Navigating the August 2024 update of the FFIEC Development, Acquisition, and Maintenance Booklet can be daunting because of its comprehensive detail. The new booklet replaces the 2004 version and provides significantly more detail on how financial institutions can effectively manage risk during the development, acquisition, maintenance, and delivery of new initiatives.
This blog post provides a concise overview and essential insights to assist financial institutions (FIs) in understanding the guidance and improving their operational strategies. It is important to understand that this guidance applies to all FDIC-supervised institutions and their service providers.
The updated booklet prominently highlights enhanced details on project and change management principles, while emphasizing the crucial importance of operational resilience. This combined focus aims to strengthen an institution's project planning and implementation processes for all projects, with particular emphasis on those that are highly critical. By prioritizing resilience, FIs can ensure continued operations and mitigate risks during times of change or disruption, safeguarding their stability and service reliability.
Here are two steps your FI can take to help manage these new expectations:
1. Review and update your written project management policies and procedures
Examiners will be looking for FIs to have an enterprise-wide, process-based approach that ensures risks are assessed and managed in relation to the unique attributes of each new project or engagement. This expectation includes a project management approach tailored to the project at hand; significant projects will require a more in-depth approach. To help clarify what makes a project unique, the booklet offers examples that illustrate the attributes differentiating one project from another.
2. Review and update your written third-party or vendor management due-diligence methodology and associated procedures
Standards for acquiring systems, components, or services have long been an important focus for FIs in mitigating risk. However, the industry's expanded reliance on third-party service providers (TSPs), including FinTechs, has resulted in the exposure of customer data and the disruption of product and service delivery (e.g., the 2023 MOVEit mass hack and the 2024 CrowdStrike data breach).
The attention to TSPs also aligns with the FFIEC's emphasis on operational resilience, including the increased importance of:
- Business continuity/incident response planning (resilience) for critical third-party relationships
- A higher expectation for due diligence of foreign-based entities
- An emphasis on supply chain considerations
The booklet's main goal is to emphasize the importance of management identifying, planning for, and addressing potential operational weaknesses with high-risk TSPs, including FinTech organizations and foreign entities. These critical TSPs must have business continuity plans, incident response plans, and other documented operational resilience procedures. Meeting this expectation also helps ensure a successful business partnership while mitigating the risk of significant business service disruption and the exposure of non-public personal information (NPI).
In summary, equipped with these strategies, your FI can bolster its operational resilience and effectively mitigate risks associated with project and change management, especially with significant or highly critical projects and high-risk TSPs. By adopting a proactive approach, your institution can significantly reduce the negative impact of crises on its operations.