On 6/30/2021, the CFPB announced that the Federal Financial Institutions Examination Council (FFIEC) issued a new IT booklet titled “Architecture, Infrastructure, and Operations.” According to the CFPB release, the booklet provides expanded guidance to help financial institution examiners assess the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations.
The new booklet replaces the “Operations” booklet issued way back in July of 2004, and it provides examiners with fundamental examination expectations regarding architecture and infrastructure planning, governance and risk management, and operations of regulated entities. The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures that help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.
Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems. The updated booklet also highlights the importance of providing current information to examiners reviewing an entity’s information management practices pertaining to safety and soundness, consumer protection, and provision of secure and resilient business services to customers.
The new IT booklet can be found here.