
Control 3.13: FFIEC IT Examination Handbook Alignment

Control ID: 3.13
Pillar: Compliance & Audit
Regulatory Reference: FFIEC IT Examination Handbook (Information Security, Audit, Management, Operations Booklets), FFIEC Cybersecurity Assessment Tool (CAT)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Map the FSI Copilot Governance Framework controls to the FFIEC IT Examination Handbook booklets and the FFIEC Cybersecurity Assessment Tool (CAT), enabling banking institutions to demonstrate that their Microsoft 365 Copilot governance practices align with FFIEC examination expectations and cybersecurity maturity benchmarks.

Why This Matters for FSI

The Federal Financial Institutions Examination Council (FFIEC) publishes the IT Examination Handbook, which provides guidance for examiners evaluating financial institutions' information technology practices. Banking institutions -- including national banks, state banks, savings associations, and credit unions -- are examined against these standards by their primary federal regulator (OCC, FDIC, Federal Reserve, or NCUA).

The FFIEC IT Examination Handbook consists of multiple booklets covering areas such as Information Security, Audit, Management, Operations, and others. When a banking institution deploys M365 Copilot, examiners will evaluate the institution's AI governance practices through the lens of these existing booklets. Demonstrating alignment between Copilot governance controls and FFIEC expectations helps reduce examination friction and supports favorable examination outcomes.

The FFIEC Cybersecurity Assessment Tool (CAT) provides a structured methodology for institutions to assess their cybersecurity maturity across five domains. Copilot deployment affects multiple CAT domains, and institutions should incorporate Copilot into their CAT self-assessment process.

This control is particularly important for community banks, regional banks, and credit unions that may be deploying Copilot for the first time and need to demonstrate to examiners that they have considered AI governance within their existing FFIEC compliance framework.

Control Description

This control provides comprehensive mappings between FSI Copilot Governance Framework controls and FFIEC IT Examination Handbook booklets, along with FFIEC CAT domain alignment guidance.

FFIEC IT Handbook Booklet Mapping

Information Security Booklet

| FFIEC Requirement | FSI Copilot Control | Evidence |
|---|---|---|
| Risk assessment for new technologies | Control 1.1 (Copilot Readiness Assessment) | Pre-deployment risk assessment documentation |
| Access controls for information systems | Control 1.6 (Permission Model Audit), Control 2.x (Conditional Access) | Permission audit results, conditional access policy configurations |
| Data classification and handling | Control 1.5 (Sensitivity Labels), Control 2.x (DLP) | Sensitivity label taxonomy, DLP policy configurations |
| Encryption of sensitive data | Control 2.x (Sensitivity Labels with encryption) | Label configurations with encryption settings |
| Incident response for IT incidents | Control 3.7 (Regulatory Reporting), Control 4.x (Incident Response) | Incident response plan, tabletop exercise results |
| Vulnerability management | Control 1.10 (Vendor Risk Management) | Microsoft security review, vendor risk assessment |
| Security monitoring and logging | Control 3.1 (Audit Logging), Control 4.x (Sentinel Monitoring) | Audit log configuration, SIEM integration status |
| Third-party risk management | Control 1.10 (Vendor Risk Management) | Microsoft vendor assessment, subprocessor review |
| Security awareness training | Control 1.12 (Training and Awareness) | Training completion records, training materials |

Audit Booklet

| FFIEC Requirement | FSI Copilot Control | Evidence |
|---|---|---|
| IT audit program | Control 3.12 (Evidence Collection) | Copilot governance audit program documentation |
| Audit scope covers IT systems | Control 3.12, Control 3.1 (Audit Logging) | Copilot included in IT audit scope; audit log evidence |
| Independence of audit function | Control 3.12 (Evidence Collection) | Independent audit testing documentation |
| Audit trail integrity | Control 3.1 (Audit Logging), Control 3.11 (Record Keeping) | Audit log retention, WORM storage verification |
| Corrective action tracking | Control 3.12 (Evidence Collection) | Remediation tracker, finding resolution documentation |
| Board and management reporting | Control 3.7 (Regulatory Reporting), Control 3.12 | Compliance committee reports, management attestations |

Management Booklet

| FFIEC Requirement | FSI Copilot Control | Evidence |
|---|---|---|
| IT strategic planning | Control 1.1 (Readiness Assessment), Control 1.11 (Change Management) | Copilot deployment strategy, governance committee charter |
| IT governance structure | Control 3.6 (Supervision), Control 3.8 (Model Risk) | AI governance committee charter, supervisory designations |
| Policies and procedures | Control 3.6 (WSPs), Control 3.5 (FINRA 2210) | Copilot usage policies, written supervisory procedures |
| Risk management process | Control 3.8 (Model Risk Management) | MRM documentation, risk assessment results |
| Business continuity planning | Control 4.x (BC/DR) | Copilot business continuity plans |
| Project management for IT initiatives | Control 1.11 (Change Management) | Copilot deployment project documentation |
| Service level management | Control 1.10 (Vendor Risk Management) | Microsoft SLA review, performance monitoring |
| Performance management | Control 4.x (Analytics), Control 3.8 (MRM Monitoring) | Copilot usage analytics, output quality metrics |

Operations Booklet

| FFIEC Requirement | FSI Copilot Control | Evidence |
|---|---|---|
| IT operations management | Control 4.x (Feature Toggles, Per-App Config) | Copilot operational configuration documentation |
| Change management | Control 1.11 (Change Management) | Change control records for Copilot configuration changes |
| Capacity planning | Control 4.x (Cost Tracking), Control 1.9 (License Planning) | License allocation, capacity monitoring |
| Problem management | Control 4.x (Incident Response) | Copilot incident records, resolution documentation |
| Service desk support | Control 1.12 (Training), Control 4.x (Operations) | Copilot support procedures, user guidance |

FFIEC Cybersecurity Assessment Tool (CAT) Alignment

The FFIEC CAT assesses cybersecurity maturity across five domains. Copilot governance intersects with each domain:

Domain 1: Cyber Risk Management and Oversight

| CAT Declarative Statement | Maturity Level | Copilot Control Alignment |
|---|---|---|
| The institution has an AI/emerging technology risk management strategy | Evolving | Control 3.8 (Model Risk Management), Control 1.1 (Readiness Assessment) |
| Oversight of AI technology is assigned to qualified personnel | Evolving | Control 3.6 (Supervision), Control 3.8 (MRM -- designated model owner) |
| AI risk is incorporated into enterprise risk management | Intermediate | Control 3.8, Control 3.7 (Regulatory Reporting) |
| Board oversight includes AI technology risk | Intermediate | Control 3.12 (Management attestation), Control 3.7 (Board reporting) |

Domain 2: Threat Intelligence and Collaboration

| CAT Declarative Statement | Maturity Level | Copilot Control Alignment |
|---|---|---|
| Threat intelligence includes AI-related threats | Evolving | Control 4.x (Sentinel Monitoring), Control 1.10 (Vendor Risk) |
| Information sharing covers AI security concerns | Intermediate | Control 1.10 (Microsoft threat intelligence sharing) |

Domain 3: Cybersecurity Controls

| CAT Declarative Statement | Maturity Level | Copilot Control Alignment |
|---|---|---|
| Access controls protect AI tool access | Baseline | Control 1.6 (Permission Audit), Control 2.x (Conditional Access) |
| Data loss prevention covers AI interactions | Evolving | Control 2.x (DLP for Copilot) |
| Security monitoring includes AI activity | Evolving | Control 3.1 (Audit Logging), Control 4.x (Sentinel) |
| Incident response covers AI incidents | Evolving | Control 3.7 (Regulatory Reporting), Control 4.x (Incident Response) |

Domain 4: External Dependency Management

| CAT Declarative Statement | Maturity Level | Copilot Control Alignment |
|---|---|---|
| Third-party AI vendor risk is assessed | Evolving | Control 1.10 (Vendor Risk Management) |
| Cloud AI service agreements include security requirements | Evolving | Control 1.10 (Data processing agreements) |
| AI vendor performance is monitored | Intermediate | Control 3.8 (MRM ongoing monitoring) |

Domain 5: Cyber Incident Management and Resilience

| CAT Declarative Statement | Maturity Level | Copilot Control Alignment |
|---|---|---|
| Incident response includes AI incidents | Evolving | Control 3.7, Control 4.x |
| Business continuity covers AI tool dependencies | Evolving | Control 4.x (BC/DR) |
| Recovery plans address AI tool disruption | Intermediate | Control 4.x (BC/DR) |

FFIEC Examination Preparation Checklist

When preparing for an FFIEC IT examination that may cover Copilot:

| # | Preparation Item | Control Reference |
|---|---|---|
| 1 | Copilot deployment risk assessment documentation | 1.1 |
| 2 | Data classification and sensitivity label documentation | 1.5, 2.x |
| 3 | Access control and permission model documentation | 1.6, 2.x |
| 4 | DLP policy configurations and testing results | 2.x |
| 5 | Audit logging configuration and sample events | 3.1 |
| 6 | Retention policy configurations | 3.2 |
| 7 | Communication compliance policy configurations | 3.4 |
| 8 | Supervisory procedures (WSPs) addressing Copilot | 3.6 |
| 9 | Model risk management documentation | 3.8 |
| 10 | Vendor risk assessment for Microsoft | 1.10 |
| 11 | Training materials and completion records | 1.12 |
| 12 | Incident response plan (including Copilot scenarios) | 3.7, 4.x |
| 13 | Evidence collection procedures and most recent evidence pack | 3.12 |
| 14 | FFIEC CAT self-assessment incorporating Copilot | 3.13 (this control) |

Copilot Surface Coverage

FFIEC alignment applies across all Copilot surfaces, as examiners evaluate the institution's comprehensive governance posture:

| Copilot Surface | Primary FFIEC Booklet Concern | Key Examination Focus |
|---|---|---|
| All surfaces | Information Security | Access controls, data classification, monitoring |
| Outlook/Teams Copilot | Operations, Information Security | Communication governance, data handling |
| Word/Excel/PowerPoint Copilot | Management, Audit | Financial document governance, output controls |
| Microsoft 365 Copilot Chat | Information Security | Data access scope, permission enforcement |
| SharePoint/OneDrive Copilot | Information Security | Data classification, sharing controls |
| Copilot Pages | Operations, Information Security | Collaborative content governance |

Governance Levels

Baseline

  • Complete the FFIEC IT Handbook mapping for all deployed Copilot governance controls, focusing on the most relevant booklets:
    • Information Security (2016): Vendor contracts, access management, DLP, audit logs
    • Architecture, Infrastructure & Operations (AIO) (2021): Primary AI reference; explicitly names AI/ML as a technology risk area
    • Audit (2024): Audit expertise for AI tools, risk-based testing frequency, remediation tracking
    • Management (2015): Board-level AI governance, vendor management oversight
    • Note: The Operations booklet has been superseded by AIO (2021); no standalone FFIEC AI booklet exists as of March 2026
  • Include Copilot in the institution's existing FFIEC CAT self-assessment
  • Document Copilot governance in the institution's IT risk assessment, referencing AIO booklet examination procedures for AI/ML risk identification
  • Prepare basic examination documentation covering Copilot deployment and governance
  • Communicate Copilot governance approach to the institution's primary federal regulator if requested

FSI Note: Examiners are increasingly applying AIO examination procedures to AI tool deployments even without an AI-specific booklet. Document Copilot governance under the AIO framework explicitly.

Recommended

  • Align evidence collection (Control 3.12) with FFIEC examination expectations, mapping to key examination procedures:
    • Information Security: Verify vendor contract adequacy (Microsoft DPA, breach notification SLAs), access management controls (Copilot entitlement reviews), DLP policy coverage for Copilot content locations, UAL audit log completeness
    • AIO (2021): Document AI risk assessment process, maintain AI tool inventory, include Copilot in vendor management program, monitor AI system performance and output quality
    • Audit (2024): Confirm internal audit has access and expertise to test AI tool controls, apply risk-based testing frequency, track Copilot-related findings to remediation
  • Conduct annual FFIEC CAT self-assessment updates incorporating Copilot
  • Map all 54 FSI Copilot Governance Framework controls to applicable FFIEC booklet requirements
  • Create examiner-ready documentation organized by FFIEC booklet
  • Prepare for typical examiner documentation requests by maintaining these artifacts:
    1. AI tool inventory (name, purpose, vendor, date deployed, risk classification, business owner)
    2. Vendor management documentation (Microsoft due diligence reports, contracts, SLAs, DPA)
    3. Risk assessment (use-case-specific: data types accessed, decision-making influence)
    4. Acceptable use policy for Copilot and employee training records
    5. Access control evidence (license assignment logs, entitlement review results)
    6. Audit log configuration evidence (UAL enabled for Copilot interactions)
    7. Data governance controls (retention policies, DLP policies covering Copilot content locations)
    8. Incident response plan (procedures for Copilot-related data incidents)
    9. Change management records (Message Center subscriptions, Copilot update tracking)
    10. Training records (user training on Copilot acceptable use, data handling in AI interactions)
  • Conduct internal assessment against FFIEC expectations before examination
  • Update FFIEC alignment documentation when Microsoft updates Copilot capabilities
  • Train compliance staff on FFIEC examination procedures for AI technology

Regulated

  • Commission independent FFIEC readiness assessment for Copilot governance, covering all relevant booklets (Information Security, AIO, Audit, Management) and supplemental guidance (OCC Bulletin 2025-26, SR 11-7)
  • Maintain continuously updated FFIEC mapping documentation; in the absence of a standalone FFIEC AI booklet, rely on AIO (2021) + OCC Bulletin 2025-26 as the primary AI governance references
  • Implement automated evidence collection aligned with FFIEC examination request patterns, covering all 10 standard examiner documentation request categories (AI inventory, vendor management, risk assessment, AUP, access control, audit logs, data governance, incident response, change management, training records)
  • Prepare standing examination response packages organized by FFIEC booklet
  • Conduct annual mock examination for Copilot governance aligned with FFIEC procedures, including AIO-specific AI/ML examination scenarios
  • Integrate FFIEC CAT maturity targets into the Copilot governance roadmap
  • Document advancement plan for moving from Evolving to Intermediate maturity in CAT domains
  • Maintain examiner relationship documentation noting any AI-specific examination focus areas

Setup & Configuration

Step 1: Complete Initial FFIEC Mapping

  1. Download or reference the current FFIEC IT Examination Handbook booklets:
    • Information Security (2016, updated 2023)
    • Audit (2003, updated)
    • Management (2004, updated)
    • Operations (2004, updated)
  2. For each booklet section, identify requirements that apply to Copilot deployment
  3. Map each requirement to the corresponding FSI Copilot Governance Framework control
  4. Document coverage gaps where FFIEC requirements are not addressed by current controls
  5. Develop remediation plans for coverage gaps

Step 2: Update FFIEC CAT Self-Assessment

  1. Access the institution's most recent FFIEC CAT self-assessment
  2. For each CAT domain, assess whether Copilot deployment changes the institution's:
    • Inherent risk profile: Does Copilot increase the complexity, connectivity, or volume of technology usage?
    • Cybersecurity maturity: Does Copilot governance improve or create gaps in cybersecurity maturity?
  3. Update the CAT assessment to reflect Copilot:
    • Domain 1 (Risk Management): Add Copilot to AI risk governance
    • Domain 2 (Threat Intelligence): Include AI-specific threats
    • Domain 3 (Controls): Confirm Copilot is covered by access controls, DLP, monitoring
    • Domain 4 (External Dependencies): Add Microsoft Copilot as a vendor dependency
    • Domain 5 (Incident Management): Include Copilot in incident response and BC/DR
  4. Document the updated CAT assessment and present to the board or IT committee

Step 3: Create Examiner-Ready Documentation

  1. Organize documentation by FFIEC booklet:

Information Security Package:

  • Copilot risk assessment summary
  • Access control documentation (permissions, conditional access, DLP)
  • Security monitoring configuration (audit logging, SIEM integration)
  • Incident response plan excerpt covering Copilot
  • Vendor security assessment (Microsoft)

Audit Package:

  • Copilot governance audit scope documentation
  • Audit trail configuration (audit logging, retention)
  • Evidence collection procedures and most recent evidence pack
  • Testing results (SOX 404, FINRA 3120)

Management Package:

  • AI governance committee charter and minutes
  • Copilot deployment strategy and risk acceptance
  • MRM documentation
  • Written supervisory procedures for Copilot
  • Training program documentation

Operations Package:

  • Copilot operational configuration documentation
  • Change management records for Copilot changes
  • License allocation and capacity planning
  • Support procedures and user guidance

  2. Store packages in the evidence repository (Control 3.12) on a regular update schedule

Step 4: Establish Ongoing FFIEC Alignment Review

  1. Schedule annual FFIEC alignment review (recommend aligning with FFIEC CAT update cycle)
  2. Assign responsibility for monitoring FFIEC handbook updates and AI-related examination guidance
  3. Update mappings when:
    • FFIEC publishes new handbook booklets or updates
    • FFIEC issues new AI-related examination guidance
    • FSI Copilot Governance Framework controls are added or modified
    • Microsoft updates Copilot capabilities significantly
  4. Document review outcomes and present to IT committee or board

Financial Sector Considerations

Community Bank Considerations

Community banks deploying Copilot may face unique FFIEC examination challenges:

  • Limited IT staff: Community banks may have smaller IT and compliance teams, making comprehensive FFIEC alignment more resource-intensive
  • Examiner familiarity: Examiners may be less familiar with Copilot-specific governance concerns; be prepared to explain Copilot architecture and governance
  • Proportionality: FFIEC expectations scale with institution size and complexity; community bank Copilot governance can be simpler while still meeting expectations
  • Shared services: Community banks using managed IT services should coordinate Copilot governance with their service providers

Credit Union Considerations

Credit unions examined by NCUA face similar FFIEC alignment requirements:

  • NCUA examiners use FFIEC guidance as a reference framework
  • Credit union supervisory focus on member data protection aligns with Copilot NPI controls
  • Shared branching and CUSO relationships may create additional Copilot data access considerations

Multi-Charter Institutions

Institutions with multiple charters (e.g., bank holding company with bank and broker-dealer subsidiaries) face overlapping examination requirements:

  • FFIEC examination for the bank entity
  • FINRA/SEC examination for the broker-dealer entity
  • Consolidated supervision by the Federal Reserve for the holding company

Copilot governance documentation should be organized to serve all examination audiences while maintaining consistency across entities.

FFIEC Interagency Guidance on AI

The FFIEC member agencies have issued joint guidance on AI technology. Institutions should monitor for:

  • Updates to the FFIEC IT Examination Handbook addressing AI
  • New FFIEC examination procedures for AI and LLM technologies
  • Interagency statements on AI risk management expectations
  • CAT updates incorporating AI-specific maturity indicators

Verification Criteria

| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Verify FFIEC mapping documentation exists | Mapping covers all applicable FFIEC booklet requirements for Copilot | Baseline |
| 2 | Verify Copilot is included in FFIEC CAT self-assessment | All five CAT domains reflect Copilot deployment | Baseline |
| 3 | Verify IT risk assessment includes Copilot | Risk assessment documents Copilot as an AI technology risk | Baseline |
| 4 | Review examiner-ready documentation packages | Packages organized by FFIEC booklet with current evidence | Recommended |
| 5 | Verify annual FFIEC alignment review is completed | Review documentation shows mapping updates and gap remediation | Recommended |
| 6 | Test examination response readiness | Copilot governance documentation producible within 2 business days of examiner request | Recommended |
| 7 | Verify independent FFIEC readiness assessment | Assessment completed with findings and remediation plan | Regulated |
| 8 | Review mock examination results | Mock examination completed with documented outcomes and improvements | Regulated |
| 9 | Verify CAT maturity advancement plan | Plan documents target maturity levels and timeline for advancement | Regulated |
| 10 | Verify multi-charter coordination | Documentation serves all applicable examination audiences consistently | Regulated |

Additional Resources


FSI Copilot Governance Framework v1.2.1 - March 2026