Ascendant Design
and Training, LLC


Destiny Through Diligence

By Bridget Manley

Imagine being hired to the sole position exempted from an organization-wide hiring freeze. You might think you're pretty lucky, right?

Now, imagine that the organization is a bank, and its technology infrastructure is so far out of compliance with national standards that the bank is in danger of being shut down. You may not feel so lucky. Yet this is the situation Daniel Patterson faced when he was hired by a national bank in 2008.

Daniel did what any good autodidact does: He hit the books, combing through the federal regulations, and overcoming organizational resistance to bring his bank back from the brink.

It took nearly two years of constant dedication for Daniel to get the bank’s IT operational universe up to an acceptable level for their federal regulators, but upon reaching that level, his organization was able to pass that examination with the second-highest possible rating available to any bank. Examiners met with him personally to congratulate him for doing such a good job in meeting expectations. The following year, the bank would achieve the highest rating of IT operation possible.

So why does compliance matter?

Banks, especially federally chartered banks, otherwise known as national banks, are strictly regulated by governmental departments. The regulations for financial institutions cover every tiny aspect of operation, including but not limited to how electronic, software, and other information systems are to be configured, used, secured, and monitored.

Unfortunately, there often exists a disconnect between the goals of financial institutions and of their government regulators. If you focus on the government's perspective, you will often understand the reasoning behind the regulations. More times than not, regulations exist to protect one group of people or another. Following the established rules is intended to result in a good outcome. In stark contrast, there are a number of people who cannot fathom having their fates determined by what they consider to be uninformed, outside forces.

Compounding that potential for disconnect, all aspects of the banking business, including every policy, procedure, and every action performed by every job title are handled entirely by computerized systems. There is not one action you can take in any modern bank that isn’t authorized and acknowledged by computer entry, including cleaning the offices after hours. In some cases, it is only a secondary consideration for banks to contemporarily have any physical offices at all.

The state of absolute digitization of banks has had a vast effect on the level of expectation placed upon them by regulators. Whatever was not being sharply scrutinized in the times of paper and pencil is now included as being required in the examination for the sake of system documentation and security, if nothing else.

Yet what Daniel was able to find was that all of the thousands of specific expectations upon banks by the government are published in clear, easy to understand language that directly states how things need to be done. Furthermore, those expectations are derived with little or no change from long-standing acknowledged best-practices of every occupational role and subject they happen to cover, especially where Information Technology is concerned.

By following those documents exactly as stated, not taking any liberties, and reducing all possibility for interpretation wherever possible, Daniel came to believe that any bank can avoid all disagreements and misunderstandings with their regulators, while vastly improving their own technical prowess.

That information reference, published by the Federal Financial Institutions Examination Council, is referred to as the FFIEC IT EXAMINATION HANDBOOK, and it is available to the public at See the end of this article for an overview the specific subjects covered.

The fact that the format of the material is educational in its presentation, complete with exercises and worksheets, might lead you realize that the handbook is itself the basis of the test. Anyone coming to that conclusion early should immediately move to the front of the class. This documentation contains the verbatim material being taught to the same federal examiners visiting your bank. The specific questions they will be asking of your professional staff are directly embedded in this material.

Imagine knowing that to pass the mandated examination with a 100% rating, your bank must provide correct answers to every question. This may sound stressful. But the test becomes much more manageable when you realize you already have all of the answers to what amounts to an open-book test.

"It's as easy as that." Daniel says. "Every bank IT department in the United States is advised to study this material in its entirety and implement all of it to the letter. When the next examination comes, the entire bank will thank you for a successful review."

The full contents of the so-called handbook currently span thousands of pages in eleven separate volumes, but all of it is good, practical information that can equally be used as a total system operations handbook in any business that relies entirely on computerization for their daily production.

For anyone considering catching up on virtually all of the accepted standards of modern computer practice in a business environment, packed into a single free publication, the FFIEC IT EXAMINATION HANDBOOK is probably a great place to start. The publication contains useful information in the following categories.

  • Audit. Guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function.

  • Business Continuity Management. Guidance to examiners on the principles of BCM and approaches of business continuity planning and resilience; and examination procedures to help determine the effectiveness of business continuity and resilience.

  • Development And Acquisition. Guidance to examiners to determine whether an institution effectively identifies and controls development and acquisition risks.

  • E-banking. Guidance to examiners on identifying and controlling the risks associated with e-banking activities.

  • Information Security. Guidance to examiners on factors to assess information security risks and procedures to evaluate the adequacy of the information security program.

  • Management. Guidance to examiners outlining the principles of overall governance and IT governance and provides examination procedures to evaluate IT governance and processes for ITRM.

  • Operations. Guidance to examiners on risk management processes for the IT operations universe at institutions and procedures to evaluate controls mitigating risks of IT architecture, infrastructure, and operations.

  • Outsourcing Technology Services. Guidance and examination procedures for examiners evaluate risk management processes to establish, manage, and monitor third-party service provider relationships.

  • Retail Payment Systems. Guidance to examiners on identifying and controlling risks associated with retail payment systems and related banking activities.

  • Supervision of Technology Service Providers. Outlines the Agencies' risk-based supervisory program and includes the examination ratings used for regulated financial institutions and their third-party service providers.

  • Wholesale Payment Systems. Guidance to examiners on the risks and risk management practices when originating and transmitting large-value payments.