Compliance Center: FFIEC Releases Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, recently released a Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and assess their cybersecurity preparedness.

Financial institutions of all sizes may use the Assessment and other methodologies to perform a self-assessment and inform their risk management strategies. The release of the Cybersecurity Assessment Tool follows last year’s pilot assessment of cybersecurity preparedness at more than 500 institutions. The FFIEC members plan to update the Assessment as threats, vulnerabilities, and operational environments evolve.

In addition to the Assessment, the FFIEC has also made available resources institutions may find useful, including an executive overview, a user’s guide, an online presentation explaining the Assessment, and appendices mapping the Assessment’s baseline maturity statements to the FFIEC Information Technology Examination Handbook, mapping all maturity statements to the National Institute of Standards and Technology’s Cybersecurity Framework, and providing a glossary of terms.

The FFIEC members are also encouraging institutions to comment on the Assessment through an upcoming Paperwork Reduction Act notice in the Federal Register.

The FFIEC provides several resources to further awareness of cyber-threats and help financial institutions improve their cybersecurity. These resources are available on the FFIEC website at

Find the tool on the Cybersecurity Assessment Tool webpage.

Compliance Question of the Week

If our member writes their PIN number on their debit card and a thief uses that debit card with the PIN number to take money out of the account, does the credit union still have to pay even though the member’s own negligence caused the loss?

Yes. As unfortunate as this may be, the Commentary to the Electronic Fund Transfer Act says that “negligence by the consumer cannot be used as a basis for imposing greater liability than is permissible under Regulation E.” The Commentary goes on to give “writing the PIN on the debit card” as an example of negligence.

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA announced that it will be holding a technical assistance event on Wednesday, August 12, 2015 for minority and women-owned businesses interested in contracting with the federal government.

The NCUA announced that it will host a webinar, “Fine-Tuning Your Compliance Program: Common Compliance Violations,” on Tuesday, July 21, 2015. Credit unions can register for the free webinar here.

Consumer Financial Protection Bureau (CFPB)

The CFPB issued a request for information regarding the Consumer Complaint Database. The CFPB is looking for feedback on the best ways to normalize raw complaint data it makes available to the public. 

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC released its much-anticipated Cybersecurity Assessment Tool.

Federal Reserve Board (FRB)

The FRB released its June 2015 Senior Credit Officer Opinion Survey on Dealer Financing Terms.

The July edition of the FRB’s FedFocus is now available.

The Office of the Comptroller of the Currency (OCC)

The OCC released its Semiannual Risk Perspective for 2015.  The report covers risks facing national banks and federal savings associations regulated by the OCC. 

Federal Deposit Insurance Corporation (FDIC)

The FDIC released revised interagency examination procedures for the new TILA/RESPA Integrated Disclosures.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of July 2, 2015. The last update prior to this was June 24, 2015. 

Questions? Contact the Compliance Hotline: 1.800.546.4465,
