Federal Financial Institutions Examination Council (FFIEC)

FFIEC overview

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body comprising five banking regulators that are responsible for US federal government examinations of financial institutions in the United States. The FFIEC Examiner Education Office publishes IT Examination Handbooks intended for field examiners from FFIEC member agencies.

The FFIEC Audit IT Examination Handbook contains guidance for these examiners to assess the quality and effectiveness of IT audit programs of both financial institutions and TSPs. Specifically, it includes mention of SOC 1, SOC 2, and SOC 3 attestation reports of the American Institute of Certified Public Accountants (AICPA) as examples of independent audit reports. However, the FFIEC recommends that financial institutions not rely solely on the information contained in these reports, but also use verification and monitoring procedures discussed in detail in the FFIEC Outsourcing Technology Services IT Examination Handbook.

Microsoft and FFIEC

Microsoft Azure, Microsoft Power BI, and Microsoft Office 365 are built to meet the stringent requirements of providing cloud services for financial services institutions. Azure provides financial institutions with SOC 1 Type 2, SOC 2 Type 2, and SOC 3 attestation reports produced by an independent auditing firm to help customers meet their own FFIEC compliance obligations. For example, the SOC 1 Type 2 attestation is performed under:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Professional Standards).
  • SOC 1 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA Guide).

The AICPA SSAE 18 standard replaced SAS 70, and it's appropriate for reporting on controls at a service organization relevant to user entities internal controls over financial reporting. This is the formal audit that financial institutions can leverage for third-party reviews of technology service providers when pursuing their own FFIEC specific compliance obligations for assets deployed on Azure. It includes auditor’s opinion on control effectiveness to achieve the related control objectives during the specified monitoring period.

Moreover, Azure has developed an Excel-based cloud security diagnostic tool intended to expedite a risk assessment that a financial institution may want to conduct relative to Azure services. The tool is based on a spreadsheet featuring 19 separate domains that identify requirements set forth in relevant standards and financial services-related regulations, including the FFIEC IT Examination Handbooks. The risk assessment tool is prepopulated with explanations for how Azure complies with requirements applicable to cloud service providers, and can assist customers in meeting their own FFIEC compliance requirements.

Also available to customers is the Azure FFIEC cloud security diagnostic workbook companion, which offers guidance on the use of Azure services and considerations for customer compliance with FFIEC requirements

Microsoft in-scope cloud platforms & services

  • Azure
  • Intune
  • Office 365, Office 365 U.S. Government
  • Power BI cloud service (either as a standalone service or as included in an Office 365 branded plan or suite)

Azure guidance documents

To assist financial institutions subject to FFIEC oversight with cloud adoption, Microsoft has published the following guidance documents that can be downloaded from the Service Trust Portal Data Protection Resources - Compliance Guides section:

  • Azure - Cloud security diagnostic tool
  • Azure - FFIEC cloud security diagnostic workbook companion

Office 365 and FFIEC

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Microsoft Entra ID, Azure Information Protection, Bookings, Compliance Manager, Delve, Exchange Online, Exchange Online Protection, Forms, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Defender for Office 365, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Cloud App Security, Office 365 Groups, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Viva Engage
GCC Microsoft Entra ID, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream

Office 365 audits, reports, and certificates

See the Office 365 SOC attestation reports.

Frequently asked questions

Can I use Microsoft compliance with SOC standards to meet the FFIEC compliance obligations for my institution?

To help you meet these obligations, Microsoft supplies the specifics about our compliance with SOC standards as described earlier. However, ultimately, it's up to you to determine whether our services comply with the specific laws and regulations applicable to your institution. The FFIEC also advises that 'users of audit reports or reviews shouldn't rely solely on the information contained in the report to verify the internal control environment of the TSP. They should use other verification and monitoring procedures as discussed more fully in the Outsourcing Technology Booklet of the FFIEC IT Examination Handbook.'

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources

Other Microsoft resources for financial services