FFIEC Exam Cycle · Banking

What FFIEC Examiners Are Flagging on Scan-to-Email in 2026

Five examiner-cycle patterns from the 2026 FFIEC exam season. None named scan-to-email. All flagged it. The five-minute self-test you can run before your next exam.

Author: Karl Falk, CEO, Botdoc
Published:
Reading time: ~8 min

Three banks asked me the same question this quarter.

"If our scan-to-email gap is real, why hasn't our audit firm asked about it yet?"

The answer is structural, not negligence. And the structure changed in 2026 in a way most banks haven't tracked.

Across the 2025-2026 FFIEC exam cycle, five examiner patterns are surfacing the scan-to-email gap. None of the examiners are filing findings under "scan-to-email." All five findings, when read carefully, are flagging the same path. This post walks through what those patterns are, why they map to scan-to-email even when the term is not used, and the five-minute self-test you can run before your next exam.

1. Asset inventory completeness

The FFIEC AIO (Architecture, Infrastructure, and Operations) booklet, published in June 2021, introduced a level of asset-inventory specificity that the older Information Security booklet did not have. The newer booklet expects an institution to enumerate networked devices that originate or transmit customer information. That includes multifunction printers.

What examiners are flagging in 2026: an asset inventory that does not list the bank's MFP fleet by model and firmware version. The finding goes in under asset inventory completeness. The underlying control failure is that the device class is invisible to the institution's security program.

Most community banks treat MFPs as facilities-managed devices. They show up in the print-MSP billing report. They do not show up in the IT asset inventory. The split is rational, until the AIO booklet arrives. Architecture as asset is the lesson the Cl0p MFT case reinforced for centralized products. The same lesson applies one layer down to the device fleet.

2. Encryption-in-transit demonstrability

GLBA Safeguards Rule 16 CFR 314.4(d) requires encryption in transit. The 2026 examiner read on this control is no longer satisfied with policy-level attestations. The newer expectation is that the institution can produce evidence of TLS negotiation on device-originated traffic during testing.

What examiners are flagging in 2026: "institution unable to produce evidence of TLS negotiation on device-originated traffic." Phrased that way, the finding does not name scan-to-email. It names a missing log. The log is missing because the device's mail-relay traffic is not going through the institution's TLS-enforcing email gateway. It is going direct from the device.

The substance of the finding is similar to 2024-era findings on encryption controls. The bar is different. The 2026 finding requires logs, not policy.

3. Sender authentication

Scan-to-email on most older MFP deployments uses a default SMTP-AUTH credential stored on the device, often shared across the entire fleet. The credential is recoverable from the device's configuration backup, which some firmware versions print as plain text. Several active CVEs sit on this exact path. The CVE breakdown covers the specific exploit chains.

Auditors and FFIEC examiners reading the 2026 cycle are probing sender authentication as a discrete control, not as part of email security generally. A device that authenticates to the institution's mail relay using a single shared credential, with no per-device or per-user identity, fails this control even when no examiner names "scan-to-email."

This pattern catches more institutions than the prior two combined. The credential model on most MFP fleets predates current sender-authentication expectations.

4. DLP coverage

Most institutions deploy data-loss-prevention controls on outbound email through the corporate email gateway. The control register for DLP almost always reads "outbound email scanning enforced." That is true for traffic flowing through the gateway.

What it is not true for: traffic that bypasses the gateway. MFP scan-to-email frequently bypasses, because the device is configured to relay through a mail server directly, sometimes through a configuration set up years ago by a copier vendor or facilities contractor. The DLP control, as registered, is operating effectively. The traffic class it does not see is invisible to it.

The 2026 examiner question is not "do you have DLP?" The question is "does your DLP see all customer-information transmission paths?" The answer for most community banks is "all that we know about."

5. Vendor-management documentation

FFIEC vendor-management expectations, codified in the Outsourcing Technology Services booklet and reinforced in 2025-2026 examiner guidance, expect institutions to maintain documentation of third-party data-handling. Print-MSP and copier-OEM relationships frequently fall outside the institution's vendor-management register because the print contract is owned by Facilities, not IT or Compliance.

What examiners are flagging in 2026: an MSP relationship that handles customer-information-bearing devices but is not documented in the institution's vendor-risk-management program. The finding does not name scan-to-email. It names a missing vendor file.

What changed in 2026

Three independent signals converged.

First, the AIO booklet language is now load-bearing in examiner training. Second, the CISA advisories on Cl0p MOVEit and GoAnywhere reinforced testing methodology that examiners are now applying to device-originated traffic. Third, audit-firm questionnaires for the 2026 cycle now routinely include device-level transmission-demonstrability prompts that did not exist in 2024.

The remediation language reads similar to prior years. The audit-firm read on the institution's response is different. Where a 2024 response pointing to policy controls was adequate, the 2026 response often is not. Audit firms see the new language ahead of the regulators. The auditor page on this site walks through the framework in the language audit firms and examiners are using.

The five-minute self-test

You can run a five-minute version of what your auditor or examiner will run in the next exam. Pick three devices. For each device, capture:

  • The device's mail-relay configuration (IP and port of the mail server it sends to)
  • The SMTP-AUTH mode (plaintext, CRAM-MD5, none, or stored credential)
  • The TLS negotiation status (whether the device negotiates STARTTLS or sends in cleartext)
  • The address-book LDAP query mode (whether queries go anonymous or with bound credential)
  • The credential storage in the device's configuration backup

The trace template that runs this is local. No data leaves your network. It is the same set of checks an auditor or pen tester would run, condensed for the bank IT team to run pre-exam. The full finance-vertical overview has the bank-buyer framing of this and the persona-tailored guidance.

Three devices in five minutes. If all three pass, expand the trace to ten more. If any fail, you have a documented gap to remediate ahead of the next exam, and a paper trail for your audit firm that the institution found and addressed it before they did.

The 30-minute story

One community bank ran the trace template on three devices in their main branch. The trace took 30 minutes including device access. It found that two of three devices were sending unencrypted SMTP, and the third was using a stored credential that was identical across the fleet.

What the institution's last three audit cycles had not surfaced, the trace surfaced in 30 minutes.

The remediation took two weeks. The audit-firm conversation that followed was straightforward, because the institution arrived with documented evidence of the gap and a remediation timeline. The next exam findings on encryption-in-transit and sender authentication came back clean.

Three things to do this week

First, run the five-minute self-test on three devices. The configuration data is enough to know whether you have a 2026-cycle finding waiting.

Second, read the auditor page on this site for the framework in the language your audit firm and your examiner will recognize. Send the link to your audit team.

Third, look at how your current vendor-management register handles the print MSP and copier OEM. If those relationships are not documented as vendor files, that is the cheapest 2026 finding to fix before exam day. Add the vendor records and the device list.

The 2026 exam cycle has been running since January. The patterns above are surfacing now. Better to find them on your timeline than on the examiner's.

Next step

Get the Audit Gap Handler

The 4-page field brief on why MFP scan-to-email never made the FFIEC IT examination handbook, what is changing in 2024 to 2026, and how forward-thinking institutions are closing the gap. Lands in your inbox within 60 seconds.

Get the Audit Gap Handler