RiskWatch
FFIEC · IT examination · CAT maturity · InTREx

Your IT examination is six weeks out.

Federal-examined banks and credit unions get tested against the FFIEC IT Handbook on a fixed cadence. Your examiner already has the question list. RiskWatch builds your answers continuously so “preparing for examination” stops being a quarter of work.

  • FFIEC IT Handbook + Cybersecurity Assessment Tool (CAT)
  • InTREx framework + URSIT rating preparation
  • 9 examination domains scored continuously · OCC / FDIC / Fed / NCUA / CFPB aligned
  • For audit committee: cybersecurity maturity dashboard ready quarterly
No credit card · FFIEC handbooks + CAT + InTREx ship day 1
[Dashboard preview: CAT maturity 5-domain composite · handbook booklets covered · CAT statements scored (of 494) · FS-ISAC sharing · days to InTREx · top open CAT statements by inherent risk]
Trusted by community banks, credit unions, and bank holding companies preparing for IT examinations
BAI · The Coca-Cola Company · Bose · TE Connectivity · Iberdrola USA · Pfizer · WorldAware · XPO Logistics
What it is

What is FFIEC compliance software?

Your IT examination starts on a fixed cadence. The examiner already has the question list. RiskWatch builds your answers continuously across the FFIEC IT Handbook + Cybersecurity Assessment Tool + InTREx framework, scores 9 examination domains across all five regulators (OCC, FDIC, Fed, NCUA, CFPB), and produces the audit-committee maturity dashboard before the regulator asks. Examination week stops being a quarter of work.

Why teams move to RiskWatch

Examiners arrive with a checklist. You don't have a copy.

Community bank IT compliance is the asymmetric-information problem. The FFIEC handbook is public, but the examination procedures examiners use vary by agency, by examiner, by year. Even the FDIC's OIG found in a 2023 report that InTREx itself has gaps. Here's where small banks actually lose points.

Pain #1

Examiners arrive with a checklist. You don't have a copy.

Examination procedures vary by agency and by examiner. The FFIEC IT Handbook is public, but the specific evidence requests are not. RiskWatch pre-loads examiner checklists by agency (OCC vs FDIC vs Fed vs NCUA vs CFPB): the questions and artifacts each examiner type asks for, organized by booklet.

Pain #2

Cyber threat landscape changes monthly. Your last InTREx was 18 months ago.

Examiners want active engagement with FS-ISAC and other information-sharing networks. Many community banks don't fully understand the specific threats they face, let alone share intelligence about them. FS-ISAC integration captures threat-intelligence ingestion as examiner-visible evidence. Quarterly threat-landscape briefings are auto-generated for board reporting.

Pain #3

FFIEC CAT maturity drops every quarter you don't update.

The Cybersecurity Assessment Tool (CAT) scores 494 statements across 5 domains. Maturity isn't static: controls drift and new threats emerge. With continuous CAT scoring and quarterly re-baselining, integrated with your security tooling, examiners see a current maturity score, not a stale annual snapshot.

  • 12+ FFIEC IT Handbook booklets: Architecture · Operations · BCP · InfoSec · more
  • 494 CAT statements across 5 domains: Cyber Risk Mgmt · Threat Intel · Controls · Dependency · Cyber Incident
  • 5 examiner agencies covered: OCC · FDIC · Fed · NCUA · CFPB

The FFIEC platform

Every module a bank IT examination needs, in one platform.

Built around the IT Examination Handbook + Cybersecurity Assessment Tool. Pre-loaded examiner checklists per agency. FS-ISAC integration for the threat-sharing examiners now expect.

FFIEC Dashboard

CAT + handbook posture

Per-domain CAT maturity, top open statements, examination countdown, FS-ISAC sharing rate.

IT Handbook Library

All booklets pre-loaded

Architecture · Operations · BCP · InfoSec · Outsourcing · Audit · Management · Development & Acquisition · Wholesale Payment Systems · Retail Payment Systems · E-Banking · FedLine.

CAT Maturity Scoring

All 494 statements

Per-statement scoring (Baseline → Innovative). Per-domain composite. Trend across cycles.

Authentication Supplement

Layered authentication + risk-based

FFIEC Authentication Supplement covering customer authentication + transaction monitoring.

FS-ISAC Integration

Threat sharing examiners expect

Ingest threat intelligence from FS-ISAC. Examiner-visible audit trail of intelligence consumption.

Examiner Checklists

Per-agency artifact requests

Pre-loaded artifact requests per agency: OCC vs FDIC vs Fed vs NCUA vs CFPB. Organized by handbook booklet.

InTREx Prep

FDIC IT examination ready

InTREx-aligned checklist + composite rating tracker. URSIT components covered (Audit · Management · Development · Support · Acquisition).

Cross-Framework

FFIEC + NIST CSF + NIST 800-53

FFIEC CAT mapped to NIST CSF 2.0 functions; handbook controls cross-walked to NIST 800-53.

Continuous Monitoring

Board cyber reporting

Quarterly cyber-risk reports for board cyber-risk committees per FFIEC oversight expectations.

BCP Module

Business Continuity booklet

BCP planning, testing, RTO/RPO tracking, third-party BCP coordination.

Vendor Risk

Outsourcing booklet alignment

FFIEC outsourcing-risk requirements: due diligence, contract, ongoing monitoring, termination.

Audit Trail

Examiner-grade

Timestamped log for every score change, evidence upload, examination response. Admissible for regulator review.

FFIEC CAT · 5 domains

From Baseline to Innovative.

The Cybersecurity Assessment Tool (CAT) scores 494 statements across 5 domains. Each statement has 5 maturity tiers: Baseline, Evolving, Intermediate, Advanced, Innovative. Examiners use CAT scoring to gauge cybersecurity maturity and to drive examination focus. RiskWatch ships with all 494 statements + tier scoring + per-domain composite + cross-mapping to FFIEC handbook booklets.

  • D1 · Cyber Risk Management & Oversight: governance, risk management, resources, training, culture
  • D2 · Threat Intelligence & Collaboration: threat intelligence, monitoring & analyzing, information sharing
  • D3 · Cybersecurity Controls: preventative, detective, corrective controls
  • D4 · External Dependency Management: connections, relationship management
  • D5 · Cyber Incident Management & Resilience: planning, detection, response & mitigation, escalation, resilience
[Dashboard panel: FFIEC CAT · 5 domains · maturity. D1 Cyber Risk Mgmt + Oversight 92% · D2 Threat Intelligence & Collaboration 84% · D3 Cybersecurity Controls 78% · D4 External Dependency Management 76% · D5 Cyber Incident Mgmt & Resilience 80% · AS FFIEC Authentication Supplement 88% · BCP Business Continuity booklet 90% · OUT Outsourcing risk booklet 82%]

Cross-framework leverage

FFIEC + NIST CSF 2.0 + NIST 800-53.

FFIEC CAT statements cross-walk to NIST CSF 2.0 functions and NIST 800-53 r5 controls. Banks running FFIEC alongside SOC 2, PCI DSS, or GLBA Safeguards see overlap of 70-80%. RiskWatch maps every CAT statement and handbook booklet to its NIST counterpart.

  • NIST CSF 2.0: CAT D1 → CSF Govern; D2 → Identify; D3 → Protect/Detect; D4 → Govern.SC; D5 → Respond/Recover
  • NIST 800-53 r5: handbook controls map to 800-53 control families
  • PCI DSS v4.0.1: for payment-handling banks
  • GLBA Safeguards Rule: non-bank FIs and covered institutions
  • NYDFS Part 500: for NY-licensed FIs

5 examiner agencies

Each asks differently.

OCC (national banks)

IT Risk Management Examination Procedures · supervisory framework

FDIC (community banks)

InTREx examination · URSIT composite rating · Audit/Mgmt/Dev/Support/Acquisition

Federal Reserve (BHCs)

Bank Holding Company supervision · IT examinations

NCUA (credit unions)

ACET (Automated Cybersecurity Evaluation Toolbox) · examiner procedures

How it works

From CAT baseline to examination-ready in five stages.

Most banks complete CAT scoring in their first 4 weeks. Continuous CAT updates keep maturity current between examinations.

Stage 01 · Week 1-2

Score CAT baseline

All 494 statements scored Baseline → Innovative. Per-domain composite calculated.

Stage 02 · Week 3-6

Map handbook booklets

Architecture · Operations · BCP · InfoSec · Outsourcing booklets reviewed; controls implemented per booklet.

Stage 03 · Continuous

FS-ISAC + threat sharing

Ingest threat intelligence. Document consumption. Quarterly cyber briefing for board.

Stage 04 · Pre-exam (90 days out)

Examiner artifact prep

Per-agency artifact pack assembled. Examiner-aligned narrative review. Pre-exam tabletop walkthrough.

Stage 05 · On-demand

Examination response

Examiner artifact requests answered with documented evidence. Composite rating assigned. Findings addressed in 30-day plan.

Customer stories

The FDIC InTREx that finished in 5 days, not 8 weeks.

Real community banks. Real CAT maturity scores. Real composite ratings.

The pre-loaded OCC artifact checklist saved us 200 hours on our last exam. Examiner asked for what we already had, in the format he wanted it.
Theresa C.
CISO · Community bank · 1,800 employees · OCC-supervised
  • CAT composite: Advanced (↑ from Intermediate)
  • InTREx prep: ↓ 75% (8 weeks → 2 weeks)
  • Time-to-deploy: 5 weeks (first CAT cycle)

FS-ISAC integration was the win. Our examiner explicitly asked for evidence of threat-intelligence consumption. We had it timestamped.

Bryan D.
VP IT · Credit union · 600 employees

CAT scoring used to be a quarterly fire drill. Now it's continuous. Examiner saw a current Advanced maturity, not a stale Intermediate.

Rita V.
ISO · Regional bank · 4,200 employees
Cross-mapped frameworks

Plus every framework banks run alongside FFIEC, cross-mapped.

Score one CAT statement, satisfy NIST CSF, NIST 800-53, GLBA, NYDFS 500. Most regulated banks run 4-5 frameworks simultaneously.

  • FFIEC IT Handbook: 12+ booklets
  • FFIEC CAT: 494 statements · 5 domains
  • FFIEC Authentication Supplement: layered auth + risk-based
  • InTREx (FDIC): community bank exam
  • ACET (NCUA): credit union eval
  • NIST CSF 2.0: cross-mapped
  • NIST 800-53 r5: federal control catalog
  • GLBA Safeguards Rule: bank infosec program
  • NYDFS Part 500: NY licensed FIs
  • PCI DSS: payment-handling
  • BSA/AML: Bank Secrecy Act
  • OCC 2013-29: third-party risk
  • SOX 404: listed banks
  • +20 more: custom on request

Free resources

Take RiskWatch home before you sign anything.

Three downloads. Build the FFIEC examination readiness business case.

FFIEC CAT 5-Domain Maturity Checklist (PDF · 32 pages · CAT-aligned)

Thirty-two pages walking all 5 CAT domains with the 494 statements, tier-scoring rubric, and per-domain composite calculator.

  • All 494 CAT statements
  • 5-tier scoring rubric
  • Per-domain composite calculator

FFIEC Examiner Artifact Lists (Excel · 5-agency artifact tracker)

Pre-loaded artifact requests per FFIEC agency: OCC, FDIC, Federal Reserve, NCUA, CFPB. Organized by handbook booklet.

  • 5-agency artifact tracker
  • Per-booklet organization
  • Examiner-aligned narrative templates

FFIEC Platform Buyer's Guide (2026 Vendor Comparison · 20-page PDF)

Vendor scorecard, CAT-tracking depth, FS-ISAC integration, examiner-checklist coverage, pricing.

  • Feature matrix · 6 vendors
  • Examiner alignment scorecard
  • Pricing benchmarks
FAQ

Common questions, answered up front.

About FFIEC IT examinations, CAT maturity, the Authentication Supplement, InTREx, and how RiskWatch covers all of them.

What is FFIEC compliance software?
FFIEC compliance software is a platform that helps banks, credit unions, savings associations, and bank holding companies prepare for and pass IT examinations conducted by the FFIEC member agencies: OCC, FDIC, Federal Reserve, NCUA, and CFPB. It centralizes the FFIEC IT Examination Handbook booklets (Architecture, Operations, BCP, InfoSec, Outsourcing, Audit, Management, Development & Acquisition), the Cybersecurity Assessment Tool (CAT) maturity scoring across 5 domains and 494 statements, the FFIEC Authentication Supplement, and the documentation that examiners request during examinations.
How does the Cybersecurity Assessment Tool (CAT) work?
The CAT scores 494 statements across 5 domains: Cyber Risk Management & Oversight, Threat Intelligence & Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management & Resilience. Each statement has 5 maturity tiers (Baseline, Evolving, Intermediate, Advanced, Innovative). Examiners use CAT scoring to gauge cybersecurity maturity. Most banks should target Advanced overall with Innovative on critical domains.
How do FFIEC examination agencies differ?
Each FFIEC agency examines its own regulated entities with its own procedures: OCC examines national banks; FDIC examines state non-member banks via InTREx (Information Technology Risk Examination); Federal Reserve examines bank holding companies and state member banks; NCUA examines credit unions via ACET; CFPB focuses on consumer financial services. The IT Handbook booklets are shared but examination procedures vary by agency. RiskWatch ships pre-loaded artifact checklists per agency.
What is InTREx?
InTREx (Information Technology Risk Examination) is the FDIC's framework for examining IT risk at state non-member banks. It uses URSIT composite rating components: Audit, Management, Development & Acquisition, Support & Delivery. The FDIC's OIG flagged in 2023 that InTREx itself has gaps; examiners are pushing for stronger documentation and threat-sharing evidence. RiskWatch maps to URSIT components.
Is there a free trial?
Yes. The 30-day free trial includes full access: all FFIEC IT Handbook booklets, all 494 CAT statements, the Authentication Supplement, FS-ISAC integration, per-agency artifact checklists, and cross-mapping to NIST CSF + NIST 800-53.
Ready for your next IT examination?

Score your CAT this week. All 494 statements.

Start a 30-day free trial with all FFIEC IT Handbook booklets, CAT maturity, Authentication Supplement, FS-ISAC integration, and per-agency artifact checklists. No credit card required.

No credit card required · 30-day free trial · Cancel anytime
