FFIEC Phishing Awareness Training Requirements (2026)
FFIEC examinations are the load-bearing supervisory event for banks, credit unions, savings associations and other US-regulated depository institutions. The Information Security booklet of the FFIEC IT Examination Handbook is what examiners read before they show up; it is the operational checklist the institution is measured against. The awareness-training section is short on prescriptive language and long on outcomes - examiners want to see a working program with year-over-year evidence, not a policy on a shelf.
This post translates the FFIEC Information Security booklet expectations into a working phishing simulation program: where the prescriptive language lives, what the Cybersecurity Assessment Tool (CAT) measures, what evidence federal banking examiners want and how the requirements layer with NYDFS Part 500, OCC Heightened Standards and the GLBA Safeguards Rule for institutions in scope of multiple frameworks.
Where FFIEC's awareness-training expectations live
The primary text is the Information Security booklet of the FFIEC IT Examination Handbook, specifically the section on "Security Awareness and Training Programs." The expectations:
- A documented program covering all personnel with access to information systems
- Training delivered at least annually with role-based reinforcement for privileged users
- Periodic testing of awareness through phishing simulations or equivalent mechanisms
- Documented response when training reveals deficiencies
- Board (or designated risk committee) oversight of the program
Each expectation is short. Each is also load-bearing under examination - examiners ask for evidence against every line.
The Cybersecurity Assessment Tool (CAT) maturity ladder
FFIEC's CAT is the operational ladder examiners use to score programs. The five maturity tiers for awareness and training:
| Tier | What separates this tier |
|---|---|
| Baseline | Annual training delivered; documented; covers all personnel |
| Evolving | Continuous training cadence with periodic phishing tests |
| Intermediate | Role-based content; phishing simulation results tied to risk metrics; remediation training assigned |
| Advanced | Behavior-based program with measurable click-rate decline; threat-aligned simulation content |
| Innovative | Adaptive content driven by integrated threat intelligence; per-user risk scoring |
Most regulated institutions target Intermediate or Advanced for cyber-resilience expectations. The gap between Baseline and Intermediate is closed primarily by adding continuous phishing simulation with auto-assigned remediation training - no other single program change moves an institution that far up the ladder.
What examiners actually want in the workpaper packet
The standard examination workpaper request:
- Board-approved written policy - board (or designated risk committee) approval is non-negotiable. A policy approved only at officer level is a frequent finding even when the program is otherwise mature.
- Curriculum and risk mapping - the training content with documented mapping to the institution's risk profile (wire-fraud, ACH-impersonation, retail-customer-impersonation, vendor-impersonation patterns).
- Training delivery records - per-user completion records with timestamps for the examination cycle.
- Phishing simulation results - campaign-by-campaign records over the cycle (typically 12-18 months); click rate, training assignment rate, completion rate.
- Threshold-exceedance documentation - events where click rate exceeded the institution's defined threshold and the program response. Examiners increasingly weight this as a maturity indicator.
- Remediation evidence for prior-exam findings - if a prior examination identified gaps, the workpaper packet shows what changed and the supporting evidence.
How FFIEC differs from neighboring frameworks
For institutions running multiple compliance programs, the differences relative to the most-overlapping frameworks:
- vs. SOC 2 - SOC 2 evidence (TSC mapping, completion records, effectiveness measurement) substantively satisfies FFIEC awareness expectations. FFIEC examiners are typically more demanding on board-approval evidence and year-over-year trend analysis than SOC 2 auditors. Many institutions that pass SOC 2 have findings on FFIEC examination because the same evidence is presented less rigorously.
- vs. PCI DSS 4.0 - PCI 4.0 added continuous-testing language that aligns well with FFIEC expectations. Institutions that satisfy PCI 4.0 typically satisfy FFIEC, but PCI scope is narrower (cardholder data environment); FFIEC scope is the full institution.
- vs. GLBA Safeguards Rule (16 CFR 314) - Safeguards Rule applies more broadly (auto dealers offering financing, mortgage brokers, etc.) and is enforced by FTC. FFIEC supervises depository institutions specifically with more prescriptive examination guidance. Banks subject to both effectively need to satisfy the FFIEC bar; GLBA is satisfied as a byproduct.
- vs. NYDFS Part 500 - NYDFS Part 500.14 (amended 2023) explicitly added phishing-attack training language. NYDFS examiners are typically more aggressive on annual-training-completion documentation than FFIEC. Institutions operating in New York need to satisfy both; the program design is the same but the evidence packet is sliced for each examination type.
- vs. OCC Heightened Standards (12 CFR 30 Appendix D) - applies to large-bank covered institutions; embeds awareness training as a component of operational risk under the broader risk-governance framework. Heightened-standards institutions need to demonstrate the awareness program is integrated with operational risk reporting, not just a standalone artifact.
Common findings in awareness-training examination workpapers
Patterns that show up repeatedly in FFIEC examination findings:
- Policy approved at officer level rather than board or designated risk committee
- Annual-only phishing testing - examiners increasingly write findings against "tested annually" programs as below the implicit standard
- Training delivery documented but no documented response to threshold-exceedance events
- Phishing simulation results not tied to the institution's risk profile (generic templates only)
- Prior-exam findings not visibly remediated in the current workpaper packet
- Role-based training documented but not differentiated for privileged users
- Vishing / SMS phishing not addressed in the program (FFIEC supplements have explicitly raised this expectation)
Each is procedural, not technical. The platform produces the records; the program design and policy specify what to do with them.
The practical program shape that satisfies FFIEC
For a typical regional bank or credit union:
- Monthly phishing simulation across categories matching the institution's risk profile (wire-fraud, ACH-impersonation, retail customer impersonation, vendor-impersonation, credential phishing for M365/Workspace)
- Multi-channel coverage - email + SMS + voice. Vishing is no longer optional given recent FFIEC supplement language.
- Auto-assigned remediation training tied to lure category
- Quarterly board (or risk committee) reporting with click-rate trend, training completion, threshold-exceedance documentation
- Annual comprehensive training module covering policy, incident response procedures and reporting channels
- Role-based reinforcement for treasury, IT admins, executives and customer-service staff handling sensitive transactions
That program shape advances most institutions to Intermediate or Advanced on the CAT maturity ladder and produces the workpaper evidence examiners want without requiring separate effort.
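The campaign-by-campaign metrics the workpaper packet asks for (click rate, training assignment rate, completion rate, threshold-exceedance events) and the quarterly board trend the program shape above calls for are straightforward to produce from simulation records. The script below is an added example, not code from the original post or from Bait & Phish; the campaign records, the 10% click-rate threshold and the remediation-module names are constructed for illustration. It rolls monthly campaigns up by quarter, flags campaigns that exceeded the threshold, and reports the quarter-over-quarter click-rate change examiners look for.

```python
"""Phishing-simulation metrics for an FFIEC-style board packet (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    sent_on: str            # ISO date the lure was delivered
    lure_category: str      # should match the institution's risk profile
    targeted: int           # users who received the lure
    clicked: int            # users who clicked / submitted credentials
    training_assigned: int  # remediation training auto-assigned to clickers
    training_completed: int # of those assigned, how many completed it


# Constructed sample records; not data from any real institution.
SAMPLE_CAMPAIGNS = [
    Campaign("C-2025-01", "2025-01-15", "wire-fraud", 400, 52, 52, 48),
    Campaign("C-2025-02", "2025-02-12", "vendor-impersonation", 400, 36, 36, 35),
    Campaign("C-2025-03", "2025-03-19", "credential-phishing", 410, 29, 29, 29),
    Campaign("C-2025-04", "2025-04-16", "ach-impersonation", 410, 24, 24, 22),
    Campaign("C-2025-05", "2025-05-14", "sms-smishing", 415, 45, 45, 40),
    Campaign("C-2025-06", "2025-06-18", "wire-fraud", 415, 18, 18, 18),
]

# Hypothetical mapping from lure category to the remediation module it triggers.
REMEDIATION_MODULE = {
    "wire-fraud": "Wire request verification",
    "ach-impersonation": "ACH change-of-account controls",
    "vendor-impersonation": "Vendor identity verification",
    "credential-phishing": "Recognising credential harvest pages",
    "sms-smishing": "SMS and voice phishing",
}


def rate(numerator, denominator):
    """Safe ratio: a campaign with no clicks has no assignment rate to divide by."""
    return 0.0 if denominator == 0 else numerator / denominator


def campaign_metrics(c):
    """Per-campaign figures the workpaper packet asks for."""
    return {
        "campaign_id": c.campaign_id,
        "lure_category": c.lure_category,
        "remediation_module": REMEDIATION_MODULE.get(c.lure_category, "General awareness"),
        "click_rate": rate(c.clicked, c.targeted),
        "training_assignment_rate": rate(c.training_assigned, c.clicked),
        "training_completion_rate": rate(c.training_completed, c.training_assigned),
    }


def threshold_exceedances(campaigns, threshold):
    """Campaigns whose click rate exceeded the institution's defined threshold."""
    return [m for m in map(campaign_metrics, campaigns) if m["click_rate"] > threshold]


def quarter_of(iso_date):
    month = int(iso_date[5:7])
    return f"{iso_date[:4]}-Q{(month - 1) // 3 + 1}"


def quarterly_report(campaigns, threshold):
    """Quarterly roll-up with trend and threshold-exceedance list for the board packet."""
    by_quarter = defaultdict(list)
    for c in campaigns:
        by_quarter[quarter_of(c.sent_on)].append(c)

    report, prev_rate = [], None
    for quarter in sorted(by_quarter):
        cs = by_quarter[quarter]
        targeted = sum(c.targeted for c in cs)
        clicked = sum(c.clicked for c in cs)
        assigned = sum(c.training_assigned for c in cs)
        completed = sum(c.training_completed for c in cs)
        click_rate = rate(clicked, targeted)
        report.append({
            "quarter": quarter,
            "campaigns": len(cs),
            "click_rate": click_rate,
            # Quarter-over-quarter change; negative means the click rate declined.
            "click_rate_change": None if prev_rate is None else click_rate - prev_rate,
            "training_assignment_rate": rate(assigned, clicked),
            "training_completion_rate": rate(completed, assigned),
            "threshold_exceedances": [m["campaign_id"] for m in threshold_exceedances(cs, threshold)],
        })
        prev_rate = click_rate
    return report


if __name__ == "__main__":
    for row in quarterly_report(SAMPLE_CAMPAIGNS, threshold=0.10):
        change = "n/a" if row["click_rate_change"] is None else f"{row['click_rate_change']:+.1%}"
        print(f"{row['quarter']}: click {row['click_rate']:.1%} ({change}), "
              f"assigned {row['training_assignment_rate']:.0%}, "
              f"completed {row['training_completion_rate']:.0%}, "
              f"exceedances {row['threshold_exceedances']}")
```

Each quarter's `threshold_exceedances` list is the starting point for the threshold-exceedance documentation: every listed campaign should have a written program response filed beside it, and the `click_rate_change` column over four or more quarters is the year-over-year trend the board packet needs.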
For finserv buyers in the broader financial-services context
Banks and credit unions operate within a layered regulatory environment that goes well beyond FFIEC alone. The financial-services phishing awareness deep-dive covers the broader stack - trading-desk specific lures, treasury wire-fraud patterns, PCI DSS 4.0 if cardholder data is in scope, and the cyber-insurance angle that has become a load-bearing renewal consideration. For non-bank financial entities (auto dealers offering financing, mortgage brokers, money services businesses), the GLBA Safeguards Rule applies but FFIEC does not - the program design overlaps but the examiner is FTC, not OCC/FDIC/NCUA.
Where Bait & Phish fits
Bait & Phish is built for the operational profile FFIEC examiners look for: continuous monthly phishing simulation across email, SMS and voice; auto-assigned remediation training when users click; quarterly trend reports exportable to PDF for the board packet; per-user completion records with timestamps for examination workpaper. The 15+ years of operating history matters here - FFIEC-supervised institutions value vendors with track-record evidence over newer entrants. Start a 25-user free trial to validate the platform fits your FFIEC program design, or talk to us about a workpaper-evidence walkthrough mapped to FFIEC IS booklet sections.
This post is informational and does not constitute compliance, legal or examination advice. Specific FFIEC examination readiness, OCC/FDIC/NCUA preparation, NYDFS Part 500 scoping and GLBA Safeguards interpretation are organization-specific - consult your compliance counsel or examination preparation advisor for tailored guidance.
See also: Compliance Phishing Requirements Comparison for cross-framework evidence overlap, and CMMC for DoD suppliers as the parallel third-party-assessment-style framework on the federal-government side.