BCP, through the review of service provider business continuity plan testing activities, independent and/or third-party assessments to assess the potential impact on the financial institution's business resilience. The financial institution should ensure that results of such reviews are documented and reported by the TSP to the appropriate management oversight committee or the board of directors and used to determine any necessary changes to the financial institution's BCP and, if warranted, the service provider contract.”


The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and address findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance.


Cyber Resilience 

“Cyber threats will continue to challenge business continuity preparedness. Financial institutions and TSPs should remain aware of emerging cyber threats and scenarios and consider their potential impact to operational resilience. Because the impact of each type of cyber event will vary, preparedness is the key to preventing or mitigating the effects of such an event.”


The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enables you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk. 

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks.

Examples of business information collected during the analysis include:

  • M&A activity
  • Layoffs
  • Lawsuits
  • Data breaches
  • Product recalls
  • Bankruptcy
  • Capital transactions: debt, equity
Information Security Booklet How Prevalent Helps

II.C.20 Oversight of Third-Party Service Providers

"Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks. The institution's contracts should do the following:

  • Include minimum control and reporting standards
  • Provide for the right to require changes to standards as external and internal environments change
  • Specify that the institution or an independent auditor has access to the service provider to perform evaluations of the service provider's performance against the Information Security Standards."

The Prevalent Assessment service simplifies compliance and reduces risk with automated collection and analysis of vendor surveys using industry standard and custom questionnaires. Bi-directional workflows provide back and forth communication with technology service providers to address findings and remediation efforts.  Robust reporting and full audit capabilities streamlines proper performance review. Access to completed assessments and audits can be delegated to auditors via standard RBAC capabilities in the platform. 

The Prevalent Difference

The Prevalent Third-Party Risk Management Platform provides a complete framework for managing the risk posed by third-party suppliers. Automated vendor assessments, continuous threat monitoring, assessment workflow, remediation management, and audit and compliance reporting is easily accommodated from a single repository of vendor risks.