Regulatory requirements are a key operational concern that we hear about from our financial customers. As a key provider of technology for mission-critical financial system infrastructures across the globe, Cisco is held to the highest levels of scrutiny in the financial services regulatory audit chain. We have helped customers navigate the complex requirements and landscape to help keep them protected when 100% of their business relies on our equipment in the value chain.

A key challenge is managing iterations of infrastructure in global financial enterprises, which have spanned 50+ years of digitization. These systems are continually being replaced with newer and better ones; however, it takes a long time to sunset the legacy technology. This leads to many generations of installed technology sets with diverse hardware and software systems, all of which need to be tracked, managed, secured, and audited. Regular external examination is a necessary challenge to ensure the hygiene of these systems is maintained amidst a backdrop of increasing cyber risk.

Streamlining the IT audit process

The Federal Financial Institutions Examination Council, better known as the FFIEC, is a formal U.S. government interagency body charged with helping streamline the audit process. A number of our financial institution customers are regulated by multiple, and different, regulatory bodies. In the U.S., a few of these agencies include the Federal Reserve (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller (OCC), and the Consumer Financial Protection Bureau (CFPB). If every agency had its own examination criteria for assessment, it would be exceptionally difficult for financial institutions to get work done.

FFIEC - provides uniform, interagency principles for the audit of financial institutions
To help streamline audits, the FFIEC, as an interagency body, creates uniform principles, standards, and report forms for federal examinations of financial institutions. With a consistent set of audit criteria and forms, a financial institution can have one audit that satisfies numerous federal regulatory agencies, which keeps the regulatory playing field level. The FFIEC’s scope is much broader than simply the IT aspects of digital financials, as it includes credit markets, fraud, BSA/AML, liquidity, and other areas of interest for regulatory bodies.

IT Governance in Financial Services

Over the next few weeks and months, we’ll be contributing blogs that focus on the FFIEC’s requirements in the information technology space, covering the following distinct areas:

  • The Cybersecurity Maturity Assessment and how to use it
  • The 2021 Updates in the Architecture, Infrastructure, and Operations book
    • Hardware and Software Lifecycles
    • Common Risk Management Topics: Architecture, Data, IT
    • Infrastructure Management
    • Operations and Operational Processes
  • Cisco tools that can satisfy regulatory governance requirements

The goal of this series of blogs is to help the IT teams of financial institutions be aware of the regulatory concepts dealt with further upstream in an organization, and to promote tools that simplify the hardening of systems and the streamlining of audits.


William Nellis

Business Transformation Systems Engineer