In This Article
- One FFIEC Playbook, Different Examiners
- The FFIEC URSIT Framework Examiners Use
- Two Regulatory Shifts Every FI Needs to Know in 2026
- Where Banks and Credit Unions Get Findings
- Cloud Controls Examiners Check
- The Mortgage Company Equivalent: GLBA + GSE Counterparty Audits
- How Microsoft 365 Addresses Federal IT Requirements
- Building Your IT Readiness Program
- Frequently Asked Questions
Your federal IT examination is on the calendar. The IT portion makes most community bank, credit union, and mortgage company executives nervous, not because the technology is bad, but because nobody told them what examiners actually grade.
The federal banking regulators do not publish a rubric, but they publish enough guidance to build one. And in 2026, two changes make this worth revisiting even if your institution has been through multiple examination cycles. The FFIEC sunset the Cybersecurity Assessment Tool on August 31, 2025 and pointed institutions to NIST Cybersecurity Framework 2.0 (alongside other standardized tools such as the CISA Cybersecurity Performance Goals) in its place. OCC Bulletin 2025-24, effective January 1, 2026, eliminated mandatory policy-based examination requirements in favor of a risk-proportionate model. Both changes ripple across all four federal banking regulators.
This article explains the FFIEC URSIT framework that examiners across all four agencies use to rate your IT, the specific finding categories where banks and credit unions consistently receive deficiencies, what examiners look for in cloud environments, the parallel framework that applies to mortgage companies under the FTC Safeguards Rule and Fannie/Freddie counterparty audits, and how to build a pre-examination readiness program around Microsoft 365.
One FFIEC Playbook, Different Examiners
The most useful thing to know about federal IT examinations is that the playbook is shared. The FFIEC IT Examination Handbook is the joint framework adopted by the OCC, FDIC, Federal Reserve, and NCUA. Same controls, same expectations, different examiner.
If your community bank holds a national charter, your OCC examiner uses the FFIEC handbook. State-chartered? Your FDIC examiner uses the same handbook. Federal Reserve member? Your Fed examiner uses the same handbook. Credit union? Your NCUA examiner uses the same handbook. The agency name on your exam letter changes. The technical findings, the URSIT rating components, and the cloud control expectations do not.
Mortgage companies are not under FFIEC jurisdiction. Independent mortgage lenders and servicers do not receive FFIEC IT examinations. But they do face the FTC Safeguards Rule (16 CFR Part 314), CFPB compliance examinations, and seller-servicer counterparty audits from Fannie Mae, Freddie Mac, and Ginnie Mae. Those frameworks reference the same control areas: access management, MFA enforcement, audit log retention, vendor oversight, and incident response. The agency name and the legal authority differ. The Microsoft 365 configuration that satisfies them does not.
This article uses FFIEC framing as the unifying lens because most readers will face an FFIEC examiner. Where the mortgage company equivalent differs in legal authority or examination process, those differences are covered in the Mortgage Company Equivalent section below.
The FFIEC URSIT Framework Examiners Use
Federal banking regulators rate information technology using URSIT, the Uniform Rating System for Information Technology. URSIT is an FFIEC-adopted framework, which means the OCC, FDIC, Federal Reserve, and NCUA all use it. Every examined institution receives a URSIT composite rating on a 1-to-5 scale, with 1 being the strongest and 5 being the weakest. That composite does not exist in isolation: for banks, IT examination results inform the Management component of the CAMELS composite rating (IT risk is a management-quality question, not a market-risk one). For credit unions, the same results inform the NCUA's CAMELS rating, which has included the S component since 2022.
URSIT has four rated components. Examiners score each separately and then derive the composite. Understanding what each component covers tells you exactly where examination risk concentrates for your institution.
URSIT: The Four Components FFIEC Examiners Use to Rate Bank and Credit Union IT
| Component | What Examiners Assess | Common Deficiencies Cited |
|---|---|---|
| Audit | Scope, independence, frequency, and effectiveness of IT audit. Whether findings are tracked to resolution and whether audit staff has sufficient IT knowledge. | Audit scope too narrow; finding closure undocumented; internal audit lacks IT-qualified personnel |
| Management | How leadership oversees IT risk. Board and executive understanding of IT risk, strategic alignment, vendor oversight programs, and the quality of IT risk reporting to governance bodies. | Board reports too technical or too vague; no formal IT risk appetite statement; vendor management entirely spreadsheet-based with no formal review cadence |
| Development and Acquisition | How the bank acquires, builds, and changes systems. Project management, change control processes, testing requirements, and user acceptance before production deployment. | Informal change control with no approval trail; no user acceptance testing for vendor-managed systems; legacy systems with no documented migration plan or compensating controls |
| Support and Delivery | Day-to-day operational reliability of IT. Patch management, access controls, incident response, business continuity testing, and help desk operational effectiveness. | Patch management gaps especially for end-of-life systems; MFA not enforced for privileged access; BCP not tested in 12 or more months; audit log retention below 12 months |
Source: FFIEC IT Examination Handbook; FFIEC URSIT examination guidelines
The Support and Delivery component draws the most examiner scrutiny for community banks under $3 billion in assets. That is where access controls, patch management, cloud configurations, and incident response programs live. A deficiency in Support and Delivery is also the most operationally visible finding, which means your board and regulators both see it.
Well-rated institutions under $3 billion in assets qualify for an 18-month examination cycle instead of the standard 12 months. That longer cycle is a reward for strong risk management, not a permanent status. Any individual URSIT component rated 3 or worse can trigger a return to annual examinations regardless of asset size or CAMELS composite. Institutions that maintain strong URSIT ratings through consistent configuration management earn the longer cycle. Institutions that drift earn more frequent examinations.
Two Regulatory Shifts Every Bank, Credit Union, and Mortgage Company Needs to Know in 2026
Compliance programs often calibrate to how past examinations went. That is a reasonable approach, but two changes that took effect between August 2025 and January 2026 make a fresh assessment necessary before your next examination cycle. Both changes affect every federal banking regulator (OCC, FDIC, Federal Reserve, NCUA), and both have parallel implications for mortgage companies under the FTC Safeguards Rule.
OCC Bulletin 2025-24: The Supervisory Reset
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated all mandatory policy-based examination requirements for community banks. The prior model required examiners to verify that specific policies existed and met documentation standards. The new model is risk-proportionate.
In practice, this means examiners now focus on whether your risk management decisions are documented and defensible, not whether you have a policy document that matches a checklist of required topics. A community bank with a well-documented, operationally realistic IT risk assessment that connects risk identification to control implementation will fare better than one with a full policy library that does not connect to how the institution actually operates.
The shift also changes how you should prepare. Before 2026, the standard approach was to audit policies against the FFIEC IT Examination Handbook. After 2026, the better approach is to map your actual IT controls to your documented risk decisions and ensure examiners can trace from risk identification to control deployment to monitoring results. Documentation of why a risk decision was made matters as much as documentation that the decision exists.
The FFIEC CAT Is Retired: What Replaces It
TL;DR
The FFIEC Cybersecurity Assessment Tool (CAT) was officially retired on August 31, 2025. If your institution still uses the CAT for cybersecurity self-assessment, you need to migrate to NIST Cybersecurity Framework 2.0. When the FFIEC announced the sunset, it pointed institutions to NIST CSF 2.0 (along with other standardized tools such as the CISA Cybersecurity Performance Goals) rather than issuing a successor tool of its own.
The CAT served as a maturity benchmarking tool from 2015 through 2025. Its retirement matters for two specific reasons. First, examiners across all four agencies (OCC, FDIC, Federal Reserve, NCUA) will increasingly use NIST CSF 2.0 language and function categories in examination findings. Institutions that still organize their cybersecurity program around CAT maturity levels and CAT declarative statements may have a harder time mapping examination feedback to their internal program structure. Second, NIST CSF 2.0 added the Govern function, which the original 2014 framework did not include. That function covers cybersecurity governance, organizational context, and risk strategy, which maps directly to the URSIT Management component.
For most community banks, the CAT-to-NIST CSF 2.0 migration is not a wholesale rebuild. CAT declarative statements map reasonably well to the NIST CSF 2.0 Identify, Protect, Detect, Respond, and Recover functions. The Govern function additions require the most attention, particularly for governance bodies that have not formally documented their cybersecurity risk appetite or oversight structure. ABT's NIST CSF 2.0 Assessment for Financial Institutions covers the full framework transition including the Govern function gaps most community banks have not yet addressed.
Where Banks, Credit Unions, and Mortgage Companies Receive IT Findings
The OCC's 2025 Cybersecurity Report identified the most common IT deficiencies in community bank examinations. The NCUA's Annual Cybersecurity Report cited a substantially overlapping list for credit unions. The FTC's enforcement record under the Safeguards Rule shows a similar pattern for mortgage companies. None of the findings are surprising in isolation. The pattern matters: these categories appear across institution sizes, examination cycles, and regulator types, which means institutions are addressing them once and not sustaining the fix.
Common Federal IT Findings at Banks, Credit Unions, and Mortgage Companies
- Legacy and end-of-life systems without documented compensating controls or a remediation timeline
- Patch management deficiencies, particularly for vendor-managed and cloud-hosted systems
- Multi-factor authentication gaps for privileged access, remote access, and administrative accounts
- Insufficient IT audit coverage, including scope gaps and finding closure tracking failures
- Third-party vendor management weaknesses, including missing or outdated SOC 2 Type II assessments
- Cloud control deficiencies, including access provisioning gaps and audit log retention failures
Source: OCC 2025 Cybersecurity Report; OCC Bulletin 2020-46a
Legacy Systems: The Finding That Follows Your Institution
Legacy systems earn findings not because they exist but because they lack documented compensating controls. An institution running an end-of-life operating system such as Windows Server 2012 R2 in an isolated network segment with specific access restrictions and enhanced monitoring is in a defensible position. An institution running the same server with no documentation of why it is still in production, what controls limit its exposure, and when it will be replaced is not.
Before your examination, inventory every system running software past vendor end-of-life. For each one, document the business reason it has not been replaced, the compensating controls limiting its exposure, and the planned remediation timeline. That documentation converts a potential finding into a management decision with a plan. Examiners can accept a documented risk decision. They cannot accept an undocumented gap.
MFA Gaps: The Finding That Should Not Exist in 2026
Federal examiners across the OCC, FDIC, Federal Reserve, and NCUA have cited multi-factor authentication deficiencies in financial institution examinations consistently since 2020. By 2026, MFA for privileged access and remote access is a baseline expectation, not a leading practice. Yet it continues to appear in findings for one reason: MFA is deployed for general staff but not enforced by policy for administrative accounts, service accounts, and privileged role holders.
Microsoft Entra ID Conditional Access policies (an Entra ID P1 feature, which Business Premium and E3 include) can enforce MFA for every privileged role and every remote access session in a way that is documentable, auditable, and testable on demand. The gap examiners find is not a technology gap. It is a configuration gap: a policy that exists but sits in report-only mode, or that requires MFA for "All users" while an exclusion group quietly holds the admin accounts. The technology to close it is already in your Microsoft 365 subscription.
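As an added example (not code from the article or from ABT), the following Microsoft Graph PowerShell script produces the evidence an examiner wants for this finding: for each of the three privileged roles the readiness review names, it reports which Conditional Access policies actually enforce MFA on that role, which ones only sit in report-only mode, and who is excluded. It assumes the Microsoft Graph PowerShell SDK is installed and an account that can consent to the two read-only scopes named in the script; the role display names are Microsoft's built-in ones, and the report column names are the script's own.

```powershell
# Added example (not from the article): audit Conditional Access for enforced MFA on privileged roles.
# Requires the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# Read-only scopes only; nothing in this script changes tenant configuration.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Roles the readiness review calls out; extend the list as your risk assessment requires.
$privilegedRoles = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')

# Conditional Access stores roles by directory role template ID, so resolve the display names
# instead of hard-coding GUIDs.
$roleIdToName = @{}
Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $privilegedRoles } |
    ForEach-Object { $roleIdToName[$_.Id] = $_.DisplayName }

$policies = Get-MgIdentityConditionalAccessPolicy -All

# A policy counts as enforcing MFA only when all three hold:
#   its state is 'enabled' (report-only is 'enabledForReportingButNotEnforced'),
#   its grant control requires MFA or an authentication strength,
#   and it targets all cloud apps, so the admin portals are not left out by an app-scoped policy.
function Test-MfaEnforcingPolicy {
    param($Policy)
    $grant       = $Policy.GrantControls
    $requiresMfa = ($grant.BuiltInControls -contains 'mfa') -or ($null -ne $grant.AuthenticationStrength.Id)
    $allApps     = $Policy.Conditions.Applications.IncludeApplications -contains 'All'
    return ($Policy.State -eq 'enabled') -and $requiresMfa -and $allApps
}

$report = foreach ($roleId in $roleIdToName.Keys) {
    # Enforced coverage: the role is included (directly or via "All users") and not excluded.
    $covering = $policies | Where-Object {
        ($_.Conditions.Users.IncludeRoles -contains $roleId -or $_.Conditions.Users.IncludeUsers -contains 'All') -and
        -not ($_.Conditions.Users.ExcludeRoles -contains $roleId) -and
        (Test-MfaEnforcingPolicy $_)
    }
    # Report-only policies naming the role look like coverage in the portal but enforce nothing.
    $reportOnly = $policies | Where-Object {
        $_.State -eq 'enabledForReportingButNotEnforced' -and $_.Conditions.Users.IncludeRoles -contains $roleId
    }
    # Exclusions are the examiner's next question: only a documented break-glass account belongs here.
    $exclusions = $covering | ForEach-Object {
        @($_.Conditions.Users.ExcludeUsers) + @($_.Conditions.Users.ExcludeGroups)
    }
    [pscustomobject]@{
        Role               = $roleIdToName[$roleId]
        EnforcedByPolicies = ($covering.DisplayName -join '; ')
        ReportOnlyPolicies = ($reportOnly.DisplayName -join '; ')
        Exclusions         = (($exclusions | Where-Object { $_ }) -join '; ')
        Finding            = $(if ($covering) { 'OK' } else { 'FINDING: no enforced MFA policy covers this role' })
    }
}

$report | Format-Table -AutoSize
# Keep a dated copy as examination evidence next to the policy export.
$report | Export-Csv -Path ".\ca-mfa-privileged-roles-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The "all cloud apps" test is deliberate: a policy scoped to a handful of applications can pass a portal spot-check while leaving the Entra and Intune admin centers uncovered, which is exactly the gap an examiner finds in a sign-in log review.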
Third-Party Vendor Management: Expanding Examiner Scrutiny
Federal examiners have expanded vendor management scrutiny significantly since the June 2023 Interagency Guidance on Third-Party Relationships (OCC Bulletin 2023-17, issued jointly with the FDIC and Federal Reserve and replacing the OCC's 2013 guidance and its 2020-10 FAQs), with the NCUA applying equivalent expectations to credit unions. For cloud vendors, examiners now expect current SOC 2 Type II attestation reports, not vendor-provided security questionnaires or a SOC 2 Type I. A report whose period ended 18 months ago is insufficient for material vendors; where the period has lapsed and the next report is not yet issued, obtain the vendor's bridge letter. For institutions evaluating their Microsoft 365 plan, the compliance tooling available for vendor documentation and eDiscovery varies across plans. Understanding which Microsoft 365 plan your institution should be on is part of the examination readiness picture.
Cloud Controls: What Federal Examiners Actually Check
OCC Bulletin 2020-46a established the OCC's cloud computing risk management expectations. The FDIC, Federal Reserve, and NCUA have all issued substantively aligned cloud guidance. In 2026, cloud is no longer a specialty topic in IT examinations. It is the primary operating environment for most banks, credit unions, and mortgage companies, including Microsoft 365 tenants, core banking vendor platforms, loan origination software, and document management systems.
When examiners review a financial institution's cloud environment, they are looking for evidence of six specific control categories. Microsoft 365 addresses all six natively, but the controls must be configured, not just licensed.
The Mortgage Company Equivalent: GLBA + GSE Counterparty Audits
Independent mortgage lenders and servicers do not receive FFIEC IT examinations. The FFIEC handbook does not apply to non-bank mortgage companies. But the IT control expectations apply through three different legal frameworks, all of which reference substantially the same control areas as the FFIEC handbook.
The FTC Safeguards Rule (16 CFR Part 314)
The Federal Trade Commission's Safeguards Rule is the primary federal cybersecurity requirement for non-bank mortgage companies. The amended rule, whose main provisions took effect on June 9, 2023, made several controls explicit: multi-factor authentication for any individual accessing any information system that holds customer information (desktop and server access, not just applications), encryption of customer information in transit and at rest, a written incident response plan, annual penetration testing and semiannual vulnerability assessments (or continuous monitoring in their place), and a written risk assessment. A later amendment, effective May 2024, added notification to the FTC within 30 days of discovering a breach affecting 500 or more consumers. The Safeguards Rule applies to any financial institution under FTC jurisdiction, meaning one that handles consumer financial information and is not regulated by a federal banking agency. That includes most independent mortgage lenders, mortgage servicers, mortgage brokers, and consumer finance companies.
CFPB Compliance Management System Examinations
The Consumer Financial Protection Bureau examines mortgage lenders and servicers under its Compliance Management System (CMS) framework. The IT and information security components of a CMS examination cover access controls, vendor management, data security, business continuity, and incident response. CFPB examiners do not use the FFIEC handbook directly, but they reference the same control categories. A mortgage company that meets FFIEC handbook expectations will satisfy the CFPB CMS IT review.
Fannie Mae, Freddie Mac, and Ginnie Mae Seller-Servicer Counterparty Requirements
The GSEs and Ginnie Mae impose IT controls on their seller-servicer counterparties through contractual agreements. Fannie Mae's Seller-Servicer Eligibility requirements include business continuity plans with disaster recovery procedures, internal audit and management controls independent of key functions, formal information security policies, and an Information Security questionnaire that counterparties must complete and update. Freddie Mac's Seller-Servicer Guide imposes similar IT control expectations. Ginnie Mae requires annual onsite audits of Document Custodians by seller-servicers. Failure to meet these contractual IT requirements can result in counterparty status review, which is more consequential than a regulatory finding because it directly affects the institution's ability to sell loans.
The practical takeaway for mortgage companies: build Microsoft 365 controls to FFIEC handbook expectations and you will satisfy the FTC Safeguards Rule, the CFPB CMS IT review, and the GSE counterparty audits in one configuration pass. The technical work is the same. The legal citations on the audit findings are different.
How Microsoft 365 Addresses Federal IT Examination Requirements
OCC Bulletin 2020-46a defines six cloud control areas. Here is how Microsoft 365 addresses each one, and what must be configured rather than assumed:
- Access management with provisioning and deprovisioning: Entra ID Lifecycle Workflows, access reviews, and Joiner/Mover/Leaver automation through HR-driven provisioning connectors. These are configured in the Microsoft Entra admin center and are not on by default; Lifecycle Workflows and access reviews also require Microsoft Entra ID Governance (or P2 for access reviews) on top of the P1 license that Business Premium and E3 include.
- MFA for privileged and remote access: Entra ID Conditional Access with authentication strength requirements, which can require phishing-resistant MFA for admin roles. A policy is enforceable only when its state is On (not Report-only) and its grant control requires MFA or an authentication strength. Exclude only a documented break-glass account, and review that exclusion.
- Encryption in transit and at rest: Microsoft 365 encrypts all data at rest and in transit by default, with TLS 1.2 as the minimum for service connections. Customer-managed keys (Customer Key) are an E5-level Purview feature, not a Business Premium or E3 setting.
- Audit log retention (12+ months): Purview Audit (Standard), included in Business Premium and E3, retains records for 180 days (raised from 90 days in late 2023). Purview Audit (Premium), included in E5 or added through a compliance add-on, retains records for one year by default and supports retention policies up to 10 years with the 10-Year Audit Log Retention add-on. Retention must be licensed and configured; it does not reach 12 months on its own, and a retention change is not retroactive for records that have already expired.
- SOC 2 Type II for the vendor: Microsoft publishes SOC 2 Type II reports for M365 services on the Microsoft Service Trust Portal at servicetrust.microsoft.com. Download the current report (and the bridge letter covering any months since the report period ended) and include both in your vendor management file.
- BCP and DR testing documentation: Microsoft provides a 99.9% financially backed availability SLA for M365, which covers service uptime, not recovery of your data. Institutional BCP/DR testing should verify recovery procedures for workflows that depend on M365, including restoring deleted or corrupted mailbox and SharePoint content within your retention settings, and document test results and recovery time objectives.
Audit Log Retention: The Gap Most Community Banks Discover at Examination
Federal banking regulators and FTC Safeguards Rule auditors expect audit logs retained for at least 12 months, accessible for examination on request, and covering all administrative and privileged access activity. Microsoft 365's default unified audit log retention on Business Premium and E3 tenants (Purview Audit Standard) is 180 days. That does not meet the 12-month expectation.
Purview Audit (Premium) retains records for one year by default and supports custom retention policies up to 10 years for specific record types, operations, or users. It is included in E5 and available to Business Premium and E3 tenants through an add-on, so for either plan it is a separate licensing decision rather than a setting you can simply turn on.
This is also one of the URSIT Support and Delivery items examiners test with a specific documentation request. They will ask you to produce audit logs covering privileged access events for the prior 12 months. If you cannot produce 12 months of logs, you have a finding before the examination formally begins. The license and retention policy take less than a day to configure, but the extension is not retroactive: records that have already aged out are gone, so the full 12-month window takes up to a year to build. Start before the examination is scheduled, not after.
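An added example, not code from the article or from ABT: the script below answers the examiner's question directly. It walks the trailing 12 months of directory role membership changes month by month in the Purview unified audit log, reports how far back the oldest surviving record reaches, and then confirms which retention policy is keeping those records. It assumes the ExchangeOnlineManagement module and an account holding an audit-reader role in Exchange Online and Security & Compliance PowerShell; the operation names are the ones the unified audit log uses for role membership changes, and the warnings' wording is the script's own.

```powershell
# Added example (not from the article): prove 12 months of privileged-access audit history exist
# in the Microsoft Purview unified audit log before an examiner asks for it.
# Requires: Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is unified audit logging switched on at all? A tenant with it off has no history to produce.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'FINDING: unified audit log ingestion is disabled; no audit history is being retained.'
}

# 2. Pull directory role membership changes for each of the trailing 12 calendar months.
#    Role changes land in RecordType AzureActiveDirectory under these operation names.
#    Monthly windows stay inside the 5,000-result page size for a community-institution tenant;
#    if a month ever returns exactly 5000, add -SessionCommand ReturnLargeSet paging.
$operations = 'Add member to role.', 'Remove member from role.'
$now    = Get-Date
$months = foreach ($i in 11..0) {
    $start = (Get-Date -Day 1 -Hour 0 -Minute 0 -Second 0).AddMonths(-$i)
    $end   = $start.AddMonths(1)
    $hits  = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType AzureActiveDirectory `
                 -Operations $operations -ResultSize 5000
    [pscustomobject]@{
        Month       = $start.ToString('yyyy-MM')
        RoleChanges = @($hits).Count
        Earliest    = ($hits | Sort-Object CreationDate | Select-Object -First 1).CreationDate
    }
}
$months | Format-Table -AutoSize

# 3. The check the examiner actually performs: does the oldest surviving record reach back 12 months?
#    A month with zero hits is not evidence either way (quiet months happen), so use the earliest
#    record across the whole window.
$oldest       = ($months | Where-Object Earliest | Sort-Object Earliest | Select-Object -First 1).Earliest
$coverageDays = if ($oldest) { [int]($now - $oldest).TotalDays } else { 0 }
Write-Host "Oldest privileged-role audit record: $oldest ($coverageDays days of history)"

# 4. Confirm the retention policy keeping these records, from Security & Compliance PowerShell.
#    A policy with no RecordTypes restriction applies to all record types.
Connect-IPPSSession
$policies = Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RecordTypes, RetentionDuration, Priority
$policies | Format-Table -AutoSize
$twelveMonthsOrMore = $policies | Where-Object {
    (-not $_.RecordTypes -or $_.RecordTypes -contains 'AzureActiveDirectory') -and
    $_.RetentionDuration -in 'OneYear', 'ThreeYears', 'FiveYears', 'SevenYears', 'TenYears'
}
if (-not $twelveMonthsOrMore) {
    Write-Warning 'FINDING: no retention policy keeps directory audit records for 12 months or longer.'
}
if ($coverageDays -lt 365) {
    Write-Warning "History reaches back only $coverageDays days; retention changes are not retroactive, so the 12-month window fills in over time."
}
```

Run it once now and file the output; run it again the month before the examination. The two warnings are independent on purpose: a tenant can have the right retention policy and still fail the history check because the policy was created recently, and that is the case to be able to explain, with the policy creation date, when the examiner asks.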
Access Provisioning: The Gap You Cannot See Until Examination
Examiners across all four federal banking regulators now specifically review whether access provisioning and deprovisioning processes are automated or documented. The question is not just whether terminated employees lose access. It is whether your institution can demonstrate, with records, that access was revoked on a specific date for every departure. Manual processes that work reliably 95% of the time create a stale access exposure in the remaining 5%, and that 5% is exactly what examiners find in log reviews.
Entra ID lifecycle management, combined with access reviews configured in Entra ID Governance, provides the automated provisioning and deprovisioning trail federal examiners expect. The AI and compliance tooling ABT deploys through Guardian manages these configurations as part of the standard M365 tenant setup for regulated financial institutions. For institutions evaluating where to start on cloud governance, the AI and Copilot Readiness Assessment includes an evaluation of the cloud control configuration that aligns directly with federal examination expectations.
Free Assessment
How Does Your M365 Configuration Score Against Federal Cloud Control Expectations?
ABT's free AI Readiness Scan grades your Microsoft 365 environment on security configuration, audit log coverage, licensing alignment, and cloud controls, the same areas FFIEC examiners review at banks and credit unions and FTC Safeguards Rule auditors check at mortgage companies. Takes 15 minutes. No sales call required to see your grade.
How Microsoft 365 Aligns With Federal IT Examination Requirements
Banks, credit unions, and mortgage companies running Microsoft 365 have an examination readiness advantage that most institutions underuse. The platform addresses a substantial portion of the federal cloud control, access management, and audit log requirements natively, whether the relevant authority is OCC Bulletin 2020-46a, equivalent FDIC/Fed/NCUA guidance, or the FTC Safeguards Rule for mortgage companies. The issue is not the platform. It is the configuration.
Guardian, ABT's operating model for Microsoft 365 in regulated financial institutions, deploys 80 policy templates across 11 configuration categories mapped to regulatory requirements including OCC Bulletin 2020-46a, equivalent FDIC/Fed/NCUA cloud guidance, and the FTC Safeguards Rule. Those policies cover the exact control areas examiners review: Conditional Access policy deployment, Defender for Office 365 configuration, Exchange settings, data loss prevention, retention policies, and device management through Intune.
The institutions that receive strong URSIT Support and Delivery ratings typically share one characteristic: their Microsoft 365 tenant configurations are documented, verified, and consistent with their risk decisions. Examiners can pull an admin portal screenshot, verify a Conditional Access policy is in enforcement mode, and trace it to a documented control decision in about 10 minutes. That is what "documentable and defensible" looks like in practice.
For institutions building or updating their IT examination readiness program, the five steps in the next section cover the Microsoft 365 configuration areas that examiners review most frequently across banks, credit unions, and mortgage companies.
Building Your IT Examination Readiness Program
Federal IT examination readiness is not a project you complete before each examination. It is a configuration management discipline you maintain between examinations. The institutions that consistently receive strong URSIT ratings are not the ones that scramble to prepare. They are the ones that keep their configurations aligned with examiner expectations year-round.
The following five steps are structured around the Microsoft 365 control areas examiners review most frequently for banks, credit unions, and mortgage companies. Each step is testable before the examination, so you know where you stand before examiners do.
5-Step Microsoft 365 Federal IT Examination Readiness Review
Audit Log Configuration and Retention Verification
Confirm that Microsoft Purview Audit is enabled for your tenant and that your retention policies cover at least 12 months for administrator activity, privileged role access events, and mailbox access logs. Run a test query pulling privileged role activity for the prior 12 months. If you cannot produce results covering the full 12-month window, you have a gap to close before the examination. This is the single most common audit log finding in community bank IT examinations.
MFA Enforcement Policy Review
Review your Entra ID Conditional Access policies and confirm that the MFA policies covering the Global Administrator, Privileged Role Administrator, and Security Administrator roles are in the On state, not Report-only, and that their grant control requires MFA or an authentication strength. Confirm that all remote access pathways require MFA. Document each policy by name, creation date, the roles or user groups it covers, and every exclusion (a documented break-glass account is the only defensible one). Examiners will ask for this documentation by name, not just ask whether MFA is deployed, and the exclusion list is usually their second question.
Device Inventory and Management Policy Confirmation
Pull your Microsoft Intune device inventory and document enrollment coverage, compliance policy assignment, and managed device status for all institution-issued devices. Examiners now ask specifically about BYOD controls and whether personal devices accessing financial institution systems are enrolled in mobile device management or subject to mobile application management policies. Keep in mind that the Intune inventory shows only enrolled devices; a personal device that never enrolled appears in the Entra sign-in logs as an unmanaged device, so pair the inventory with a sign-in log review. A device inventory that shows unmanaged personal devices accessing M365 without policy enforcement is a finding in the access control category.
Email Authentication Configuration Check
Verify that every domain your institution sends mail from (including parked domains) has SPF, DKIM, and DMARC records configured and that your DMARC policy is at minimum p=quarantine, ideally p=reject, with no pct tag below 100 and no sp=none tag that would exempt subdomains from enforcement. Examiners increasingly cite email authentication gaps as a phishing control deficiency. DMARC at p=none is a monitoring mode setting, not an enforcement setting, and examiners treat p=none as an open finding for institutions that have had it in place for more than six months without progressing to enforcement.
Third-Party Vendor Cloud Assessment Documentation
Build or update your vendor inventory to include the SOC 2 Type II report status for each material cloud vendor, with the report date and the report period it covers. For Microsoft 365 specifically, the current SOC 2 Type II report is available on the Microsoft Service Trust Portal at servicetrust.microsoft.com. Download the current report and file it in your vendor management records. Examiners will ask for this document by name. If you cannot produce a current (within 12 months) SOC 2 Type II for your material cloud vendors, that is a vendor management finding.
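As an added example covering steps 3 and 4 of the review (not code from the article or from ABT), the script below gathers the Intune device evidence and then checks SPF, DKIM, and DMARC on each sending domain, applying the enforcement bar described above. It assumes the Microsoft Graph PowerShell SDK, Resolve-DnsName (the DnsClient module on Windows), and a tenant that publishes DKIM under Microsoft 365's selector1/selector2 names; bank.example and mortgage.example are placeholder domains, and the DMARC parser and issue wording are the example's own.

```powershell
# Added example (not from the article): evidence collection for readiness review steps 3 and 4.
# Part A requires the Microsoft Graph PowerShell SDK; Part B uses Resolve-DnsName (Windows DnsClient).

# ---- Part A: Intune device inventory, grouped the way an examiner reads it ----
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
$devices = Get-MgDeviceManagementManagedDevice -All

# Ownership (company vs personal) and compliance state are the two columns examiners look at first.
$devices | Group-Object ManagedDeviceOwnerType, ComplianceState |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize

# Personal devices that are enrolled but not compliant, plus any device that has not checked in for
# 30 days (never-synced devices have no LastSyncDateTime and are treated as stale), are the rows that
# become an access-control finding. Only enrolled devices appear here; unenrolled personal devices
# show up in Entra sign-in logs as unmanaged, not in this inventory.
$stale    = (Get-Date).AddDays(-30)
$exposure = $devices | Where-Object {
    ($_.ManagedDeviceOwnerType -eq 'personal' -and $_.ComplianceState -ne 'compliant') -or
    ($_.LastSyncDateTime -lt $stale)
} | Select-Object DeviceName, UserPrincipalName, OperatingSystem, ManagedDeviceOwnerType, ComplianceState, LastSyncDateTime
$exposure | Export-Csv ".\intune-device-exposure-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# ---- Part B: SPF / DKIM / DMARC enforcement check ----
# Parses a DMARC TXT record into its tags. Kept separate from DNS so it can be run on a captured record.
function ConvertFrom-DmarcRecord {
    param([string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    return $tags
}

# Applies the review's bar (p=quarantine minimum, p=reject ideal) plus the two ways a record can look
# enforcing while it is not: pct below 100 samples only part of the stream, and sp=none re-opens
# subdomains that would otherwise inherit p=. Missing rua= means nobody is reading the aggregate reports.
function Test-DmarcEnforcement {
    param([string]$Record)
    $t = ConvertFrom-DmarcRecord $Record
    if ($t['v'] -ne 'DMARC1') { return @('no valid DMARC record') }
    $issues = @()
    if ($t['p'] -notin 'quarantine', 'reject')  { $issues += "p=$($t['p']) is monitoring only, not enforcement" }
    if ($t['pct'] -and [int]$t['pct'] -lt 100)  { $issues += "pct=$($t['pct']) applies the policy to only part of the mail stream" }
    if ($t['sp'] -eq 'none')                    { $issues += 'sp=none leaves subdomains unenforced' }
    if (-not $t['rua'])                         { $issues += 'no rua= address; aggregate reports are not collected' }
    return $issues
}

function Get-EmailAuthPosture {
    param([string]$Domain)
    $spf   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    # Microsoft 365 publishes DKIM as selector1/selector2 CNAMEs pointing at the tenant's onmicrosoft.com domain.
    $dkim  = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain        = $Domain
        # '-all' is a hard fail; '~all', '?all' and '+all' are progressively weaker.
        SpfAll        = $(if ($spf) { ($spf -split '\s+')[-1] } else { 'missing' })
        DkimPublished = [bool]$dkim
        DmarcPolicy   = $(if ($dmarc) { (ConvertFrom-DmarcRecord $dmarc)['p'] } else { 'missing' })
        DmarcIssues   = $(if ($dmarc) { (Test-DmarcEnforcement $dmarc) -join '; ' } else { 'no DMARC record' })
    }
}

# Placeholder domains: replace with every domain your tenant sends mail from, including parked ones.
'bank.example', 'mortgage.example' | ForEach-Object { Get-EmailAuthPosture $_ } | Format-Table -AutoSize
```

Test-DmarcEnforcement is split from the DNS lookup so you can paste a record from a vendor or a parked domain and evaluate it without resolving anything; the pct and sp checks are what distinguish a record that reads "p=reject" in a screenshot from one that actually rejects spoofed mail.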
Frequently Asked Questions
Which regulators use the FFIEC IT Examination Handbook, and does it apply to mortgage companies?
The FFIEC IT Examination Handbook is the joint framework adopted by the OCC, FDIC, Federal Reserve, and NCUA for IT examinations of banks and credit unions. If your community bank holds a national charter, your OCC examiner uses it. State-chartered, your FDIC or Federal Reserve examiner uses it. Credit union, your NCUA examiner uses it. Independent mortgage lenders and servicers do not receive FFIEC examinations directly, but the FTC Safeguards Rule (16 CFR Part 314), CFPB Compliance Management System reviews, and Fannie Mae/Freddie Mac/Ginnie Mae seller-servicer counterparty audits reference substantially the same control areas. A Microsoft 365 configuration that satisfies FFIEC handbook expectations will satisfy the mortgage company equivalents in one configuration pass.
What is URSIT, and how does it affect the CAMELS rating?
URSIT stands for Uniform Rating System for Information Technology. It is an FFIEC-adopted framework, which means OCC, FDIC, Federal Reserve, and NCUA examiners all use it. URSIT rates a financial institution's IT environment on a 1-to-5 scale (1 is best) across four components: Audit, Management, Development and Acquisition, and Support and Delivery. For banks, the URSIT results inform the Management (M) component of the CAMELS composite. For credit unions, they inform the NCUA's CAMELS rating (the NCUA added the S component in 2022). A weak URSIT rating can degrade your composite rating even when operational and financial metrics are strong.
What replaced the FFIEC Cybersecurity Assessment Tool?
The FFIEC retired the Cybersecurity Assessment Tool (CAT) on August 31, 2025. In place of a successor tool, the FFIEC pointed institutions to NIST Cybersecurity Framework 2.0, released by NIST in February 2024, alongside other standardized tools such as the CISA Cybersecurity Performance Goals. NIST CSF 2.0 added a Govern function that the original 2014 framework did not include. The Govern function covers cybersecurity governance structure, organizational context, and risk strategy, all of which map to the URSIT Management component. Institutions that built their cybersecurity program around CAT maturity levels should map existing controls to NIST CSF 2.0 categories, with particular attention to the new Govern function. Because the guidance came from the FFIEC, it applies across all four federal banking regulators.
What are the most common federal IT examination findings?
Across OCC, FDIC, NCUA, and FTC enforcement records, the most common IT findings involve access control deficiencies, specifically MFA gaps for privileged access accounts and remote access sessions. Legacy system risk management failures, where end-of-life systems lack documented compensating controls or a remediation timeline, are the second most common category. Cloud control deficiencies, particularly audit log retention below 12 months and access provisioning gaps in cloud-hosted systems, have become the fastest-growing finding category as more institutions move core operations to cloud platforms. The pattern holds whether the examiner is from a federal banking regulator or the FTC enforcing the Safeguards Rule against a non-bank mortgage company.
Do mortgage companies receive FFIEC IT examinations?
No. Independent mortgage lenders and servicers do not receive FFIEC IT examinations and the FFIEC handbook does not apply to them directly. They are subject to the FTC Safeguards Rule (16 CFR Part 314), CFPB compliance examinations, and seller-servicer counterparty audits from Fannie Mae, Freddie Mac, and Ginnie Mae. These frameworks reference substantially the same control areas as the FFIEC handbook: access management, MFA enforcement, audit log retention, vendor oversight, encryption in transit and at rest, and incident response. A mortgage company that builds Microsoft 365 controls to FFIEC expectations will satisfy the FTC Safeguards Rule, CFPB CMS reviews, and GSE counterparty audits in one configuration pass. The technical work is the same. The legal citations on the audit findings differ.
Does Microsoft 365 meet federal cloud control requirements out of the box?
Microsoft 365 addresses a substantial portion of FFIEC cloud control, access management, and audit log requirements natively, but the controls must be configured to be effective. Entra ID provides MFA enforcement and access management controls. Purview Audit provides log retention capability. Intune provides device management inventory and compliance documentation. Defender for Office 365 covers anti-phishing controls, while SPF, DKIM, and DMARC are DNS records you publish for each domain. The platform has the capability to meet examiner expectations across all six cloud control areas referenced in OCC Bulletin 2020-46a and the equivalent FDIC, Fed, and NCUA cloud guidance. Most institutions have a configuration gap, not a platform gap.
How long must audit logs be retained, and does Microsoft 365 meet that by default?
Federal banking regulators expect audit logs retained for at least 12 months, accessible for examination on request, and covering all administrative and privileged access activity. Microsoft 365 Business Premium and E3 include Purview Audit (Standard), which retains records for 180 days by default. That does not meet the 12-month examiner expectation. Purview Audit (Premium), included in E5 and available as an add-on for Business Premium and E3 tenants, retains records for one year by default and supports custom retention policies up to 10 years for specific record types. For most institutions on Business Premium, adding Purview Audit (Premium) is the direct solution to this examination requirement, and because retention is not retroactive, it should be added well before the examination is scheduled.
Pre-Examination Review
Get a Pre-Examination IT Review Before Your Next Federal Exam
ABT serves 750+ financial institutions and has helped community banks, credit unions, and mortgage companies prepare for federal IT examinations and counterparty audits for over 25 years. We review your Microsoft 365 configuration across the six control areas FFIEC examiners check (and the FTC Safeguards Rule equivalents for mortgage companies), identify gaps, and help you close them before your examination cycle. Schedule a no-cost pre-examination review with our team.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch is CEO of Access Business Technologies, a Tier-1 Microsoft Cloud Solution Provider serving 750+ financial institutions. ABT works with community banks, credit unions, and mortgage companies to align Microsoft 365 configurations with FFIEC examination requirements (OCC, FDIC, Federal Reserve, NCUA) and the FTC Safeguards Rule plus GSE counterparty audits for mortgage companies. ABT has served financial institutions for over 25 years from its headquarters in Folsom, California.

