FFIEC Compliance


What is FFIEC?
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, compliance standards, and report forms for the examination of financial institutions by their regulating bodies. The FFIEC issues operating standards for financial institutions, including the use of information technology.

In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

Who is affected by FFIEC?
Financial institutions that are regulated by the following entities are subject to the examination standards of the FFIEC: the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), or the Office of Thrift Supervision (OTS).

What are the requirements of FFIEC?
The FFIEC's examination scope is comprehensive. The "Information Security" examination booklet contains a section on "Security Controls Implementation." In the subsection titled "Encryption," the FFIEC spells out the related examination requirements. Here are some of the salient points the FFIEC makes:
"Encryption is a key control in ensuring confidentiality, data integrity, and accountability."
"Financial institutions should employ an encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat."
"Generally speaking, authenticators are encrypted whether on public networks or on the financial institution's network. Sensitive information is also encrypted when passing over a public network and also may be encrypted within the institution."

The examination booklet also addresses key management: "Since security is primarily based on the encryption keys, effective key management is crucial." The FFIEC then goes on to specify what characterizes a secure key management system:
Key management is fully automated (e.g., personnel do not have the opportunity to expose a key or influence the key creation).
No key ever appears unencrypted.
Keys are randomly chosen from the entire key space, preferably by hardware.
Key-encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key-encrypting key. (A key-encrypting key is used to encrypt other keys, securing them from disclosure.)
All patterns in clear text are disguised before encrypting.
Keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to discover the key.
Keys are changed frequently. The cost of changing keys rises linearly while the cost of attacking the keys rises exponentially. Therefore, all other factors being equal, changing keys increases the effective key length of an algorithm.
Keys that are transmitted are sent securely to well-authenticated parties.
Key-generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service.
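The following is an added illustration, not CipherOptics or FFIEC code, of how several of the characteristics above look in a software key hierarchy: keys drawn from a CSPRNG over the entire key space, a key-encrypting key (KEK) kept separate from data keys (DEKs), DEKs stored only in wrapped form, a fresh nonce per message so clear-text patterns are disguised, and automatic DEK rotation after a fixed number of uses. The KEK, rotation threshold and 12-byte GCM nonce are assumptions of this example; in a real deployment the KEK would stay inside an HSM, and note that the DEK is still unwrapped briefly in process memory here, which is exactly what the booklet's "no key ever appears unencrypted" point pushes toward hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
type KeyStore struct { // constructed illustration of the FFIEC key-management points, not CipherOptics code
	kek, wrapped []byte // key-encrypting key (would live in an HSM) and the current data key (DEK), held only KEK-wrapped
	uses, maxUses int   // messages sealed under the current DEK, and the automatic rotation threshold
}
func NewKeyStore(maxUses int) *KeyStore { return &KeyStore{kek: randomBytes(32), maxUses: maxUses} }
func randomBytes(n int) []byte { // CSPRNG output: keys are drawn uniformly from the entire key space
	b := make([]byte, n)
	rand.Read(b) // cannot return an error on Go 1.24+; on older Go, check it and abort, never fall back
	return b
}
func gcm(key []byte) cipher.AEAD { // AES-256-GCM; keys here are always 32 bytes, so neither call can fail
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, plaintext []byte) []byte {
	nonce := randomBytes(12) // fresh nonce per message, so equal plaintexts never repeat as ciphertext
	return gcm(key).Seal(nonce, nonce, plaintext, nil) // output is nonce || ciphertext || tag
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// Encrypt rotates the DEK automatically when due and returns the wrapped DEK beside the ciphertext (envelope encryption).
func (ks *KeyStore) Encrypt(plaintext []byte) (wrappedDEK, ciphertext []byte) {
	if ks.wrapped == nil || ks.uses >= ks.maxUses {
		ks.wrapped = seal(ks.kek, randomBytes(32)) // the clear DEK is dropped right here
		ks.uses = 0
	}
	dek, _ := open(ks.kek, ks.wrapped) // unwrapped in memory only for this one operation
	ks.uses++
	return ks.wrapped, seal(dek, plaintext)
}
func (ks *KeyStore) Decrypt(wrappedDEK, sealed []byte) ([]byte, error) {
	dek, err := open(ks.kek, wrappedDEK) // the GCM tag rejects a wrapped DEK not made under this KEK
	if err != nil {
		return nil, err
	}
	return open(dek, sealed)
}
```

Because the wrapped DEK travels with each ciphertext, data sealed before a rotation still decrypts afterwards, while a wrapped DEK presented to a store with a different KEK, a tampered ciphertext, or a mismatched DEK is rejected by the GCM tag.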

How do financial institutions comply with FFIEC?
FFIEC compliance requires enterprises to deploy robust encryption solutions that protect information from disclosure, on the financial institution's own network and on shared external networks. Financial institutions must ensure data confidentiality and integrity. The FFIEC also mandates an effective key management system that complements and enables the encryption technology.

What are the penalties for FFIEC non-compliance?
The appropriate regulating body for each type of financial institution enforces its examination findings. For example, the FDIC issues enforcement actions and orders against state nonmember banks and insured branches of foreign banks.

How does CipherOptics help?
When you need to encrypt your data in motion, CipherOptics makes it easy. Whether you need to protect a single link, or your entire network, we eliminate the complexity of encrypting today's networks.

Our solutions combine standards-based, wire-speed encryption appliances with CipherEngine, the only policy definition and key distribution technology designed for multi-node networks. Together, they give you the highest level of data protection at the lowest total cost. CipherEngine gives you the power to protect data in motion wherever, however and whenever you want, without changes or disruptions to your network, your infrastructure, or your operations.

To see just how easy it can be to comply with FFIEC, call 1-877-878-6655 or feel free to ask us a question.


Helpful Resources
Booklet on Information Security (part of FFIEC Bank IT Examination Handbook)
Section on Encryption (Booklet on Information Security)