Solving the 3 Biggest Challenges of FFIEC Compliance

How Compliance Officers Can Fend Off Multiple Threats With One Converged Platform

In this series, we’re spotlighting the unsung heroes of regulatory compliance — and the weapons they need in today’s arena. They might not decide the fate of the planet, but compliance officers (COs) certainly hold the fate of financial institutions (FI) in their busy hands.

Last year, FIs saw 2,527 security incidents — 79% from basic web app attacks, errors, and system intrusions. Once stolen, user credentials can be sold in cyber-criminal forums and then used to commit fraud through account takeovers and identity theft.

In our first blog we explored how a modernized identity arsenal with better reporting, automated controls, and centralized Separation of Duties (SoD) management are essential for SOX compliance. In this installment, we’ll tackle the most important compliance event that a North American bank or credit union can face: an audit by the Federal Financial Institutions Examination Council (FFIEC) examiner. Here’s what COs need to keep their members protected, reputations trusted, and regulations cleared.

What is FFIEC?

The FFIEC is an interagency body that prescribes uniform principles, standards, and reporting for banks and provides a long list of assets and statements on cyberattacks. The FFIEC requires financial institutions to establish a baseline for the risk environment,  address the risks detected in the current environment, and plan for ongoing improvements in cybersecurity maturity.

FFIEC Challenge: Separation of Duties

While smaller community institutions may have difficulty finding and hiring staff with sufficient regulatory expertise, they’re still expected to maintain the same level of separation of duties (SoDs) as larger institutions.
Employees with unlimited access to an institution’s information-sensitive assets and technology could cause substantial damage and potential loss. According to the FFIEC handbook, FIs must run independent reviews or approvals for individuals who perform multiple functions, such as cash management and financial reporting to ensure network security, compliance, and healthy operations.

As more and more apps and workloads move to the cloud, access control becomes siloed. Achieving a unified view of identities and access in this environment becomes a challenge. Critical applications with complex authorization models are difficult to analyze.

COs need a standardized process to establish a baseline for the risk environment, including single and cross-application SoDs. To do this, they need fine-grained SoD controls, sensitive access entitlement rulesets for individual applications — and cross-application checks. Customizing the ranking of risks from Low to Critical ensures that industry and company-specific nuances are considered

How Saviynt Can Help

Saviynt’s Application Access Governance (AAG) solution includes fine-tuned rulesets for major  ERP applications and custom rulesets can also be built for applications with custom functionalities or to meet the unique needs of the institution. These are uploaded directly to Saviynt, equipping COs with ready-to-run SoD assessments in a few hours.

With Saviynt, rulesets can be managed along with mitigating controls that might be utilized to resolve SoD violations. COs can configure all of the steps for custom workflows with an easy drag-and-drop interface that will automatically validate the workflow.  AAG also delivers Separation of Duty checks and mitigating controls so you can quickly “get clean and stay clean” across applications. Workflow management can be handled by workflow owners, and you can edit, maintain, and approve versions of each workflow. As business or compliance needs change, you can update your workflow in just a few clicks.

FFIEC Challenge: Risk Monitoring and Reporting

The FFIEC requires FIs to provide a method of gathering data, disseminating reports, and prompting action. In other words, COs need to monitor, remediate and address the risks in Segregation of Duties (SoD) reports —- and document the controls that addressed those risks. Financial institutions and their Boards need a clear picture of their security posture and a clear audit trail that ensures risk is being accurately assessed and reported.

How Saviynt Can Help

Once rulesets are in place, Saviynt’s customized detective risk reports (which can be grouped by a range of metrics) establish the current state, the cleanup needed, and alignment with future goals.

More importantly, Saviynt can run sensitive access risk reports flagging potential or actual violations. What’s the difference? A potential SoD violation means that someone has permission to run both sides of a sensitive transaction, but they haven’t done it. An actual SoD violation means that they have actually executed both sides of a sensitive transaction. While this doesn’t necessarily mean something nefarious is going on, it is an area of immediate concern –- and those violations need to be cleaned up ASAP.  This and policy-based application access certifications ensure you have a regular review period to continue to make the small tweaks needed to optimize your environment.

Moving forward, the health of your applications can be constantly monitored with drill-down dashboards that let you set alerting and remediation thresholds for control violations, enable trend analysis, and log control violation history. Additionally, with our reporting functionality, you can drive actionable insights, automate decisions and generate compliance reports.

FFIEC Challenge: Third-Party Access

Threats frequently change, as do the vulnerabilities they target: new software, system updates, and third-party service providers all impact your inherent risk profile.

For effective FFIEC compliance oversight, COs need to identify, prevent, contain, and report any attempted third-party attacks.

To secure third-party relationships at scale, COs need to collect third-party non-employee data collaboratively with internal and external sources throughout the course of the relationship. Older systems process identities in static and inflexible ways, or have each function as a standalone process — or even require multiple products to complete one job, such as providing standard and privileged access. This often leads to administrators over-permissioning accounts using a “just in case” rather than a “just-in-time” approach to privileged access.

How Saviynt Can Help

Saviynt’s cloud-based, third-party access governance solution allows for seamless onboarding of third-party organizations and users. Saviynt automates low-risk access with intelligent out-of-the-box and custom controls and policies, assigning only the access that third parties need to meet their contractual requirements.

It’s important to have an intuitive user-friendly interface to be able to navigate to different functions and highlight what needs attention quickly. Whether you’re adding new users, looking at existing access, defining new roles, or designing workflows, a simple tile-based interface makes life easier for your teams and helps improve productivity. Saviynt allows FIs to quickly onboard, provision, monitor, audit, and remove time-bound relationships.

Manage Compliance Threats From a Central Location

COs have enough on their plate. They need less complexity — not more tools. That’s why Saviyint brings together five core identity products with a single, converged platform composed of five modular products, including IGA, Application Access Governance and the ability to support Privileged Access Management, Third-Party Access Governance, and Data Access Governance needs.

These are all built upon our intelligent identity warehouse that unlocks advanced identity analytics, contextualizes risk, and automates remediation. This single platform approach eliminates complexity and security silos to empower your team with a single point of control.

In our final installment, we’ll examine how COs can be better prepared to tackle the unique challenges of the Graham-Leach-Bailey Act (GLBA).