Nebraska Bankers Association

INFORMATION SYSTEM SECURITY: FFIEC INFORMATION TECHNOLOGY EXAMINATION HANDBOOK

I. INTRODUCTION

This article is a summary of several guidance documents for examiners, financial institutions and technology service providers, issued by the Federal Financial Institutions Examination Council (FFIEC) throughout 2003 and 2004. These guidance documents revised and replaced, through a series of updates, material originally published in the 1996 FFIEC Information Systems Examination Handbook (“1996 Handbook”). They address technological changes that have been made since 1996 and incorporate a risk-based examination approach. The entire collection comprises the new FFIEC Information Technology (IT) Examination Handbook. The chart below lists the revisions.

| Current FFIEC Information Technology Examination Booklets | Rescinds FFIEC Information Systems Examination Handbook (1996 Version) |
|---|---|
| Management (Issued July 2004) | Chapters 9 & 11 |
| Outsourcing Technology Services (Issued July 2004) | Chapter 22 |
| Development and Acquisition (Issued May 2004) | Chapter 12 |
| Information Security (Issued January 2003) | Chapters 14-16 |
| Supervision of Technology Service Providers (Issued May 2003) | Chapters 2-7 |
| Business Continuity Planning (Issued May 2003) | Chapter 10 |
| Audit (Issued September 2003) | Chapter 8 |
| Electronic Banking (Issued September 2003) | Not Applicable |
| FedLine (Issued September 2003) | Chapter 19 |
| Retail Payment Systems (Issued March 2004) | Chapters 20 and 21 |
| Operations (Issued August 2004) | Chapters 13 and 17 |
| Wholesale Payment Systems (Issued August 2004) | Chapter 18 |

II. SUMMARY OF FFIEC INFORMATION TECHNOLOGY EXAMINATION HANDBOOK REVISIONS IN 2003-04

The first in a series of updates to the 1996 Handbook, the Information Security Booklet is to be used in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. Since the safety and soundness of financial institutions and the privacy of customer information depend on the security practices of individual institutions, the Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. In the booklet, the FFIEC advises financial institutions and technology service providers (TSPs) to maintain effective security programs, tailored to the complexity of their operations.

The Business Continuity Planning Booklet presents both guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. Financial institutions must have plans to respond to adverse events, e.g., natural disasters, technological failures, human error and terrorism. Business continuity planning means that financial institutions must be prepared and able to restore information systems, operations and customer services quickly after an adverse event, so that business operations remain resilient and customer service disruptions are minimal.

The supervision and examination of services performed for financial institutions by technology service providers is outlined in the Supervision of Technology Service Providers Booklet. The FFIEC, in keeping with a risk-based supervision approach, discusses the federal regulatory supervisory process and examination ratings that would be utilized for technology service providers. The FFIEC guidance emphasizes that both the management and the board of directors of each financial institution have the ultimate responsibility to ensure that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. Note that the management of outsourced relationships is covered in depth in a booklet on Outsourcing Technology Services (see below).

The E-Banking Booklet is a guide to the risks involved in and the risk management practices applicable to a financial institution’s electronic banking (“e-banking”) activities. While e-banking has created opportunities for the delivery of traditional financial products and services to customers and allows for expanded opportunities for new products and services, there are many challenges that potentially involve risks or threats to a financial institution’s reputation, confidentiality of information, system and data integrity, system availability and regulatory compliance. These challenges include: 24-hour, seven-day-a-week availability; internet connectivity; increased access to systems and customer information; greater reliance on new service providers; and evolving regulations. Potential, new or increased risks that may accompany the delivery of these products and services mean that a financial institution’s e-banking activities require “careful planning, coordinated strategies between IT and business units, integrated subject matter expertise, strong controls and ongoing monitoring and testing,” according to the FFIEC. The booklet is designed to include guidance and examination procedures that evaluate the quality of risk management related to risks, threats and activities in financial institutions and their technology service providers.

The Audit Booklet is a guide to risk-based IT audit practices of financial institutions and technology service providers, which is supplemental to federal regulatory agencies’ existing audit guidance. In the booklet, the FFIEC emphasizes the responsibilities of all levels of an institution’s management and board of directors to establish a sound audit program. Changes to the audit process due to legislation enacted since 1996 (e.g., Gramm-Leach-Bliley Financial Modernization Act of 1999 and the Sarbanes-Oxley Act of 2002) are covered in the booklet.

Appropriate control considerations for financial institutions using the Federal Reserve’s “FedLine” application are covered in the FedLine Booklet. Since FedLine provides community financial institutions with access to the Federal Reserve’s Fedwire services to receive and send payment messages, the FFIEC states that such access to this payment system must be protected. Therefore, financial institutions are responsible for ensuring both security and availability. The booklet covers those policies and procedures necessary to operate FedLine in a safe and sound manner, with detailed guidance on physical security, system configuration and system parameter settings.

The Retail Payment Systems Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ retail payment system activities, including checks, card-based electronic payments and other electronic payment media, e.g., person-to-person, Electronic Benefits Transfer and the Automated Clearinghouse. The booklet also contains examination procedures to evaluate the quality of risk management related to risks and activities in financial institutions and technology service providers. Acknowledging the important role that financial institutions play in retail payment systems, the FFIEC warns that technological innovations also present increased risks that challenge institutions and that require greater diligence to ensure the confidentiality of information, system and data integrity, system availability and regulatory compliance. Federal banking regulators agree, in this guidance, that retail payment system activities require careful planning, coordinated strategies between IT and business units, strong internal controls and ongoing monitoring.

Guidance on development, acquisition and maintenance projects, project risks and project management techniques is covered in the Development and Acquisition Booklet. Emphasis is placed on the use of “standardized policies, detailed plans and well-structured project management techniques” when directing project activities and controlling project risks. The guidance advises that effective development and acquisition should result in sound information systems that provide “specific functionality, consistent reliability and strong security.”

The purpose of the Management Booklet is to provide guidance on the risks and risk-management practices applicable to financial institutions’ information technology activities. The regulators maintain that sound information technology management is critical to the performance and success of a financial institution and that the alignment of information technology activities to support the institution’s business strategies adds value and positions the institution for sustained success. FFIEC agencies insist that a financial institution’s board of directors and executive management must understand and take responsibility for information technology management as a critical component of overall strategic planning and corporate governance efforts. This booklet rescinds Chapter 9 “Management” and Chapter 11 “Management Information Systems (MIS) Review” of the 1996 Handbook.

The Outsourcing Technology Services Booklet is a guide on the risks and risk-management practices applicable to financial institutions’ outsourcing of information technology activities, including: service provider selection; contract issues; and ongoing monitoring of the relationship. Guidance on risks and risk-management issues specifically regarding foreign service providers is included. The regulators maintain that outsourcing does not relieve a financial institution’s management and board of directors of their responsibility to ensure that the institution’s data are processed in a secure environment and to maintain data integrity. The FFIEC guidance emphasizes that ongoing monitoring of any outsourcing relationship is crucial to ensure that: key terms of service level agreements are followed; confidentiality of information is safeguarded; and operational stability is maintained. The Outsourcing Technology Services Booklet replaces and rescinds the FFIEC guidance Risk Management of Outsourced Technology Services dated November 28, 2000, as well as the Office of the Comptroller of the Currency’s Advisory Letter (AL 2000-12) entitled Risk Management of Outsourcing Technology Services.

The Operations Booklet, published August 26, 2004, is a guidance that covers the risks and risk management practices applicable to financial institutions' technology operations. The FFIEC notes that effective support and delivery from information technology (IT) operations are important for a financial institution's performance and success and that the evolving role that technology plays in supporting the business function increases in complexity, e.g., IT operations are more dynamic and include distributed environments, integrated applications, telecommunications options, Internet connectivity and an array of computer platforms. The Operations Booklet covers tactical and strategic support as well as delivery risks and controls that should be implemented. The guidance contains examination procedures to be used by regulators in evaluating the quality of risk management related to such activities in financial institutions and technology service providers.

Also released on August 26, 2004, the Wholesale Payment Systems Booklet is a guidance addressing risks and risk management practices for financial institutions’ wholesale payment systems activities, e.g., interbank and intrabank payment, messaging and securities settlement systems. Acknowledging that financial institutions play an important role in wholesale payment systems, the FFIEC notes that such institutions are confronted with increased “challenges to meet demands for resiliency and reliability, while continuing to develop and deploy innovative payment solutions to meet expanding global payment processing demands.” Such challenges mean increased risks requiring more diligence to maintain confidentiality of information, system and data integrity, system availability and compliance with regulations. In conducting wholesale payment system activities, the FFIEC guidance advises financial institutions to conduct planning and coordination between IT and business units, including strong internal controls and ongoing monitoring in operations. Regulatory examination procedures, used to evaluate the quality of risk management related to wholesale payment system activities in financial institutions and technology service providers, are included in the booklet.

III. ELECTRONIC ACCESS TO THE BOOKLETS

FFIEC financial regulatory agencies have separately noted that the booklets may be accessed via the Internet at the FFIEC’s “InfoBase” application, which includes each booklet in PDF file format, as well as an online version with links to various resource materials and an orientation to the handbook update process. The electronic versions of both the revised FFIEC Information Technology (IT) Examination Handbook and the original 1996 Information Systems Examination Handbook are available at http://ithandbook.ffiec.gov/it-booklets.aspx.

IV. CONCLUSION

Chapters 1 through 23 of the 1996 Handbook were rescinded with the issuance of the revised booklets. Chapters 24 and 26 through 30 contained laws and guidance related to the topic of IT as issued by the regulators. Note that with the issuance of the FFIEC Information Technology Examination Handbook, the following Supervisory Policies (SP) found in Chapter 25 of the old 1996 Handbook are rescinded:

SP-2 (Uniform Interagency Rating System for Data Processing Operations, October 1978); SP-3 (Joint Interagency Issuance on End-User Computing Risks, January 1988); SP-4 (Supervisory Policy On Large Scale Integrated Financial Software Systems, November 1988); SP-5 (Interagency Policy On Contingency Planning For Financial Institutions, July 1989); SP-6 (Interagency Statement on EDP Service Contracts, January 1990); SP-7 (Interagency Policy on Strategic Information Systems Planning for Financial Institutions, March 1990); SP-8 (Interagency Document on EDP Risks in Mergers & Acquisitions, September 1991); SP-9 (Interagency Supervisory Statement on EFT Switches and Network Services, April 1993); and SP-10 (Control And Security Risks in Electronic Imaging Systems, December 1993).

The two remaining SPs, SP-1 (Interagency EDP Examination, Scheduling and Distribution Policy, September 1991, Revised) and SP-11 (Enhanced Supervision Program for Multidistrict Data Processing Servicers, January 1995) may be found in the Supervision of Technology Service Providers Booklet, under “Resources” in the FFIEC Information Technology Examination Handbook.

Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508