Tech Time: FFIEC’s Revised Architecture, Infrastructure and Operations Booklet

In June of 2021, the Federal Financial Institutions Examination Council released an updated technology handbook that focuses on architecture, infrastructure and operations.

The “Architecture, Infrastructure, and Operations” booklet (referred to as AIO) is one of a series that comprise the larger IT handbook. It focuses on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall business structure, implementation of IT infrastructure components, and delivery of services and value for customers. This new booklet replaces the previous one developed in 2004 and an update was long overdue. Technology has evolved tremendously, and as a result, the way we design, build and manage our technology is far more important.

It’s not often that I define regulations as exciting, but as a technology company, we were excited to see the modernization of thought that went into this new release. Specifically, we like that:

1. Technology governance is prioritized from the top down.
2. Architecture must support the credit union strategy.
3. Operations is well defined, explaining what a credit union must do to maintain and manage the environment.
4. Innovation and contemplation of evolving technologies is defined.
5. Cybersecurity is embedded into architecture and design.

Credit unions today are technology organizations, they have the huge responsibility of managing the most sensitive data of their members while delivering a technology experience that is innovative. The protection of member data, and the transformation of the member experience, cannot be achieved without a technology strategy that is radically different. Technology no longer plays a secondary supporting role; instead, it is the lead role and needs to be ingrained from the top down.

At Think|Stack, we have spent 10 years perfecting our design framework and processes to help organizations create a technology strategy that empowers transformation and innovation through integration with the human experiences of the members and employees. And for the first time, the FFIEC seems to have embraced this concept. We are excited to see the guidance they are delivering, because we know that this is what our industry needs.

Technology Governance

Technology governance starts at the top. Under the new guidance, the board and executive team are required to take a more active role in the technology process.

“The board is responsible for overseeing, and senior management is responsible for implementing and maintaining, a safe and sound operating environment that supports the entity’s goals and objectives and complies with applicable laws and regulations. Management should establish responsibility and accountability for the administration of the day-to-day functions of the IT environment.”

Some are intimidated to govern that in which they are not experts, but with a good communication and education process, those in these roles can oversee technology effectively. We always encourage clear delineations and definitions of roles within teams, developing education for those specific roles then creating more reporting, with regular reports from IT teams and partners.

Architecture Must Support Strategy

In the past, credit union IT departments were building IT based on best practices. While this sounds effective, it often can be a departure from the needs of your specific organization. There is rarely a one-size-fits-all approach that works, and the results of this approach were IT constraints and delays or derailment of strategic initiatives, because the systems couldn’t support the change.

With the speed of change and volatile world we live in, this can no longer be the case—technology must empower change and innovation, not be the anchor preventing it. To do this, leaders need to reconsider how they design, starting with the credit union’s strategy, values and requirements. With the strategy defined, the leadership team must work with the IT team and vendor partners to design an architecture that will empower the strategy.

The planning process must involve senior management who should define the responsibilities to enable personnel to work toward achieving enterprise-wide business and strategic plan objectives. Management must understand the impact of IT on the plan and must make changes to the IT team if it is not prepared to support the current and future objectives.

This requires management to be more involved and may mean additional third-party resources are needed to help identify the architecture and communicate effectively between all stakeholders. IT operations must be balanced to support current operations and support future business unit growth.

IT Operations

Building a strong architecture is no longer enough. Organizations must have the talent to maintain, secure and enhance that architecture constantly. The rate of change, the frequency of cyberattacks and the need for constant innovation means you must have a team that is prepared to support the growing environment. The roles are clearly identified in the AIO, and many credit unions will need to supplement internal IT staff with third-party partners who can fill these roles. But the credit union must properly fill these roles and ensure the processes and maintenance required therein are being met. Organizations that can perform these tasks, via the defined roles, will build a nimble team that is prepared to support the organization into the future, keeping it secure along the way.

Evolving Tech

The AIO does a great job of identifying some of the evolving tech that needs to be discussed today. More importantly, it contemplates how to manage the review of these technologies into perpetuity. Fintech competitors are using such evolving technologies to build excellent experiences, and credit unions must do the same—and have a process for continuous innovation that it is well defined.

Security

Lastly, the importance of security, in design and governance, is well established. The AIO discusses things like Zero Trust architecture, which is a process of designing systems to trust nothing, inspect everything and limit access to only that which is necessary. These fundamental architectural changes, built with strong governance and involvement from the executive team, will go a long way in preparing for secure credit unions.

All credit unions should take the time to read the revised AIO handbook. Unlike other IT regulatory guides, this one is built for executives and boards and is a chance to modernize credit unions. To compete with fintechs, credit unions must become  tech-first organizations that think, breathe and strategize technology—IT needs to be brought out of the data center and into the boardroom.

Chris Sachse is CEO of CUES Supplier member Think|Stack, Baltimore, a managed IT services CUSO specializing in cloud and cybersecurity solutions for credit unions and non-profits. He can be reached at chris@thinkstack.co. For more information about digital transformation, cloud adoption and cybersecurity practices that improve member experiences while protecting member data, visit www.thinkstack.co.