Federal Financial Institutions Examination Council (FFIEC)

FFIEC overview

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body comprising five banking regulators that are responsible for US federal government examinations of financial institutions in the United States. The FFIEC Examiner Education Office publishes IT Examination Handbooks intended for field examiners from FFIEC member agencies.

The FFIEC Audit IT Examination Handbook contains guidance for these examiners to assess the quality and effectiveness of IT audit programs of both financial institutions and TSPs. Specifically, it includes mention of SOC 1, SOC 2, and SOC 3 attestation reports of the American Institute of Certified Public Accountants (AICPA) as examples of independent audit reports. However, the FFIEC recommends that financial institutions not rely solely on the information contained in these reports, but also use verification and monitoring procedures discussed in detail in the FFIEC Outsourcing Technology Services IT Examination Handbook.

Microsoft and FFIEC

Microsoft Azure, Microsoft Power BI, and Microsoft Office 365 are built to meet the stringent requirements of Providing cloud services for financial services institutions. As part of our support, we offer guidance to help you comply with FFIEC audit requirements for information technology and the ability to use Azure SOC attestations when pursuing your FFIEC compliance obligations.

To help financial institution clients meet their FFIEC compliance requirements with Azure, Microsoft has developed the Azure Security and Compliance Blueprint for FFIEC Regulated Services Workloads. It offers guidance on the use of Azure cloud services and considerations for customer compliance with FFIEC requirements and risk assessment guidelines.

To further help you comply with FFIEC requirements, Microsoft cloud services provide SOC attestation reports produced by an independent CPA firm. For example, the SOC 1 Type 2 attestation is based on the AICPA SSAE 18 standard (see AT-C Section 105) that replaced SAS 70, and is appropriate for reporting on certain controls for financial reporting. The SOC reports include the auditor's opinion on the effectiveness of Microsoft controls in achieving the related control objectives during the specified monitoring period. Financial institutions can use this formal audit when pursuing FFIEC-specific compliance obligations for assets deployed on Azure, Power BI, and Office 365.

Microsoft in-scope cloud services

  • Azure
  • Intune
  • Office 365
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Audits, reports, and certificates

Azure and Office 365 SOC attestation reports.

Frequently asked questions

Can I use Microsoft compliance with SOC standards to meet the FFIEC compliance obligations for my institution?

To help you meet these obligations, Microsoft supplies the specifics about our compliance with SOC standards as described above. However, ultimately, it is up to you to determine whether our services comply with the specific laws and regulations applicable to your institution. The FFIEC also advises that 'users of audit reports or reviews should not rely solely on the information contained in the report to verify the internal control environment of the TSP. They should use other verification and monitoring procedures as discussed more fully in the Outsourcing Technology Booklet of the FFIEC IT Examination Handbook.'

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources

Other Microsoft resources for financial services