In This Article
- One FFIEC Playbook, Different Examiners
- The FFIEC URSIT Framework Examiners Use
- Two Regulatory Shifts Every FI Needs to Know in 2026
- Where Banks and Credit Unions Get Findings
- Cloud Controls Examiners Check
- The Mortgage Company Equivalent: GLBA + GSE Counterparty Audits
- How Microsoft 365 Addresses Federal IT Requirements
- How ABT Operationalizes Microsoft 365 for Examiner-Ready Evidence
- Building Your IT Readiness Program
- Frequently Asked Questions
Your federal IT examination is on the calendar. The IT portion makes most community bank, credit union, and mortgage company executives nervous, not because the technology is bad, but because nobody told them what examiners actually grade.
The federal banking regulators do not publish a rubric. But they publish enough guidance to build one. And in 2026, two changes make this worth revisiting even if your institution has been through multiple examination cycles. The FFIEC retired the Cybersecurity Assessment Tool on August 31, 2025, designating NIST Cybersecurity Framework 2.0 as the recommended replacement. OCC Bulletin 2025-24, effective January 1, 2026, eliminated mandatory policy-based examination requirements in favor of a risk-proportionate model. Both changes ripple across all four federal banking regulators.
This article explains the FFIEC URSIT framework that examiners across all four agencies use to rate your IT, the specific finding categories where banks and credit unions consistently receive deficiencies, what examiners look for in cloud environments, the parallel framework that applies to mortgage companies under the FTC Safeguards Rule and Fannie/Freddie counterparty audits, and how to build a pre-examination readiness program around Microsoft 365. Access Business Technologies manages Microsoft 365 tenants for 750+ financial institutions and runs FFIEC-aligned configurations across that footprint, so the Microsoft 365 alignment guidance in this article reflects what ABT operationalizes for examiner-ready evidence every day, not theory.
Why FFIEC IT Examination Readiness Is ABT's Core Competency
- FFIEC-aligned Microsoft 365 baselines tested against actual OCC, FDIC, Federal Reserve, and NCUA examination findings. Conditional Access, Purview Audit, Intune compliance, and Defender configurations tuned to what examiners ask for, not vendor SMB defaults.
- Cross-tenant evidence production for the 12-month audit log lookback every examiner requests. ABT's 750+ FI footprint runs on the same Microsoft 365 evidence model, so the artifacts your CCO hands to an examiner are the same artifacts other ABT-managed banks and credit unions have already passed exams with.
- M365 Guardian operating model for the day-to-day work between examinations. Microsoft Entra ID, Microsoft Purview, Microsoft Intune, Microsoft Defender, and Microsoft Sentinel are configured, monitored, and documented as one operating model, not as separate license SKUs you have to assemble yourself.
One FFIEC Playbook, Different Examiners
The most useful thing to know about federal IT examinations is that the playbook is shared. The FFIEC IT Examination Handbook is the joint framework adopted by the OCC, FDIC, Federal Reserve, and NCUA. Same controls, same expectations, different examiner.
If your community bank holds a national charter, your OCC examiner uses the FFIEC handbook. State-chartered? Your FDIC examiner uses the same handbook. Federal Reserve member? Your Fed examiner uses the same handbook. Credit union? Your NCUA examiner uses the same handbook. The agency name on your exam letter changes. The technical findings, the URSIT rating components, and the cloud control expectations do not.
Mortgage companies are not under FFIEC jurisdiction. Independent mortgage lenders and servicers do not receive FFIEC IT examinations. But they do face the FTC Safeguards Rule (16 CFR Part 314), CFPB compliance examinations, and seller-servicer counterparty audits from Fannie Mae, Freddie Mac, and Ginnie Mae. Those frameworks reference the same control areas: access management, MFA enforcement, audit log retention, vendor oversight, and incident response. The agency name and the legal authority differ. The Microsoft 365 configuration that satisfies them does not.
This article uses FFIEC framing as the unifying lens because most readers will face an FFIEC examiner. Where the mortgage company equivalent differs in legal authority or examination process, those differences are covered in the Mortgage Company Equivalent section below.
The FFIEC URSIT Framework Examiners Use
Federal banking regulators rate information technology using URSIT, the Uniform Rating System for Information Technology. URSIT is an FFIEC-adopted framework, which means the OCC, FDIC, Federal Reserve, and NCUA all use it. Every examined institution receives a URSIT composite rating on a 1-to-5 scale, with 1 being the strongest and 5 being the weakest. That composite does not exist in isolation: for banks it feeds directly into your CAMELS composite rating through the Management and Sensitivity to Market Risk components. For credit unions it feeds into the equivalent CAMELS-S supervisory rating used by the NCUA.
URSIT has four rated components. Examiners score each separately and then derive the composite. Understanding what each component covers tells you exactly where examination risk concentrates for your institution.
URSIT: The Four Components FFIEC Examiners Use to Rate Bank and Credit Union IT
| Component | What Examiners Assess | Common Deficiencies Cited |
|---|---|---|
| Audit | Scope, independence, frequency, and effectiveness of IT audit. Whether findings are tracked to resolution and whether audit staff has sufficient IT knowledge. | Audit scope too narrow; finding closure undocumented; internal audit lacks IT-qualified personnel |
| Management | How leadership oversees IT risk. Board and executive understanding of IT risk, strategic alignment, vendor oversight programs, and the quality of IT risk reporting to governance bodies. | Board reports too technical or too vague; no formal IT risk appetite statement; vendor management entirely spreadsheet-based with no formal review cadence |
| Development and Acquisition | How the bank acquires, builds, and changes systems. Project management, change control processes, testing requirements, and user acceptance before production deployment. | Informal change control with no approval trail; no user acceptance testing for vendor-managed systems; legacy systems with no documented migration plan or compensating controls |
| Support and Delivery | Day-to-day operational reliability of IT. Patch management, access controls, incident response, business continuity testing, and help desk operational effectiveness. | Patch management gaps especially for end-of-life systems; MFA not enforced for privileged access; BCP not tested in 12 or more months; audit log retention below 12 months |
Source: FFIEC IT Examination Handbook; FFIEC URSIT examination guidelines
The Support and Delivery component draws the most examiner scrutiny for community banks under $3 billion in assets. That is where access controls, patch management, cloud configurations, and incident response programs live. A deficiency in Support and Delivery is also the most operationally visible finding, which means your board and regulators both see it.
The extended 18-month examination cycle available to well-rated institutions is a reward for strong risk management, not a permanent status. Any individual URSIT component rated 3 or higher can trigger a return to annual examinations regardless of asset size or CAMELS composite. Institutions that maintain strong URSIT ratings through consistent configuration management earn the longer cycle. Institutions that drift earn more frequent examinations.
Two Regulatory Shifts Every Bank, Credit Union, and Mortgage Company Needs to Know in 2026
Compliance programs often calibrate to how past examinations went. That is a reasonable approach, but 2026 brought two changes that make a fresh assessment necessary before your next examination cycle. Both changes affect every federal banking regulator (OCC, FDIC, Federal Reserve, NCUA), and both have parallel implications for mortgage companies under the FTC Safeguards Rule.
OCC Bulletin 2025-24: The Supervisory Reset
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated all mandatory policy-based examination requirements for community banks. The prior model required examiners to verify that specific policies existed and met documentation standards. The new model is risk-proportionate.
In practice, this means examiners now focus on whether your risk management decisions are documented and defensible, not whether you have a policy document that matches a checklist of required topics. A community bank with a well-documented, operationally realistic IT risk assessment that connects risk identification to control implementation will fare better than one with a full policy library that does not connect to how the institution actually operates.
The shift also changes how you should prepare. Before 2026, the standard approach was to audit policies against the FFIEC IT Examination Handbook. After 2026, the better approach is to map your actual IT controls to your documented risk decisions and ensure examiners can trace from risk identification to control deployment to monitoring results. Documentation of why a risk decision was made matters as much as documentation that the decision exists.
The FFIEC CAT Is Retired: What Replaces It
TL;DR
The FFIEC Cybersecurity Assessment Tool (CAT) was officially retired on August 31, 2025. If your institution still uses the CAT for cybersecurity self-assessment, you need to migrate to NIST Cybersecurity Framework 2.0. The FFIEC designated NIST CSF 2.0 as the recommended replacement when it announced the retirement.
The CAT served as a maturity benchmarking tool from 2015 through 2025. Its retirement matters for two specific reasons. First, examiners across all four agencies (OCC, FDIC, Federal Reserve, NCUA) will increasingly use NIST CSF 2.0 language and function categories in examination findings. Institutions that still organize their cybersecurity program around CAT maturity levels and CAT declarative statements may have a harder time mapping examination feedback to their internal program structure. Second, NIST CSF 2.0 added the Govern function, which the original 2014 framework did not include. That function covers cybersecurity governance, organizational context, and risk strategy, which maps directly to the URSIT Management component.
For most community banks, the CAT-to-NIST CSF 2.0 migration is not a wholesale rebuild. CAT declarative statements map reasonably well to the NIST CSF 2.0 Identify, Protect, Detect, Respond, and Recover functions. The Govern function additions require the most attention, particularly for governance bodies that have not formally documented their cybersecurity risk appetite or oversight structure. ABT's NIST CSF 2.0 Assessment for Financial Institutions covers the full framework transition including the Govern function gaps most community banks have not yet addressed.
Where Banks, Credit Unions, and Mortgage Companies Receive IT Findings
The OCC's 2025 Cybersecurity Report identified the most common IT deficiencies in community bank examinations. The NCUA's Annual Cybersecurity Report cited a substantially overlapping list for credit unions. The FTC's enforcement record under the Safeguards Rule shows a similar pattern for mortgage companies. None of the findings are surprising in isolation. The pattern matters: these categories appear across institution sizes, examination cycles, and regulator types, which means institutions are addressing them once and not sustaining the fix.
Common Federal IT Findings at Banks, Credit Unions, and Mortgage Companies
- Legacy and end-of-life systems without documented compensating controls or a remediation timeline
- Patch management deficiencies, particularly for vendor-managed and cloud-hosted systems
- Multi-factor authentication gaps for privileged access, remote access, and administrative accounts
- Insufficient IT audit coverage, including scope gaps and finding closure tracking failures
- Third-party vendor management weaknesses, including missing or outdated SOC 2 Type II assessments
- Cloud control deficiencies, including access provisioning gaps and audit log retention failures
Source: OCC 2025 Cybersecurity Report; OCC Bulletin 2020-46a
Legacy Systems: The Finding That Follows Your Institution
Legacy systems earn findings not because they exist but because they lack documented compensating controls. An institution running Windows Server 2019 in an isolated network segment with specific access restrictions and enhanced monitoring is in a defensible position. An institution running the same server with no documentation of why it is still in production, what controls limit its exposure, and when it will be replaced is not.
Before your examination, inventory every system running software past vendor end-of-life. For each one, document the business reason it has not been replaced, the compensating controls limiting its exposure, and the planned remediation timeline. That documentation converts a potential finding into a management decision with a plan. Examiners can accept a documented risk decision. They cannot accept an undocumented gap.
MFA Gaps: The Finding That Should Not Exist in 2026
Federal examiners across the OCC, FDIC, Federal Reserve, and NCUA have cited multi-factor authentication deficiencies in financial institution examinations consistently since 2020. By 2026, MFA for privileged access and remote access is a baseline expectation, not a leading practice. Yet it continues to appear in findings for one reason: MFA is deployed for general staff but not enforced by policy for administrative accounts, service accounts, and privileged role holders.
Microsoft Entra ID Conditional Access policies can enforce MFA for all privileged roles and all remote access sessions in a way that is documentable, auditable, and testable on demand. The gap examiners find is not a technology gap. It is a configuration gap. The technology to close it is already in your Microsoft 365 subscription.
Third-Party Vendor Management: Expanding Examiner Scrutiny
Federal examiners have expanded vendor management scrutiny significantly since OCC Bulletin 2020-10 updated the third-party risk management framework, with parallel guidance issued by the FDIC, Federal Reserve, and NCUA. For cloud vendors, examiners now expect current SOC 2 Type II attestation reports, not vendor-provided security questionnaires or a SOC 2 Type I. An outdated report from 18 months ago is insufficient for material vendors. For institutions evaluating their Microsoft 365 plan, the compliance tooling available for vendor documentation and eDiscovery varies across plans. Understanding which Microsoft 365 plan your institution should be on is part of the examination readiness picture.
Cloud Controls: What Federal Examiners Actually Check
OCC Bulletin 2020-46a established the OCC's cloud computing risk management expectations. The FDIC, Federal Reserve, and NCUA have all issued substantively aligned cloud guidance. In 2026, cloud is no longer a specialty topic in IT examinations. It is the primary operating environment for most banks, credit unions, and mortgage companies, including Microsoft 365 tenants, core banking vendor platforms, loan origination software, and document management systems.
When examiners review a financial institution's cloud environment, they are looking for evidence of six specific control categories. Microsoft 365 addresses all six natively, but the controls must be configured, not just licensed.
The Mortgage Company Equivalent: GLBA + GSE Counterparty Audits
Independent mortgage lenders and servicers do not receive FFIEC IT examinations. The FFIEC handbook does not apply to non-bank mortgage companies. But the IT control expectations apply through three different legal frameworks, all of which reference substantially the same control areas as the FFIEC handbook.
The FTC Safeguards Rule (16 CFR Part 314)
The Federal Trade Commission's Safeguards Rule is the primary federal cybersecurity requirement for non-bank mortgage companies. The 2023 amendment made several controls explicit: multi-factor authentication for any access to customer information (not just applications, but desktop and server access too), encryption of customer information in transit and at rest, written incident response plans with annual testing, and regular risk assessments. The Safeguards Rule applies to any institution that handles consumer financial information and is not regulated by a federal banking agency. That includes most independent mortgage lenders, mortgage servicers, mortgage brokers, and consumer finance companies.
CFPB Compliance Management System Examinations
The Consumer Financial Protection Bureau examines mortgage lenders and servicers under its Compliance Management System (CMS) framework. The IT and information security components of a CMS examination cover access controls, vendor management, data security, business continuity, and incident response. CFPB examiners do not use the FFIEC handbook directly, but they reference the same control categories. A mortgage company that meets FFIEC handbook expectations will satisfy the CFPB CMS IT review.
Fannie Mae, Freddie Mac, and Ginnie Mae Seller-Servicer Counterparty Requirements
The GSEs and Ginnie Mae impose IT controls on their seller-servicer counterparties through contractual agreements. Fannie Mae's Seller-Servicer Eligibility requirements include business continuity plans with disaster recovery procedures, internal audit and management controls independent of key functions, formal information security policies, and an Information Security questionnaire that counterparties must complete and update. Freddie Mac's Seller-Servicer Guide imposes similar IT control expectations. Ginnie Mae requires annual onsite audits of Document Custodians by seller-servicers. Failure to meet these contractual IT requirements can result in counterparty status review, which is more consequential than a regulatory finding because it directly affects the institution's ability to sell loans.
The practical takeaway for mortgage companies: build Microsoft 365 controls to FFIEC handbook expectations and you will satisfy the FTC Safeguards Rule, the CFPB CMS IT review, and the GSE counterparty audits in one configuration pass. The technical work is the same. The legal citations on the audit findings are different.
How Microsoft 365 Addresses Federal IT Examination Requirements
OCC Bulletin 2020-46a defines six cloud control areas. Here is how Microsoft 365 addresses each one, and what must be configured rather than assumed:
- Access management with provisioning and deprovisioning: Microsoft Entra ID lifecycle workflows, access reviews, and Joiner/Mover/Leaver automation via HR connectors. Controls are configured in the Entra ID admin center, not enabled by default.
- MFA for privileged and remote access: Microsoft Entra ID Conditional Access with authentication strength requirements. Enforces phishing-resistant MFA for admin roles. Policy must be deployed and set to Grant (not Report-Only) to be enforceable.
- Encryption in transit and at rest: Microsoft 365 encrypts all data at rest and in transit by default. TLS 1.2 minimum for all service connections. Customer-managed key support available via Microsoft Purview.
- Audit log retention (12+ months): Microsoft Purview Audit Standard provides 90 days by default. Microsoft Purview Audit Premium extends to 180 days minimum, with policies for 1-year or 10-year retention for specific log types. Retention must be configured; it does not default to 12 months.
- SOC 2 Type II for the vendor: Microsoft publishes annual SOC 2 Type II reports for M365 services, available on the Microsoft Service Trust Portal at servicetrust.microsoft.com. Download the current report and include it in your vendor management file.
- BCP and DR testing documentation: Microsoft provides a 99.9% SLA for M365 infrastructure. Institutional BCP/DR testing should verify recovery procedures for workflows that depend on M365 and document test results and recovery time objectives.
Audit Log Retention: The Gap Most Community Banks Discover at Examination
Federal banking regulators and FTC Safeguards Rule auditors expect audit logs retained for at least 12 months, accessible for examination on request, and covering all administrative and privileged access activity. Microsoft 365's default audit log retention for most Business Premium tenants is 90 days. That does not meet the 12-month expectation.
Microsoft Purview Audit Premium extends retention to 180 days at minimum, with customizable policies supporting 1-year or 10-year retention for specific log categories. For community banks on Microsoft 365 Business Premium, Microsoft Purview Audit Premium is available as an add-on. For institutions on E3, Microsoft Purview Audit Standard is included but retention defaults to 90 days. The premium audit tier is a separate licensing decision for both plans.
This is also one of the URSIT Support and Delivery items examiners test with a specific documentation request. They will ask you to produce audit logs covering privileged access events for the prior 12 months. If you cannot produce 12 months of logs, you have a finding before the examination formally begins. Closing this gap before the examination takes less than a day to configure and a few months to build the log history.
The FFIEC Control Stack Inside Microsoft 365
The pattern across the FFIEC IT Examination Handbook is that most modern access control, audit, and vendor oversight obligations resolve to specific configurations inside Microsoft 365.

Microsoft Purview is the layer that meets the audit-trail and recordkeeping bar. Microsoft Purview Audit produces the time-stamped log of every create, modify, and delete action across Exchange Online, SharePoint Online, OneDrive, Teams, and Microsoft Entra ID. Microsoft Purview Audit Premium extends retention to the 12-month floor examiners ask for, with the option to extend to ten years for specific log categories. Microsoft Purview Data Loss Prevention applies the encryption-and-handling controls that satisfy the FTC Safeguards Rule customer-information protection requirements, and Microsoft Purview retention and sensitivity labels bind tamper-evident retention to the mailboxes, sites, and channels where regulated communications live.

Microsoft Entra ID covers the identity side. Conditional Access policies in Grant mode enforce MFA for privileged roles and remote access; Identity Protection sign-in risk policies feed into the access-controls examiner review; Privileged Identity Management (PIM) gives the just-in-time admin elevation pattern examiners increasingly look for during URSIT Support and Delivery scrutiny; and Microsoft Entra ID lifecycle workflows produce the deprovisioning trail examiners test against departure dates.

Microsoft Intune covers the device side: enrollment baselines with BitLocker, Defender Antivirus, OS patch level, and password complexity all roll up into the device-compliance view that examiners now request alongside the access-controls review. Microsoft Defender for Office 365 and Microsoft Defender for Endpoint handle the active threat detection side that feeds OCC Bulletin 2020-10 third-party-risk and Regulation S-P incident response evidence requirements.

The capability is in the platform. The configuration is the work.
How ABT Operationalizes Microsoft 365 for Examiner-Ready Evidence
Microsoft Entra ID, Microsoft Purview, Microsoft Intune, Microsoft Defender, and Microsoft Sentinel are inside your Microsoft 365 subscription. Configuring them so an examiner can verify the URSIT Support and Delivery controls in ten minutes is the operating work. That operating work is what M365 Guardian covers. Guardian is ABT's operating model for Microsoft 365 in regulated financial institutions: a deployed baseline of 80 policy templates across 11 configuration categories mapped to OCC Bulletin 2020-46a, equivalent FDIC/Fed/NCUA cloud guidance, the FTC Safeguards Rule, and GSE seller-servicer counterparty requirements.

The baseline covers Conditional Access in Grant mode for every privileged role; Microsoft Purview Audit Premium retention configured to 12 months or longer with documented policies; Intune compliance policies covering OS version, BitLocker, Defender Antivirus, and patch level for every enrolled device; Defender for Office 365 anti-phishing and Safe Attachments policies in enforcement mode; and Microsoft Sentinel aggregating signals across the stack into a single incident timeline that doubles as Regulation S-P 30-day customer notification evidence.

ABT applies these configurations, monitors them between examinations to surface drift, and produces the cross-tenant evidence pack that examiners request, including the 12-month audit log lookback, the Conditional Access policy inventory, the SOC 2 Type II attestation file, and the device compliance posture report. That operating model runs across the 750+ FI footprint ABT manages today, which is why the same Microsoft 365 controls that pass an OCC examination at a community bank also pass an NCUA examination at a credit union and a CFPB CMS review at a mortgage company. The technical work is the same. The legal citations on the findings differ. The evidence pack is portable across the regulators.
Access Provisioning: The Gap You Cannot See Until Examination
Examiners across all four federal banking regulators now specifically review whether access provisioning and deprovisioning processes are automated or documented. The question is not just whether terminated employees lose access. It is whether your institution can demonstrate, with records, that access was revoked on a specific date for every departure. Manual processes that work reliably 95% of the time create a stale access exposure in the remaining 5%, and that 5% is exactly what examiners find in log reviews.
Microsoft Entra ID lifecycle management, combined with access reviews configured in Microsoft Entra ID Governance, provides the automated provisioning and deprovisioning trail federal examiners expect. M365 Guardian deploys these configurations as part of the standard Microsoft 365 tenant setup for regulated financial institutions. For institutions evaluating where to start on cloud governance, the AI and Copilot Readiness Assessment includes an evaluation of the cloud control configuration that aligns directly with federal examination expectations.
Free Assessment
How Does Your M365 Configuration Score Against Federal Cloud Control Expectations?
ABT's free AI Readiness Scan grades your Microsoft 365 environment on security configuration, audit log coverage, licensing alignment, and cloud controls, the same areas FFIEC examiners review at banks and credit unions and FTC Safeguards Rule auditors check at mortgage companies. Takes 15 minutes. No sales call required to see your grade.
Building Your IT Examination Readiness Program
Federal IT examination readiness is not a project you complete before each examination. It is a configuration management discipline you maintain between examinations. The institutions that consistently receive strong URSIT ratings are not the ones that scramble to prepare. They are the ones that keep their configurations aligned with examiner expectations year-round.
The following five steps are structured around the Microsoft 365 control areas examiners review most frequently for banks, credit unions, and mortgage companies. Each step is testable before the examination, so you know where you stand before examiners do.
5-Step Microsoft 365 Federal IT Examination Readiness Review
Audit Log Configuration and Retention Verification
Confirm that Microsoft Purview Audit is enabled for your tenant and that your retention policies cover at least 12 months for administrator activity, privileged role access events, and mailbox access logs. Run a test query pulling privileged role activity for the prior 12 months. If you cannot produce results covering the full 12-month window, you have a gap to close before the examination. This is the single most common audit log finding in community bank IT examinations.
MFA Enforcement Policy Review
Review your Microsoft Entra ID Conditional Access policies and confirm that MFA is enforced (Grant mode), not just enabled (Report-Only mode), for all Global Administrator, Privileged Role Administrator, and Security Administrator roles. Confirm that all remote access pathways require MFA. Document each policy by name, creation date, and the role or user group it covers. Examiners will ask for this documentation by name, not just ask whether MFA is deployed.
Device Inventory and Management Policy Confirmation
Pull your Microsoft Intune device inventory and document enrollment coverage, compliance policy assignment, and managed device status for all bank-issued devices. Examiners now ask specifically about BYOD controls and whether personal devices accessing financial institution systems are enrolled in mobile device management or subject to mobile application management policies. A device inventory that shows unmanaged personal devices accessing Microsoft 365 without policy enforcement is a finding in the access control category.
Email Authentication Configuration Check
Verify that your domain has SPF, DKIM, and DMARC records configured and that your DMARC policy is at minimum p=quarantine, ideally p=reject. Examiners increasingly cite email authentication gaps as a phishing control deficiency. DMARC at p=none is a monitoring mode setting, not an enforcement setting, and examiners treat p=none as an open finding for institutions that have had it in place for more than six months without progressing to enforcement.
Third-Party Vendor Cloud Assessment Documentation
Build or update your vendor inventory to include the SOC 2 Type II report status for each material cloud vendor, with the report date and the report period it covers. For Microsoft 365 specifically, the current SOC 2 Type II report is available on the Microsoft Service Trust Portal at servicetrust.microsoft.com. Download the current report and file it in your vendor management records. Examiners will ask for this document by name. If you cannot produce a current (within 12 months) SOC 2 Type II for your material cloud vendors, that is a vendor management finding.
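Two of the review steps above (the MFA enforcement policy review and the email authentication check) can be pre-tested offline against exported configuration. The script below is an added example, not ABT's or Microsoft's code: it takes the JSON shape Microsoft Graph returns for Conditional Access policies and a raw DMARC TXT record, and reports the same Grant-versus-Report-Only and p=none conditions the steps describe. The sample policies and DMARC record are constructed; the three role template IDs are the well-known Entra ID built-in role IDs and should be confirmed against your own tenant.

```python
# Offline readiness checks over exported Conditional Access policies and a DMARC record.

# Well-known Entra ID built-in role template IDs. Assumed stable; confirm them
# against your own tenant's directory role templates before relying on them.
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}
ENFORCED = "enabled"                               # Graph state for Grant mode
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state for Report-Only mode


def policy_requires_mfa(policy):
    """True if the grant controls demand MFA: the classic 'mfa' built-in control
    or an authentication strength (e.g. phishing-resistant MFA)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def roles_in_scope(policy):
    """Privileged role IDs this policy applies to across all cloud apps."""
    conditions = policy.get("conditions") or {}
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        return set()  # app-scoped policy; not a blanket privileged-access control
    users = conditions.get("users") or {}
    included = set(users.get("includeRoles") or [])
    if "All" in (users.get("includeUsers") or []):
        included |= set(PRIVILEGED_ROLES)  # 'All users' covers every role holder
    return (included & set(PRIVILEGED_ROLES)) - set(users.get("excludeRoles") or [])


def privileged_role_mfa_coverage(policies):
    """Map each privileged role to 'enforced', 'report-only' or 'uncovered'.
    A role counts as enforced only if some Grant-mode MFA policy covers it."""
    status = {name: "uncovered" for name in PRIVILEGED_ROLES.values()}
    for policy in policies:
        if not policy_requires_mfa(policy):
            continue
        for role_id in roles_in_scope(policy):
            name = PRIVILEGED_ROLES[role_id]
            if policy.get("state") == ENFORCED:
                status[name] = "enforced"
            elif policy.get("state") == REPORT_ONLY and status[name] != "enforced":
                status[name] = "report-only"
    return status


def dmarc_status(record):
    """Classify a DMARC TXT record as 'reject', 'quarantine', 'monitor-only'
    (p=none) or 'invalid'. A pct below 100 is flagged because only that fraction
    of failing mail is actually subjected to the stated policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy, pct = tags["p"].lower(), tags.get("pct", "100")
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject") or not pct.isdigit():
        return "invalid"
    return policy if int(pct) == 100 else f"{policy} (pct={pct})"


# Constructed sample input for this example; not exported from any real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Admins: phishing-resistant MFA", "state": ENFORCED,
     "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10",
                                               "194ae4cb-b126-40b2-bd5b-6091b380977d"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    {"displayName": "PRA MFA pilot", "state": REPORT_ONLY,
     "conditions": {"users": {"includeRoles": ["e8611ab8-c189-46e8-94e1-60213ab1f814"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def readiness_findings(policies, dmarc_record):
    """Return the list of finding strings the two review steps would produce."""
    findings = []
    for role, state in privileged_role_mfa_coverage(policies).items():
        if state != "enforced":
            findings.append(f"MFA {state} for {role}")
    dmarc = dmarc_status(dmarc_record)
    if dmarc not in ("quarantine", "reject"):
        findings.append(f"DMARC {dmarc}")
    return findings


if __name__ == "__main__":
    for finding in readiness_findings(SAMPLE_POLICIES, SAMPLE_DMARC):
        print("FINDING:", finding)
```

Replace the sample list with the output of a Graph export of your tenant's policies and the DMARC record with your domain's TXT value to get the same two classifications for your own environment.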
Key Takeaway
FFIEC IT examination readiness is a configuration discipline, not a documentation drill. Microsoft Entra ID, Microsoft Purview, Microsoft Intune, Microsoft Defender, and Microsoft Sentinel can satisfy every URSIT Support and Delivery expectation when they are configured, monitored, and documented as one operating model. That is what M365 Guardian operationalizes across ABT's 750+ FI footprint, so the evidence pack your CCO hands to an examiner is the same evidence pack other community banks, credit unions, and mortgage companies have already passed exams with.
Pre-Examination Review
Get a Pre-Examination IT Review Before Your Next Federal Exam
ABT serves 750+ financial institutions and has helped community banks, credit unions, and mortgage companies prepare for federal IT examinations and counterparty audits for over 25 years. We review your Microsoft 365 configuration across the six control areas FFIEC examiners check (and the FTC Safeguards Rule equivalents for mortgage companies), identify gaps, and help you close them before your examination cycle. Schedule a no-cost pre-examination review with our team.
Frequently Asked Questions
The FFIEC IT Examination Handbook is the joint framework adopted by the OCC, FDIC, Federal Reserve, and NCUA for IT examinations of banks and credit unions. If your community bank holds a national charter, your OCC examiner uses it. State-chartered, your FDIC or Federal Reserve examiner uses it. Credit union, your NCUA examiner uses it. Independent mortgage lenders and servicers do not receive FFIEC examinations directly, but the FTC Safeguards Rule (16 CFR Part 314), CFPB Compliance Management System reviews, and Fannie Mae/Freddie Mac/Ginnie Mae seller-servicer counterparty audits reference substantially the same control areas. A Microsoft 365 configuration that satisfies FFIEC handbook expectations will satisfy the mortgage company equivalents in one configuration pass.
URSIT stands for Uniform Rating System for Information Technology. It is an FFIEC-adopted framework, which means OCC, FDIC, Federal Reserve, and NCUA examiners all use it. URSIT rates a financial institution's IT environment on a 1-to-5 scale (1 is best) across four components: Audit, Management, Development and Acquisition, and Support and Delivery. For banks, the URSIT composite feeds into the CAMELS composite through the Management (M) and Sensitivity to Risk (S) components. For credit unions, it feeds into the equivalent CAMELS-S supervisory rating. A weak URSIT rating can degrade your composite rating even when operational and financial metrics are strong.
The FFIEC retired the Cybersecurity Assessment Tool (CAT) on August 31, 2025. The FFIEC's recommended replacement is NIST Cybersecurity Framework 2.0, released by NIST in February 2024. NIST CSF 2.0 added a Govern function that the original 2014 framework did not include. The Govern function covers cybersecurity governance structure, organizational context, and risk strategy, all of which map to the URSIT Management component. Institutions that built their cybersecurity program around CAT maturity levels should map existing controls to NIST CSF 2.0 categories, with particular attention to the new Govern function. The replacement designation applies across all four federal banking regulators.
Across OCC, FDIC, NCUA, and FTC enforcement records, the most common IT findings involve access control deficiencies, specifically MFA gaps for privileged access accounts and remote access sessions. Legacy system risk management failures, where end-of-life systems lack documented compensating controls or a remediation timeline, are the second most common category. Cloud control deficiencies, particularly audit log retention below 12 months and access provisioning gaps in cloud-hosted systems, have become the fastest-growing finding category as more institutions move core operations to cloud platforms. The pattern holds whether the examiner is from a federal banking regulator or the FTC enforcing the Safeguards Rule against a non-bank mortgage company.
No. Independent mortgage lenders and servicers do not receive FFIEC IT examinations and the FFIEC handbook does not apply to them directly. They are subject to the FTC Safeguards Rule (16 CFR Part 314), CFPB compliance examinations, and seller-servicer counterparty audits from Fannie Mae, Freddie Mac, and Ginnie Mae. These frameworks reference substantially the same control areas as the FFIEC handbook: access management, MFA enforcement, audit log retention, vendor oversight, encryption in transit and at rest, and incident response. A mortgage company that builds Microsoft 365 controls to FFIEC expectations will satisfy the FTC Safeguards Rule, CFPB CMS reviews, and GSE counterparty audits in one configuration pass. The technical work is the same. The legal citations on the audit findings differ.
Microsoft 365 addresses a substantial portion of FFIEC cloud control, access management, and audit log requirements natively, but the controls must be configured to be effective. Microsoft Entra ID provides MFA enforcement and access management controls. Microsoft Purview Audit provides log retention capability. Microsoft Intune provides device management inventory and compliance documentation. Microsoft Defender for Office 365 covers email authentication and anti-phishing controls. The platform has the capability to meet examiner expectations across all six cloud control areas referenced in OCC Bulletin 2020-46a and the equivalent FDIC, Fed, and NCUA cloud guidance. Most institutions have a configuration gap, not a platform gap. M365 Guardian, ABT's operating model for regulated financial institutions, is how that configuration gap gets closed and stays closed between examinations.
Federal banking regulators expect audit logs retained for at least 12 months, accessible for examination on request, and covering all administrative and privileged access activity. Microsoft 365 Business Premium includes Microsoft Purview Audit Standard, which retains logs for 90 days by default. That does not meet the 12-month examiner expectation. Microsoft Purview Audit Premium, available as an add-on for Business Premium tenants or included in higher-tier plans, extends retention to 180 days at minimum and supports custom retention policies up to 10 years for specific log types. For most institutions on Business Premium, adding Microsoft Purview Audit Premium is the direct solution to this examination requirement.
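As an added example (not the article's own material and not ABT's M365 Guardian tooling), the following PowerShell checks a tenant's unified audit log retention policies against the 12-month expectation described above and creates a 12-month policy for administrative and directory sign-in records when none already covers them. It assumes the ExchangeOnlineManagement module, Purview Audit (Premium) licensing (custom audit retention policies require it), and the record-type selection and policy name shown, which are assumptions rather than guidance from the article.

```powershell
# Added example: compare audit log retention policies with the 12-month
# examiner expectation and close the gap for admin/privileged activity.
# Requires the ExchangeOnlineManagement module and Purview Audit (Premium).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

# Map the RetentionDuration enum names to months so policies can be compared.
$durationMonths = @{ ThreeMonths = 3; SixMonths = 6; NineMonths = 9; TwelveMonths = 12; TenYears = 120 }

# Record types taken here to represent admin and privileged access activity.
# This selection is an assumption; align it with your own risk assessment.
$privilegedTypes = @('ExchangeAdmin', 'AzureActiveDirectory', 'AzureActiveDirectoryStsLogon')

$policies = @(Get-UnifiedAuditLogRetentionPolicy)
if ($policies.Count -eq 0) {
    Write-Warning 'No custom audit retention policies found; the tenant is on its plan default.'
}

# Report every policy, flagging any that keeps records for less than 12 months.
foreach ($p in $policies) {
    $months = $durationMonths[[string]$p.RetentionDuration]
    $status = if ($months -ge 12) { 'OK' } else { 'FINDING: below 12 months' }
    '{0,-40} {1,-13} {2}' -f $p.Name, $p.RetentionDuration, $status
}

# A policy covers privileged activity only if it holds every record type
# listed above for at least 12 months.
$covered = foreach ($p in $policies) {
    $missing = $privilegedTypes | Where-Object { $_ -notin @($p.RecordTypes) }
    if ($durationMonths[[string]$p.RetentionDuration] -ge 12 -and -not $missing) { $p }
}

if (-not $covered) {
    # Policy name is a placeholder; use one that fits your naming standard.
    New-UnifiedAuditLogRetentionPolicy -Name 'FFIEC-Privileged-Activity-12mo' `
        -Description 'Retain admin and directory sign-in audit records for 12 months' `
        -RecordTypes $privilegedTypes -RetentionDuration TwelveMonths -Priority 10
}
```

Export the report output into the vendor management or examination evidence file alongside the Purview licensing record, since the examiner will want to see both the retention setting and the entitlement that makes it possible.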
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch is CEO of Access Business Technologies, a Tier-1 Microsoft Cloud Solution Provider that manages Microsoft 365 tenants for 750+ financial institutions. ABT works with community banks, credit unions, and mortgage companies to align Microsoft 365 configurations with FFIEC examination requirements (OCC, FDIC, Federal Reserve, NCUA) and the FTC Safeguards Rule plus GSE counterparty audits for mortgage companies. ABT has served financial institutions for over 25 years from its headquarters in Folsom, California.

