Questions about the Updated FFIEC DA&M Handbook
The new booklet, which replaces the FFIEC Development and Acquisition (D&A) Booklet issued in 2004, is considerably more detailed about how financial institutions (FIs) are expected to mitigate risk during the development, acquisition, maintenance, and delivery of new initiatives. Keep in mind that this guidance applies to FDIC-supervised institutions and their service providers. The most significant takeaways are the expanded treatment of project management and change management principles and practices, with a new emphasis on resilience.
#1 – Review/update your written project management policies and procedures
Examiners will look for an enterprise-wide, process-based approach that assesses and manages risk in proportion to the unique attributes of each new project or engagement. In other words, project management is expected to be tailored: a significant project warrants a more in-depth approach than a routine one. To help institutions judge what makes a project significant, the booklet offers examples that illustrate the differentiating factors. If you would like a checklist to assist in this process, please download our Significant Project Management Evaluation Checklist.
#2 – Review/update your written third-party or vendor management due-diligence methodology and associated procedures
Standards for acquiring systems, components, or services have long been an important focus for FIs in mitigating risk. However, the industry's expanded reliance on Third Party Service Providers (TSPs), including FinTechs, has led to exposures of customer data and to disruptions in the delivery of products and services (the MOVEit Transfer breaches and the CrowdStrike outage, for example). The booklet's emphasis on third-party risk also aligns with the FFIEC's broader focus on operational resilience, including the increased importance of:
- Business continuity/incident response planning (resilience) for critical third-party relationships
- A higher expectation for due diligence of foreign-based entities
- An emphasis on supply chain considerations
The booklet's primary objective here is that management must identify, plan for, and address potential operational weaknesses in high-risk TSPs, including FinTech organizations and foreign-based entities, so that a crisis at a provider has as little effect on the institution's operations as possible.
In summary, your critical TSPs must have business continuity plans, incident response plans, and other documented operational resilience procedures. Verifying this during due diligence supports a successful business partnership while reducing the risk of a significant service disruption and of exposure of nonpublic personal information (NPI).