FFIEC Updates Business Continuity Planning Guidance; BSA Stats
Written by Shari R. Pogach, Regulatory Paralegal
The Federal Financial Institutions Examination Council (FFIEC) has revised its Business Continuity Planning Booklet with a new appendix entitled, Appendix J: Strengthening the Resilience of Outsourced Technology Services. In addition to providing guidance for examiners in evaluating financial institution and service provider risk management processes, the booklet was also designed to help financial institutions with business continuity process implementation.Â
The FFIEC recognizes that many financial institutions depend on third-party service providers to perform or support critical operations but warns that this does not relieve the institution from its responsibility to ensure that outsourced technology activities are conducted in a safe and sound manner. Oversight of these outsourced relationships is the responsibility of the institutionâÂÂs board of directors and senior managements. To be effective, a third-party management program will provide the framework for management to identify, measure, monitor and mitigate the risks associated with outsourcing.Â
In its release the FFIEC states, âÂÂSpecifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.âÂÂ
The appendix discusses four key elements of business continuity planning that should be addressed to ensure that an institution is contracting with technology service providers that are strengthening the resilience of technology services. The appendix covers:Â
- Third-Party Management - addresses managementâÂÂs responsibility to control the business continuity risks associated with its technology service providers and their subcontractors.
- Third-Party Capacity - addresses the potential impact of a significant disruption on a third-party servicerâÂÂs ability to restore services to multiple clients.
- Testing with Third-Party Technology Service Providers - addresses the importance of validating business continuity plans with technology service providers and considerations for a robust third-party testing program.Â
- Cyber Resilience - covers aspects of business continuity planning unique to disruptions caused by cyber events.
The booklet is part of the larger FFIEC Information Technology Examination Handbook. The IT Handbook is available here.
***
314(a) Fact Sheet. The Financial Crimes Enforcement Network (FinCEN) most recent 314(a) Fact Sheet indicates the agencyâÂÂs 314 Program Office has processed 2,391 law enforcement requests as of February 3, 2015. FinCENâÂÂs regulations under Section 314(a) allow federal, state, local and European Union law enforcement agencies to contact and work with more than 22,000 financial institutions to locate financial assets and transactions of subjects of criminal investigations.  As a result, the program has afforded productive leads for both terrorist financing (464 cases) and money laundering (1,927 cases) investigations. According to current feedback from law enforcement to the agency, 95 percent of 314(a)
requests have contributed to arrests or indictments.
***
SAR Stats. FinCENâÂÂs January 15 quarterly update of suspicious activity report (SAR) filings by depository institutions indicates credit unions filed 77,972 SARs in 2014, up 24 percent from a total of 62, 877 the previous year. FinCENâÂÂs statistics track filings from March 1, 2012 through December 31, 2014. The top five types of suspicious activity reported covered: multiple transactions below the currency transaction reporting threshold; suspicions regarding the source of funds; transaction with no apparent economic business or lawful purpose; transaction not in customerâÂÂs normal pattern and suspicious usage of multiple locations. The top five states for overall filings: California, New York, Ohio, Texas and Florida.Â