The Federal Financial Institutions Examination Council (FFIEC) has issued booklets with guidance on evaluating operations and wholesale payment systems. These booklets are the last in a series of booklets comprising the FFIEC Information Technology (IT) Examination Handbook. The outdated 1996 FFIEC Information Systems Examination Handbook has been officially retired.
On August 26, 2004, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners, financial institutions and technology service providers on two topics: operations and wholesale payment systems. The two booklets - the Operations Booklet and the Wholesale Payment Systems Booklet - are the final booklets in a series of updates to the 1996 FFIEC Information Systems Examination Handbook.
The Operations Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' technology operations. Effective support and delivery from IT operations are vital to a financial institution's performance and success. The evolving role that technology plays in supporting the business function has become increasingly complex. IT operations have become more dynamic and include distributed environments, integrated applications, telecommunications options, Internet connectivity and an array of computer platforms. The booklet discusses tactical and strategic support and delivery risks, and the controls that should be in place to address them. The booklet also includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.
The Wholesale Payment Systems Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' wholesale payment systems activities, including interbank and intrabank payment, messaging and securities settlement systems. Financial institutions play an important role in wholesale payment systems. However, they face increasing challenges to meet demands for resiliency and reliability, while continuing to develop and deploy innovative payment solutions to meet expanding global-payment processing demands. These challenges pose increased risk to financial institutions and require greater diligence to ensure that confidentiality of information, system and data integrity, system availability and regulatory compliance are maintained. Wholesale-payment system activities require careful planning and coordination between IT and business units, and their operations must include strong internal controls and ongoing monitoring. The Wholesale Payment Systems Booklet includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.
These booklets are the last in a series of updates to the 1996 FFIEC Information Systems Examination Handbook (1996 Handbook). The updates address significant changes in technology since 1996 and incorporate a risk-based examination approach. The updates have been issued in separate booklets, replacing all chapters of the 1996 Handbook, and now comprise the new FFIEC Information Technology Examination Handbook.
With the release of these last two booklets, the 1996 Handbook is now completely retired. Chapters 1 through 23 of the 1996 Handbook were rescinded with the issuance of various booklets. Chapters 24 and 26 through 30 contained laws and guidance related to the topic of IT issued by various FFIEC agencies. Please refer to the resources section of the FFIEC Information Technology Examination Handbook booklets or the individual agencies' Web sites for this information.
With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded. These are:
- SP-2, Uniform Interagency Rating System for Data Processing Operations, October 1978;
- SP-3, Joint Interagency Issuance on End-User Computing Risks, January 1988;
- SP-4, Supervisory Policy on Large Scale Integrated Financial Software Systems (LSIS), November 1988;
- SP-5, Interagency Policy on Contingency Planning for Financial Institutions, July 1989;
- SP-6, Interagency Statement on EDP Service Contracts, January 1990;
- SP-7, Interagency Policy on Strategic Information Systems Planning for Financial Institutions, March 1990;
- SP-8, Interagency Document on EDP Risks in Mergers & Acquisitions, September 1991;
- SP-9, Interagency Supervisory Statement on EFT Switches and Network Services, April 1993; and
- SP-10, Control and Security Risks in Electronic Imaging Systems, December 1993.
The two remaining SPs - SP-1, Interagency EDP Examination, Scheduling, and Distribution Policy, September 1991 Revised, and SP-11, Enhanced Supervision Program (ESP) for Multidistrict Data Processing Servicers (MDPS), January 1995 - can be found under Resources in the Supervision of Technology Service Providers Booklet in the FFIEC Information Technology Examination Handbook.
The FFIEC agencies are distributing these booklets electronically to financial institutions and technology service providers via the Internet through the FFIEC's InfoBase application. The InfoBase includes each booklet in Adobe Acrobat PDF file format, as well as an online version with links to various resource materials and presentations giving an orientation to the handbook update process and each booklet.
The electronic versions of the Operations, Wholesale Payment Systems and the previously issued booklets are available at http://www.fdic.gov/regulations/information/information/FFIEC.html. For more information about the FFIEC Information Technology Examination Handbook and the topics discussed in it, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.
For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/news/financial/2004/index.html.
Michael J. Zamorski
Division of Supervision and Consumer Protection