Data Identification and Governance: Updated FFIEC Examination Manual Booklet Indicates Higher Expectations by Financial Institution Examiners

Lee Gillispie, CMT, is Senior Managing Principal with Fiserv. He has more than 15years of mortgage lending industry experience and is a self-confessed regulation geek. He is a frequent speaker and author of several industry articles on regulation and its impact on technology and back-office operations. Mike Robinette has more than 15 years of experience in Information Technology and CyberSecurity risk management for global financial services fortune 50 companies, and more than five years as an IT/IS Bank (FFIEC, CAT, NIST) Examiner for the Office of the Comptroller of the Currency with specialty in Trust Management (12CFR9).

Federal examiners will focus on reinforcing proper risk management and data protection fundamentals due to the uptick in cyber threats.

Lee GIllispie
Mike Robinette

On June 30, the Federal Financial Institutions Examination Council issued a new booklet in the FFIEC Information Technology Examination Handbook series, Architecture, Infrastructure and Operations. This guidance provides important clarifications for examiners and financial institutions as well as lenders about how we should identify, classify, retain, secure and report on elemental-level sensitive data.

We identified critical guidelines from the new booklet that will introduce fresh challenges to your financial institution, including detailed guidance on what systems to expect sensitive data, who is responsible for data governance and best practices to demonstrate evidence of compliance. 

What is Data Classification?

Data classification is the process of categorizing data based on the expected damage to operations following loss or compromise of the identified information. Classification is based on its level of confidentiality (i.e., sensitivity), integrity, and availability as well as the value and criticality to the entity.

The booklet signals a much higher level of expectations for regulated financial institutions to identify all sensitive data at the elemental level and understand the overall risk to the FI or its customer of any misuse or loss of that data. The guidance makes it clear that simply inventorying databases and locking down/encrypting email and image archives behind IT walls is no longer an effective strategy.

Systems that Will be in Focus

Section III A 1 of the Booklet describes where examiners expect sensitive consumer and entity data is found and what must be done when it is identified. What is new is the detailed references to systems and platforms that contain records and images, not just system databases.

“Data identification and data classification are important components of data management. To effectively manage data, it is important to identify what data the entity has, particularly to identify sensitive customer and entity information. The data identification process includes structured data, managed by a system of record, as well as unstructured data (e.g., physical loan files, emails, documents, images, presentations, or free-form text comment fields in applications) created or processed by end users. There are inventory tools available to assist management with the data identification process. Once the data is accurately identified, it should be appropriately classified.”

For lenders, this means understanding and properly managing the sensitive data not only in your loan origination systems and servicing systems, but also your image archives, e-mail archives and other content repositories where sensitive data exists but has not traditionally been identified and categorized. 

Summary

Above all, management is expected to have a process-oriented approach to understand where data resides (inventory), determine the sensitivity and criticality of assets (classification) and implement effective controls to safeguard data (policy/procedures).

As an industry we are constantly involved with our borrowers and client’s most sensitive data and all have been taking ever-increasing precautions to reduce any risk of data loss. The updated Examiners Booklet with its guidance and clarifications regarding their higher expectations of good data governance should not be a surprise. Senior leaders, CISO’s and risk managers are strongly encouraged to review it yourselves and to draw your own conclusions.  

For more on this topic, join the authors and MBA Vice President of Industry Technology Rick Hill on September 9 as MBA Education hosts an hour-long webinar, Data Classification and Identification. Click here for more details.

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to NewsLink Editor Mike Sorohan at msorohan@mba.org or NewsLink Editorial Manager Michael Tucker at mtucker@mba.org.)