Technology Regulations and Publications for Financial Institutions

Technology Publications

The documents referenced below are grouped by topic. Within each topic, they are listed in reverse chronological order (latest first). Documents may be listed under more than one topic heading. The hyperlink shows the format of the document, e.g. HTML, TEXT. Files marked PDF are Portable Document Format files. Adobe Acrobat, a reader available for free on the Internet, is required to display or print PDF files. This site's PDF file sizes range from 8Kb to 474Kb, with an average size of about 20 to 30Kb. You may also request a printed copy of the document.

Anti-Terrorism
Bank Secrecy Act/Anti-Money Laundering Examination Infobase
FFIEC, August 15, 2006
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005. The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions' Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Guidance for Financial Institutions on the Use of Foreign-Based Third-Party Service Providers
Federal Deposit Insurance Corporation, June 21, 2006
The FDIC has prepared the attached guidance to address the risks inherent in outsourcing relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance provides steps that institutions should take to successfully manage such risks.

Interagency Guidelines Establishing Information Security Standards: Small-Entity Compliance Guide
Joint Agency Release, December 14, 2005
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Authentication in an Internet Banking Environment
Federal Financial Institutions Examination Council (FFIEC), 10/12/2005
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice - PDF 550k
Interagency, 3/23/2005
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies' customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information.

Electronic Record Keeping
Office of the Comptroller of the Currency, 6/21/2004
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act, 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.
Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks - PDF 245k
Federal Deposit Insurance Corporation, 6/16/2004
This study presents the FDIC's findings with regard to the risks associated with offshore outsourcing (also known as "offshoring") by financial institutions, from a safety and soundness perspective and with particular emphasis on the threats posed to customer privacy.

Bank Use of Foreign-Based Third-Party Service Providers - PDF 159k
Office of the Comptroller of the Currency, 5/15/2002
This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information
Federal Deposit Insurance Corporation, 8/4/2001
Assists examiners in assessing the level of compliance with the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999. Provides the purpose of the exam procedures and guidance in performing the exam procedures. Issued as 501(b) Exam Procedures (8/24/01).

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information - PDF 131k
Office of the Comptroller of the Currency, 7/18/2001
Provides risk-based procedures that allow examiners to tailor the exam scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution. Typically, OCC examiners will use these procedures in the OCC's largest banks, which have complex IT environments or significant information security concerns, or where less experienced examiners need more detailed guidance. Issued as Examination Procedures (7/18/01).

Guidelines for Safeguarding Customer Information - PDF 651k
Joint Agency Release, 5/31/2001
The Guidelines implement Section 501 of the Gramm-Leach-Bliley Act, which requires the federal banking agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information.

Privacy Regulation Compliance - PDF 247k
Office of the Comptroller of the Currency, 5/29/2001
OCC staff responses to questions from the February 13-14, 2001, telephone seminar on Privacy Regulation Compliance. Responses to Questions on Privacy Rule Compliance (5/29/01).

Privacy of Consumer Financial Information
Joint Agency Release, 5/17/2001
Examination procedures to review supervised financial institutions for compliance with the agencies' final privacy regulation, issued at 65 FR 35162 (6/1/00) by FDIC, FRB, OCC, and OTS. The procedures summarize the basic requirements of the regulation; identify examination objectives; establish procedures for examining for compliance with the regulation; and provide an examination checklist for use in verifying compliance. Examination Procedures for Privacy Rule (5/17/01).

Guidance on Identity Theft and Pretext Calling
Federal Deposit Insurance Corporation, 5/9/2001
Addresses how banks should protect customer information against identity theft. Also included is guidance on completing Suspicious Activity Reports to report offenses associated with identity theft and pretext calling, i.e., posing as a customer or someone authorized to have customer information in order to obtain confidential customer data. Guidance on Identity Theft and Pretext Calling (5/9/01).
Joint Interpretive Letter Concerning Sharing of Account Numbers for Use in Marketing - PDF 100k
Joint Agency Release, 5/4/2001
Interagency response to a letter asking the Federal banking agencies to allow financial institutions to disclose unencrypted account numbers to a third party. (Certain information has been removed from the response to protect the privacy of the correspondent.)

Standards for Safeguarding Customer Information - PDF 651k
Joint Agency Release, 5/1/2001

Identity Theft and Pretext Calling - Word 69k
Office of the Comptroller of the Currency, 4/30/2001
Informs national banks about two areas of consumer bank fraud, identity theft and pretext calling, and advises them about measures to prevent and detect these types of fraud. Also supplements the interagency guidelines establishing standards to safeguard customer information by focusing on the protection of customer information specifically against identity theft and pretext calling. Issued as AL 2001-4.

Identity Theft and Pretext Calling
Federal Reserve Board, 4/26/2001
Addresses how state member banks and other banking organizations supervised by the FRB that provide products or services to the public or that maintain customer account information should protect customer information against identity theft. Also provides guidance on completing Suspicious Activity Reports that report offenses associated with identity theft and pretext calling. Issued as SR 01-11.

Privacy Rule Handbook
Federal Deposit Insurance Corporation, 1/25/2001
Explains basic requirements of 12 CFR Part 332 (the privacy rule described above); provides suggestions for implementing the rule to meet the July 1 deadline; suggests activities to monitor and maintain compliance; and describes in detail key terminology in the rule. (See 65 FR 35162 (6/1/00).) Privacy Rule Handbook (1/22/01).
Privacy Preparedness - Word
Office of the Comptroller of the Currency, 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See also Privacy Preparedness Questionnaire.)

Privacy Preparedness Questionnaire - Word
Office of the Comptroller of the Currency, 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01).

Privacy Preparedness Check-up - PDF
Office of Thrift Supervision, 9/18/2000
Questions to assist examiners in determining the efforts of institutional management to achieve compliance with 12 CFR 573. Privacy Preparedness Check-Up (9/18/00).

Privacy Laws and Regulations - PDF 76k
Office of the Comptroller of the Currency, 9/8/2000
Summarizes federal laws and regulations relating to disclosure of consumer financial information to help national banks and subsidiaries understand their statutory obligations. (See 65 FR 35162 (6/1/00).) Privacy Laws and Regulations (9/8/00).

Financial Institution Web Site Privacy Survey
Federal Deposit Insurance Corporation, 12/27/1999
Summarizes the Interagency Financial Institution Web Site Privacy Survey Report and encourages financial institutions to establish and follow a privacy policy that addresses fair information practice principles. Issued as FIL-113-99 (12/27/99).

Financial Institution Web Site Privacy Survey Report - PDF 231k
Joint Agency Release, 11/9/1999
Results of an interagency survey of financial institution web sites to determine the extent to which financial institution web sites post privacy policies and information practice statements. Report (11/9/99).
Electronic Commerce and Consumer Privacy
Federal Deposit Insurance Corporation, 7/17/1999
Encourages financial institutions to be aware of consumer online privacy issues and to take voluntary, specific actions to address them. Online Privacy of Consumer Personal Information (8/17/98).

OCC Guidance to National Banks on Web Site Privacy Statements
Office of the Comptroller of the Currency, 5/4/1999
Provides national banks with examples of effective practices for informing consumers who access bank Internet sites about bank privacy policies for the collection and use of personal information. Issued as AL 99-06 (5/4/99).

Privacy and Accuracy of Personal Customer Information - PDF 691k
Office of Thrift Supervision, 11/3/1998
Recommends that savings associations notify customers of how they will use certain customer information. Issued as CEO Memo 97 (11/3/98).

Pretext Phone Calling
Joint Agency Release, 9/2/1998
Alerts financial institutions to the practice of pretext phone calling, which is a means of gaining access to customers' confidential account information by organizations and individuals who call themselves account information brokers. (Jointly prepared by FDIC, OCC, OTS, FRB, FBI, Secret Service, IRS, and Postal Inspection Service.) Issued as FIL-98-98 (9/2/98). Also issued by OCC as NR 98-86 (8/20/98) and by OTS as CEO Memo 97 (11/3/98).

Draft Community Bank Supervision booklet - PDF 180k
Office of the Comptroller of the Currency
For community banks, the OCC has incorporated less detailed procedures in the Community Bank Supervision booklet of the Comptroller's Handbook. Attached is an advance copy of the IT section, which focuses on the adequacy of a bank's risk management processes and controls to promote the integrity, availability, and confidentiality of automated information systems.
E-Banking Booklet
Federal Financial Institutions Examination Council
This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls.

Electronic Banking (on-line delivery of financial services)

Authentication in an Internet Banking Environment - PDF 163k
Federal Financial Institutions Examination Council (FFIEC), 10/12/2005
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

NACHA Rule Changes
Office of the Comptroller of the Currency, 12/20/2004
The purpose of this OCC bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

Report to Congress on the Disclosure of Point-of-Sale Debit Fees - PDF
Federal Reserve Board, 11/18/2004
Reports on the disclosure of fees that a depository institution may impose when a customer chooses to secure a point-of-sale debit transaction by providing a personal identification number. Discusses the prevalence of PIN fees; the degree of compliance by depository institutions with current disclosure requirements; the adequacy of existing disclosures and the likely benefits and costs of new requirements for disclosure statements; and the feasibility of real-time disclosure.

Interagency Regulation CC Examination Procedures - PDF
Office of the Comptroller of the Currency, 10/6/2004
The Board of Governors of the Federal Reserve System recently amended 12 CFR 229, Availability of Funds and Collection of Checks (Regulation CC), which implements the Check Clearing for the 21st Century Act (Check 21). Model form C-5A in Appendix C was effective on August 4, 2004, and paragraph (4) of Appendix D will become effective on January 1, 2006. All other changes are effective on October 28, 2004. The Federal Financial Institutions Examination Council's Task Force on Consumer Compliance approved updated interagency Regulation CC examination procedures for consumer compliance issues on October 6, 2004. The OCC plans to incorporate these procedures in an update to the Comptroller's Handbook series. Until the revised handbook is issued, examiners should use the attached procedures.
The Power of Plastic: how banks are using technology to reach the unbanked, by John D. Hawke, Jr., Comptroller of the Currency
Office of the Comptroller of the Currency, 10/2004
Community Developments Newsletter. The newsletter describes strategies to provide retail financial services to underserved communities and the approximately 10 million households in the U.S. that do not have access to banking services. It also contains success stories illustrating how banks are being innovative in developing and providing the technology and financial literacy needed to reach this market.

Remittances: A Gateway to Banking for Unbanked Immigrants - PDF
Office of the Comptroller of the Currency, 9/15/2004
This edition of Community Developments Insights addresses the role of banks in providing money transfer services, and describes how banks can use these products to attract unbanked immigrants into the banking system. It also addresses some of the key risks and regulatory issues presented by bank involvement in these products. This publication also addresses a number of legal, compliance, and operational considerations that financial institutions should be aware of when offering remittance products. These include money laundering, customer identification, and third-party provider risk.

Electronic Record Keeping
Office of the Comptroller of the Currency, 6/21/2004
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act, 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.

Check Clearing For The 21st Century Act
Federal Deposit Insurance Corporation, 5/21/2004
The FDIC is notifying FDIC-supervised institutions that they should begin planning for operational changes needed to implement the Check Clearing for the 21st Century Act. The Act facilitates check truncation and electronic check exchange by authorizing a new negotiable instrument called a "substitute check."

Payroll Cards: An Innovative Product for Reaching the Unbanked and Underbanked - PDF 298k
Office of the Comptroller of the Currency, 10/1/2003
Background information on the growth of payroll cards and their potential for use by national banks to attract the nearly 10 million unbanked households into the financial mainstream.

Retail Payment Systems
Federal Financial Institutions Examination Council, 3/31/2004
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services. This booklet replaces chapters 20, "Retail EFT (ATM and POS)," and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

Network Security Vulnerabilities - Word
Office of the Comptroller of the Currency, 4/24/2001
Alerts banks to potential threats in electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software. These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. Issued as Alert 2001-4 (4/24/01).

Internet-Initiated ACH Debits/ACH Risks - Word
Office of the Comptroller of the Currency, 1/29/2001
Alerts banks to specific Automated Clearing House (ACH) risks and emphasizes the importance of sound ACH risk management practices. Banks that transmit certain Internet-initiated ACH debits will be deemed to warrant that their customers who originate the entries use security measures that meet minimum standards of the National Automated Clearing House Association. Issued as AL 2001-3 (1/29/01).

Comptroller's Corporate Manual on The Internet and The National Bank Charter - PDF 222k
Office of the Comptroller of the Currency, 1/1/2001
This booklet provides guidance on these processes and the special issues and considerations presented by proposals for these types of banks. The Internet and The National Bank Charter.

Tips for Safe Banking Over the Internet
Federal Deposit Insurance Corporation, 9/21/2000
Tips for Safe Banking Over the Internet - An FDIC Brochure for Bank Customers. This brochure offers information and tips to help bank customers who are thinking about or already using online banking systems. It describes how to:
Office of the Comptroller of the Currency, 10/14/1999
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Transactional Web Sites - PDF
Office of Thrift Supervision, 6/10/1999
Restates the requirement under 12 CFR Part 555 (described above) for savings associations to file a 30-day written notice with OTS before establishing a transactional web site, and offers guidance for developing a transactional web site. Issued as CEO Memo 109 (6/10/99).

Interagency Statement on Branch Names
Joint Agency Release, 5/1/1998
Guidance urging insured depository institutions that intend to use a different name for a branch or other facility to take reasonable steps to ensure that customers do not become confused and believe that the facilities are separate institutions or that deposits in the different facilities are separately insured. The practice of insured depository institutions using different trade names over the Internet raises the same concerns. Accordingly, institutions intending to use different trade names over a computer network should take reasonable steps to ensure that customers will not be confused about either the identity of the insured depository institution or the extent of FDIC insurance coverage.

E-Banking Booklet
Federal Financial Institutions Examination Council
This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls.

Technology Risk Controls - PDF 104k
Office of Thrift Supervision
Guidance for ensuring the integrity of data input, protecting against corruption of the data or the programming, and testing the accuracy of the output.

Electronic Disclosures
Report to Congress on the Disclosure of Point-of-Sale Debit Fees - PDF
Electronic Financial Services and Consumer Compliance

- PDF 64k
FFIEC, 7/27/2006
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual's 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 / CAN-SPAM Examination Worksheet
Federal Financial Institutions Examination Council, 3/30/2006
The Federal Trade Commission (FTC) issued regulations for implementing CAN-SPAM that became effective March 28, 2005. The FTC has also issued regulations that contain criteria pertaining to warning labels on sexually oriented materials, which became effective as of May 19, 2004. The Federal Financial Institutions Examination Council's Task Force on Consumer Compliance approved interagency consumer compliance examination procedures for both of these regulations. The OCC has posted its examination procedures.

Telephone Consumer Protection Act and Junk Fax Prevention Act / Telephone Consumer Protection Act and Junk Fax Prevention Worksheet
Federal Financial Institutions Examination Council, 3/30/2006
The Federal Communications Commission (FCC) has issued regulations implementing the modifications to the Telephone Consumer Protection Act of 1991 (TCPA). The impact of the FCC regulations is to prohibit commercial telemarketers, without an existing business relationship, from calling any phone number on the Do-Not-Call registry without being subject to financial penalties. The regulations also modify the FCC's unsolicited facsimile advertising requirements, which in turn were modified by the Junk Fax Prevention Act of 2005. The FCC regulation expanded coverage of the Do-Not-Call registry by including banks, insurance companies, credit unions, and savings associations. The corresponding FTC regulations do not apply to financial institutions but do apply to third-party telemarketers who call on behalf of a financial institution. The OCC has posted its examination procedures.

Instructions for Completing the Information Technology Examination Officer's Questionnaire
Federal Deposit Insurance Corporation, August 18, 2005
The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions. The FDIC's new risk-focused IT examination procedures focus on the financial institution's information security program and risk-management practices for securing information assets. The IT Examination Officer's Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination. The new examination procedures apply to all FDIC-supervised financial institutions, regardless of size, technical complexity, or prior examination rating. IT examination findings and a single IT "composite" rating will be included in the consolidated Risk Management Report of Examination.
FFIEC Information Technology Examination Handbook: New Guidance for Examiners, Financial Institutions and Technology Service Providers on Operations and Wholesale Payment Systems
Federal Financial Institutions Examination Council, 11/10/2004
The outdated 1996 FFIEC Information Systems Examination Handbook has been officially retired. Chapters 1 through 23 of the 1996 Handbook were rescinded with the issuance of various booklets. Chapters 24 and 26 through 30 contained laws and guidance related to the topic of IT issued by various FFIEC agencies. Please refer to the resources section of the FFIEC Information Technology Examination Handbook booklets or the individual agencies' Web sites for this information. With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded. These are: SP-2, Uniform Interagency Rating System for Data Processing Operations, October 1978. The two remaining SPs, SP-1, Interagency EDP Examination, Scheduling, and Distribution Policy, September 1991 Revised, and SP-11, Enhanced Supervision Program (ESP) for Multidistrict Data Processing Servicers (MDPS), January 1995, can be found under Resources in the Supervision of Technology Service Providers Booklet in the FFIEC Information Technology Examination Handbook.

Bank Secrecy Act Examination Procedures for Customer Identification Programs
Interagency, 7/28/2004
The federal financial institutions regulatory agencies today issued Bank Secrecy Act (B.S.A.) procedures for examining each domestic and foreign banking organization's customer identification program (CIP), which is required by section 326 of the USA PATRIOT Act (codified in the B.S.A. at 31 U.S.C. 5318(l)). The procedures are designed to help financial institutions fully implement the new CIP requirements and facilitate a consistent supervisory approach among the federal financial institutions regulatory agencies.
Retail Payment Systems
Federal Financial Institutions Examination Council, 3/31/2004
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services. This booklet replaces chapters 20, "Retail EFT (ATM and POS)," and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

The Call Report Modernization Initiative Web Site
Federal Financial Institutions Examination Council, 2/12/2004
The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) are three of the Federal Financial Institutions Examination Council (FFIEC) Agencies. Under the guidance of the FFIEC Reports Task Force, these three agencies (Call Report Agencies) formed a steering committee to collectively manage the development and operation of the Central Data Repository (CDR). The CDR is a centralized resource for users and providers of financial institution data. It is expected to facilitate a more efficient regulatory reporting process by enhancing the methods used to collect, validate, process, and distribute Call Report data.
Statement of Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations - PDF 310k (PDF Help) Joint Agency Release 5/1/2003 Guidance on the effect of Sarbanes-Oxley on small-non public banking institutions Internal and External Audits - PDF 501k (PDF Help) Office of the Comptroller of the Currency 4/1/2003 This booklet discusses the OCC's expectations for effective audit functions and will help examiners and bankers assess the quality and effectiveness of internal and external programs appropriate for a bank's size, complexity of activities, scope of operations and risk profile. Information Technology Examination Procedures Federal Deposit Insurance Corporation 10/9/2002 The Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures. External Audits - PDF 103k (PDF Help) Office of Thrift Supervision 7/1/2002 Guidance on the external audits of thrifts and savings associations Interagency Policy Statement on the Internal Audit Function and its Outsourcing - PDF 431k (PDF Help) Joint Agency Release 5/17/2002 The policy statement sets forth key characteristics of the auditing function, discusses the outsourcing of audit functions and the effect of Sarbanes-Oxley on financial institutions. 
Internal Audits - PDF 59k (PDF Help) Office of Thrift Supervision 2/1/2002 Guidance on the internal audits of thrifts and savings associations Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information Federal Deposit Insurance Corporation 8/4/2001 Assists examiners in assessing the level of compliance with the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999. Provides the purpose of the exam procedures and guidance in performing the exam procedures. Issued as 501(b) Exam Procedures (8/24/01). Privacy Regulation Compliance - PDF 247k (PDF Help) Office of the Comptroller of the Currency 5/29/2001 OCC Staff Responses to Questions from February 13-14, 2001, Telephone Seminar on Privacy Regulation Compliance. Responses to Questions on Privacy Rule Compliance (5/29/01). Privacy of Consumer Financial Information Joint Agency Release 5/17/2001 Examination procedures to review supervised financial institutions for compliance with the agencies' final privacy regulation Issued at 65 FR 35162 (6/1/00)). By FDIC, FRB, OCC, OTS The procedures summarize the basic requirements of the regulation; identify examination objectives; establish procedures for examining for compliance with the regulation; and provide an examination checklist for use in verifying compliance. Examination Procedures for Privacy Rule (5/17/01). Uniform Rating System for Information Technology Office of the Comptroller of the Currency 4/6/2001 Revises OCC policy in applying the URSIT to national banks. For IT exams of national banks that began after 4/1/01, the OCC will assign only the URSIT composite rating. Full URSIT ratings, composite and components, will continue to be assigned during OCC exams of other entities that provide technology services to national banks. Issued as OCC 2001-17 (4/6/01). 
(See, also, the FFIEC notice concerning the revised URSIT found at 64 FR 3109 (1/20/99).) Privacy Preparedness Check-up - PDF (PDF Help) Office of Thrift Supervision 9/18/2000 Questions to assist examiners in determining efforts of institutional management to achieve compliance with 12 CFR 573. Privacy Preparedness Check-Up (9/18/00). Information Technology Examination Frequency Federal Reserve Board 2/29/2000 HTML Eliminates separate information technology exams and highlights that safety and soundness exams should include an assessment and evaluation of information technology risks and risk management. Also discusses exam frequency for service providers. Issued as SR 00-3 (2/29/00). OCC Examination Handbook on Internet Banking - PDF 226k (PDF Help) Office of the Comptroller of the Currency 10/14/1999 National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99). Uniform Rating System for Information Technology Joint Agency Release 1/20/1999 FFIEC revised the Uniform Interagency Rating System for Data Processing Operations. The revision changed the name to the Uniform Rating System for Information Technology and includes changes that have occurred in the data processing industry and in supervisory policies and procedures since the rating system was adopted in 1978. Issued as 64 FR 3109 (1/20/99). Electronic Banking Examination Procedures Federal Deposit Insurance Corporation Rev. 2/2002 Provides guidance for information systems specialists to evaluate electronic banking standards and associated risks. 
DOS Exam Modules (9/1/98) Electronic Banking Examination Procedures Update - PDF (PDF Help) Federal Deposit Insurance Corporation 7/10/1998 Announces revisions to safety and soundness electronic banking exam procedures; describes the procedural levels of exam review (information-only systems that may include non-sensitive electronic mail, information transfer systems and sensitive electronic mail, and transactional systems); and distributes pre-exam letter and requests list to be used in exams where electronic banking activities are in place. Issued as RD Memo 98-061 (7/10/98). Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations Federal Reserve Board 4/20/1998 Provides examiners guidance to assess IT risks when evaluating Community Banks and Large Complex Banking Organizations. (Supplements SR 97-25, Risk-Focused Framework for Supervision of Community Banks, and SR 97-24, Risk-Focused Framework for Large Complex Institutions.) Issued as SR 98-9 (4/20/98). Security Risks Associated with the Internet Federal Deposit Insurance Corporation 12/18/1997 Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97). Information Technology - PDF 89k (PDF Help) Office of Thrift Supervision 10/15/1997 Updates the OTS examination guidelines for the use of information technology and distributes revised Thrift Activities Regulatory Handbook Section 341, Information Technology (previously titled Electronic Data Processing Controls). Issued as RB 32-6 (10/15/97). Examination Procedures for Retail Sale of Nondeposit Investment Products Federal Reserve Board 5/26/1994 Examination Procedures for Retail Sale of Nondeposit Investment Products, Issued as SR 94-34 (5/26/94). 
Nondeposit Investment Sales Examination Procedures - PDF 219k (PDF Help) Office of the Comptroller of the Currency 2/24/1994 Interagency Statement on Retail Sales of Nondeposit Investment Products Encourages insured depository institutions that recommend or sell to retail customers nondeposit investment products, such as mutual funds and annuities, to ensure that customers for these products are clearly and fully informed of the nature and risks associated with these products. In particular, institutions should ensure that customers are fully informed that the products: (1) are not insured by the FDIC; (2) are not deposits or other obligations of the institution and are not guaranteed by the institution; and (3) are subject to investment risks, including possible loss of the principal invested. The OCC incorporated interagency statement in with its insert in the Comptroller’s Handbook for National Bankers. The insert provides national bank examiners with procedures for examining the nondeposit investment sales activities of national banks. Issued as OCC Bulletin 94-13 (2/24/94). Business Continuity Planning Federal Financial Institutions Examination Council This Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. Information Security Booklet Federal Financial Institutions Examination Council Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). 
The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations. Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution. This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 12-14. Audit Booklet Federal Financial Institutions Examination Council This FFIEC booklet describes the roles and responsibilities of the board of directors, management, and internal or external auditors; identifies effective practices for IT audit programs; and details examination objectives and procedures. Agency examiners will use the examination procedures in Appendix A to assess the adequacy of IT audit programs at both financial institutions and technology service providers. The examination guidance and procedures in this booklet focus on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies. Supervision of Technology Service Providers Federal Financial Institutions Examination Council The Supervision of Technology Service Providers booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook and rescinds chapters 2-7 of that handbook. 
This booklet primarily governs the supervision of technology service providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC) member agencies’ (agencies) expectations of financial institutions in the oversight and management of their TSP relationships. This booklet outlines the agencies’ risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers. In addition, this booklet discusses two special IT-related programs administered by the FFIEC agencies: the Multi-Regional Data Processing Servicer (MDPS) Program, geared towards examining large TSPs, and the Shared Application Software Review (SASR) Program aimed at reviewing mission-critical software packages. Fair Credit Reporting
Fair Credit Reporting Regulations (PDF, 299k)
FDIC, April 23, 2007
The Federal Deposit Insurance Corporation (FDIC), a participant in the government-wide Identity Theft Task Force, provides a direct link to the new, centralized government Web site on identity theft. The new site, http://www.idtheft.gov/ , will provide the Task Force's Strategic Plan. The Plan, which represents the input of 17 Federal agencies, including the FDIC, sets out recommendations to prevent identity theft, to assist identity theft victims in recovering from those crimes, and to prosecute and punish identity theft-related criminals.

Supervisory Policy on Identity Theft
FDIC, April 11, 2007
The Federal Deposit Insurance Corporation has issued a "Supervisory Policy on Identity Theft." The policy describes the characteristics of identity theft. It also sets forth the FDIC's expectations that institutions under its supervision take steps to detect and prevent identity theft and mitigate its effects in order to protect consumers and help ensure institutions' safe and sound operations.

Frequently Asked Questions on Guidance Entitled Authentication in an Internet Banking Environment (PDF)
FFIEC, August 15, 2006
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005. The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions' Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams
Federal Deposit Insurance Corporation, January 26, 2006
The Federal Deposit Insurance Corporation (FDIC) has produced a multimedia presentation to help consumers protect themselves from identity theft. The presentation provides information on steps consumers should take to secure their computer and protect themselves from identity theft, as well as actions consumers should take if they become a victim of identity theft. Financial institutions are encouraged to make the link available to their customers from their websites.

Authentication in an Internet Banking Environment (PDF, 163k)
Federal Financial Institutions Examination Council (FFIEC), 10/12/2005
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

You Can Fight Identity Theft
Interagency, September 8, 2005
The federal bank, thrift and credit union agencies have announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as "phishing." The term is a play on the word "fishing," and that's exactly what Internet thieves are doing: fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person's credit card or, in the worst case, even steal that person's identity.

Putting an End to Account-Hijacking Identity Theft Study Supplement
Federal Deposit Insurance Corporation, 6/17/2005
This publication supplements the FDIC's study Putting an End to Account-Hijacking Identity Theft, published on December 14, 2004.

Putting an End to Account-Hijacking Identity Theft
Federal Deposit Insurance Corporation, 12/14/2004
This study, published on December 14, 2004, presents the FDIC's findings on unauthorized access to financial institution accounts and how the financial industry and its regulators can mitigate these risks.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks (PDF, 245k)
Federal Deposit Insurance Corporation, 6/16/2004
This study presents the FDIC's findings with regard to the risks of offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective and with particular emphasis on the threats posed to customer privacy.

Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
Federal Deposit Insurance Corporation, 3/12/2004
The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers.

Guidance on Identity Theft and Pretext Calling
Federal Deposit Insurance Corporation, 5/9/2001
Addresses how banks should protect customer information against identity theft. Also included is guidance on completing Suspicious Activity Reports to report offenses associated with identity theft and pretext calling, i.e., posing as a customer or someone authorized to have customer information in order to obtain confidential customer data. Guidance on Identity Theft and Pretext Calling (5/9/01).

How to Avoid Becoming A Victim of Identity Theft (PDF, 162k)
Office of the Comptroller of the Currency, 4/30/2001
Trifold consumer brochure on avoiding identity theft.

Identity Theft and Pretext Calling (Word, 69k)
Office of the Comptroller of the Currency, 4/30/2001
Informs national banks about two areas of consumer bank fraud, identity theft and pretext calling, and advises them about measures to prevent and detect these types of fraud. Also supplements the interagency guidelines establishing standards to safeguard customer information by focusing on the protection of customer information specifically against identity theft and pretext calling. Issued as AL 2001-4.

Identity Theft and Pretext Calling
Federal Reserve Board, 4/26/2001
Addresses how state member banks and other banking organizations supervised by the FRB that provide products or services to the public or that maintain customer account information should protect customer information against identity theft. Also provides guidance on completing Suspicious Activity Reports that report offenses associated with identity theft and pretext calling. Issued as SR 01-11.

Information Security

Information Security (PDF)
FFIEC, 7/27/06
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high-level synopses of each of the twelve booklets and describes the handbook development and maintenance processes. The guidance updates the 2002 Information Security Booklet and addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance. The discussion of risk assessment has been expanded to reflect the maturation of that process related to information security. New or revised material is included regarding authentication, monitoring programs, and software trustworthiness. Many additional topics, including malware, wireless, remote access, and trust services, have also been incorporated or revised.

Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide
Joint Agency Release, December 14, 2005
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.
Guidance on Implementing a Fraud Hotline
Federal Deposit Insurance Corporation, August 16, 2005
The Federal Deposit Insurance Corporation (FDIC) encourages financial institutions to consider implementing a fraud hotline to assist in their enterprise risk management, corporate governance and fraud protection efforts. The FDIC has established guidelines for institution management to consider when implementing a fraud hotline to ensure its overall effectiveness.

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (PDF, 550k)
Interagency, 3/23/2005
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies' customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information.

Management Booklet
Federal Financial Institutions Examination Council, 7/15/2004
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

Outsourcing Technology Services Booklet
Federal Financial Institutions Examination Council, 7/15/2004
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing of IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks (PDF, 245k)
Federal Deposit Insurance Corporation, 6/16/2004
This study presents the FDIC's findings with regard to the risks of offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective and with particular emphasis on the threats posed to customer privacy.

Guidance on Developing an Effective Computer Virus Protection Program
Federal Deposit Insurance Corporation, 6/7/2004
The FDIC is issuing guidance to financial institutions about the importance of maintaining an effective computer virus protection program. The guidance provides information on the risks associated with computer viruses and how these risks can be mitigated. Financial institutions rely on the Internet to conduct business transactions and to communicate with customers, vendors and other business partners. Commonly used electronic mail applications are susceptible to computer viruses that may be embedded in e-mails and e-mail file attachments. Therefore, it is important that management understand the risks of computer viruses and take appropriate action to protect computer systems. This guidance is designed to complement the FFIEC Information Security IT Examination Handbook, issued December 2002, and to supplement Financial Institution Letter 68-99, "Risk Assessment Tools and Practices for Information System Security." Issued as FIL-62-2004.

Development and Acquisition
Federal Financial Institutions Examination Council, 5/27/2004
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section.

Guidance on Developing an Information System Patch Management Program to Address Software Vulnerabilities
Federal Deposit Insurance Corporation, 5/29/2003
The FDIC is providing guidance to financial institutions about the importance of maintaining an effective computer software patch management program. This guidance provides institutions with background information on the risks associated with software vulnerabilities and how they can be mitigated through an effective patch management program.

Information Technology Examination Procedures
Federal Deposit Insurance Corporation, 10/9/2002
The Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures.

Electronic Access (PDF, 58k)
Federal Reserve Board, 6/1/2002
This operating circular sets forth the terms under which an institution may access certain services provided by a Reserve Bank, and under which an institution may send certain data to, or receive certain data from, a Reserve Bank by means of electronic connection(s).

Funds Transfer through Fedwire (PDF, 60k)
Federal Reserve Board, 1/2/2002
Operating Circular relating to the transfer of funds via Fedwire.

Network Security Vulnerabilities (Word)
Office of the Comptroller of the Currency, 4/24/2001
Alerts banks to potential threats in electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software. These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. Issued as Alert 2001-4 (4-24-01).

Comptroller's Corporate Manual on The Internet and The National Bank Charter (PDF, 222k)
Office of the Comptroller of the Currency, 1/1/2001
This booklet provides guidance on these processes and the special issues and considerations presented by proposals for these types of banks. The Internet and The National Bank Charter (January 2001).

Digital Signature Deployment Issues
Federal Deposit Insurance Corporation, 10/30/2000
Describes four critical issues to consider when deploying digital signature technology. Bank Technology Bulletin (9/30/00).

Infrastructure Threats - Intrusion Risks
Office of the Comptroller of the Currency, 5/15/2000
Infrastructure Threats - Intrusion Risks: Message to Bankers and Examiners. Guidance on preventing, detecting, and responding to intrusions into bank computer systems. Issued as OCC Bulletin 2000-14 (5/15/00).

Outsourcing of Information and Transaction Processing
Federal Reserve Board, 2/29/2000
Provides supervisory expectations regarding the management of risks that may arise from outsourcing critical information and transaction processing activities by banking organizations. Issued as SR 00-4 (2/29/00).

Information Technology Examination Frequency
Federal Reserve Board, 2/29/2000
Eliminates separate information technology exams and highlights that safety and soundness exams should include an assessment and evaluation of information technology risks and risk management. Also discusses exam frequency for service providers. Issued as SR 00-3 (2/29/00).

Internet Security: Distributed Denial of Service Attacks
Office of the Comptroller of the Currency, 2/11/2000
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than the computers can handle. Issued as Alert 2000-1 (2/11/00).

Risk Assessment Tools and Practices for Information System Security
Federal Deposit Insurance Corporation, 7/7/1999
Emphasizes components of a sound information security program: prevention, detection, and response. Supplements FIL-131-97, Security Risks Associated with the Internet (12/18/97), and complements FDIC's safety and soundness electronic banking examination procedures. Issued as FIL-68-99 (7/7/99).

Certification Authority Systems
Office of the Comptroller of the Currency, 5/4/1999
Defines elements of certification authority systems, describes the role of banks in emerging systems, and refers bankers and examiners to OCC Bulletin 98-38, "Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners," and OCC Bulletin 98-3, "Technology Risk Management: Guidance for Bankers and Examiners." Issued as OCC Bulletin 99-20 (5/4/99).

Infrastructure Threats from Cyber-Terrorists
Office of the Comptroller of the Currency, 3/5/1999
Identifies threats and vulnerabilities created by cyber-terrorism to the financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Security Risks Associated with the Internet
Federal Deposit Insurance Corporation, 12/18/1997
Identifies risks to information system security associated with Internet use. Complements FDIC's safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Sound Practices Guidance for Information Security for Networks
Federal Reserve Board, 12/4/1997
Guidance for protecting information and ensuring integrity, availability, and confidentiality. Issued as SR 97-32 (12/4/97).

Information Technology (PDF, 89k)
Office of Thrift Supervision, 10/15/1997
Updates the OTS examination guidelines for the use of information technology and distributes revised Thrift Activities Regulatory Handbook Section 341, Information Technology (previously titled Electronic Data Processing Controls). Issued as RB 32-6 (10/15/97).

Risk Management and Client/Server Systems
Joint Agency Release, 10/8/1996
FFIEC statement to alert the board of directors and senior management of financial institutions to risks associated with client/server computing, and to encourage development and implementation of sound policies, practices, procedures, and controls over client/server computing environments. Issued as FIL-82-96 (10/8/96).

Social Security Numbers As Personal Identification Numbers (PDF)
Office of the Comptroller of the Currency, 7/24/1991
Alerts banks and examiners to potential security breaches or fraud through unauthorized access to customer accounts. Issued as AL 91-4 (7/24/91).

Information Security Booklet
Federal Financial Institutions Examination Council
Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the "Guidelines Establishing Standards to Safeguard Customer Information" to implement section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution's operations, and serves as a supplement to agency GLBA 501(b) expectations. Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution's risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution. This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 12-14.

Information Sharing
USA PATRIOT Act - Section 314, Information Sharing

FFIEC, 8/15/06
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005. The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Information Security - PDF (PDF Help) (FFIEC, 7/27/06)
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high-level synopses of each of the twelve booklets and describes the handbook development and maintenance processes. The guidance updates the 2002 Information Security Booklet and addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance. The discussion of risk assessment has been expanded to reflect the maturation of that process related to information security. New or revised material is included regarding authentication, monitoring programs, and software trustworthiness. Many additional topics including malware, wireless, remote access, and trust services have also been incorporated or revised.

Bank Secrecy Act/Anti-Money Laundering Examination Manual - PDF (PDF Help) (FFIEC, 7/27/2006)
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual’s 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.

Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams (Federal Deposit Insurance Corporation, January 26, 2006)
The Federal Deposit Insurance Corporation (FDIC) has produced a multimedia presentation to help consumers protect themselves from identity theft. The presentation provides information on steps consumers should take to secure their computer and protect themselves from identity theft, as well as actions consumers should take if they become a victim of identity theft. Financial institutions are encouraged to make the link available to their customers from their websites.
You Can Fight Identity Theft (Interagency, September 8, 2005)
The federal bank, thrift and credit union agencies have announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as “phishing.” The term is a play on the word “fishing,” and that’s exactly what Internet thieves are doing – fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person’s credit card or, in the worst case, even steal that person’s identity.

Voice over Internet Protocol (VoIP) Informational Supplement (Federal Deposit Insurance Corporation, July 27, 2005)
The FDIC is providing guidance to financial institutions on the security risks associated with voice over Internet protocol (VoIP). VoIP refers to the delivery of traditional telephone voice communications over the Internet.

Best Practices on Spyware Prevention and Detection (Federal Deposit Insurance Corporation, July 22, 2005)
The FDIC is issuing guidance to financial institutions recommending an effective spyware prevention and detection program based on an institution's risk profile. This guidance and the attached informational supplement discuss the risks associated with spyware from both a bank and consumer perspective and provide recommendations to mitigate these risks.

Guidance on How Financial Institutions Can Protect Against Pharming Attacks (Federal Deposit Insurance Corporation, July 18, 2005)
The Federal Deposit Insurance Corporation (FDIC) has prepared guidance for financial institutions on the risks posed by "pharming" and strategies that can help mitigate those risks. "Pharming" is the practice of redirecting Internet domain name requests to false Web sites in order to capture personal information, which may later be used to commit fraud and identity theft.

Threats from Fraudulent Bank Web Sites - Word (Word Help) (Office of the Comptroller of the Currency, 7/1/2005)
The bulletin addresses procedures banks can implement to mitigate the risks to themselves and their customers by detecting and responding to Web-site spoofing. It also identifies the types of information banks can provide to law enforcement authorities to assist in investigating illegal activities. This bulletin expands on OCC Alert 2003-11, "Customer Identity Theft: E-mail-Related Fraud Threats," September 12, 2003.

Phish brochure (large file format) - PDF 3,268k (PDF Help); Phish brochure (small file format) - PDF 224k (PDF Help) (Joint Agency release, 9/8/2004)
The federal bank, thrift and credit union agencies today announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as "phishing." The term is a play on the word "fishing," and that's exactly what Internet thieves are doing - fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person's credit card or, in the worst case, even steal that person's identity.

Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Federal Deposit Insurance Corporation, 3/12/2004)
The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers.

Weblinking (Joint Agency Release, 4/23/2003)
Federal bank and credit union regulatory agencies have issued guidance to assist financial institutions in identifying risks posed by the use of weblinks on their websites, and to suggest a variety of risk-management techniques that institutions should consider using to mitigate those risks. This guidance applies to institutions that develop and maintain their own websites, as well as institutions that use third-party service providers for this

ACH Transactions Involving the Internet: Guidance and Examination Procedures - Word 102k (Word Help) (Office of the Comptroller of the Currency, 1/14/2002)
Highlights the risks associated with automated clearing house (ACH) transactions that involve the use of the Internet and provides guidance for managing those risks. This bulletin incorporates and replaces OCC Advisory Letter 2001-3 (Internet-Initiated ACH Debits/ACH Risks (1/29/01)) (described below). Issued as OCC Bulletin 2002-2 (1/14/02).

Authentication In An Electronic Banking Environment (Joint Agency Release, 7/30/2001)
Reviews the risks and risk management controls of a number of existing and emerging authentication tools necessary to initially verify the identity of new customers and authenticate existing customers that access electronic banking services. This guidance applies to both retail and commercial customers and is intended to be technology neutral. Financial institutions may use this guidance when evaluating and implementing authentication systems and practices, whether they are provided internally or by a third-party service provider. Issued as FFIEC Authentication Guidance by FDIC, FRB, OTS and OCC.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information - PDF 131k (PDF Help) (Office of the Comptroller of the Currency, 7/18/2001)
Provides risk-based procedures that allow examiners to tailor the exam scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution. Typically, OCC examiners will use these procedures in the OCC’s largest banks, which have complex IT environments, significant information security concerns, or where less experienced examiners need more detailed guidance. Issued as Examination Procedures (7/18/01).

Weblinking - Word 80k (Word Help) (Office of the Comptroller of the Currency, 7/3/2001)
Highlights risks involved in weblinking relationships with third parties and provides risk management guidance to banks on weblinking relationships with affiliated and unaffiliated third parties. Issued as OCC Bulletin 2001-31 (7/3/01).

Network Security Vulnerabilities - Word (Word Help) (Office of the Comptroller of the Currency, 4/24/2001)
Alerts banks to potential threats in electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software. These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. Issued as Alert 2001-4 (4-24-01).

Bank-Provided Account Aggregation Services - Word 55k (Word Help) (Office of the Comptroller of the Currency, 2/28/2001)
Discusses the risks of bank-provided account aggregation services, and suggests control mechanisms banks should consider when they offer aggregation services. Issued as OCC Bulletin 2001-12 (3/2/01).

Internet-Initiated ACH Debits/ACH Risks - Word (Word Help) (Office of the Comptroller of the Currency, 1/29/2001)
Alerts banks to specific Automated Clearing House (ACH) risks and emphasizes the importance of sound ACH risk management practices. Banks that transmit certain Internet-initiated ACH debits will be deemed to warrant that their customers who originate the entries use security measures that meet minimum standards of the National Automated Clearing House Association. Issued as AL 2001-3 (1/29/01).

Protecting Internet Domain Names - PDF (PDF Help) (Federal Deposit Insurance Corporation, 11/9/2000)
Alerts senior bank management to potential domain name-related problems and highlights action that may help to avoid or resolve such problems. Bank Technology Bulletin (11/9/00).

Tips for Safe Banking Over the Internet (Federal Deposit Insurance Corporation, 9/21/2000)
Tips for Safe Banking Over the Internet - An FDIC Brochure for Bank Customers. This brochure offers information and tips to help bank customers who are thinking about or already using online banking systems. It describes how to:

(Office of the Comptroller of the Currency, 7/19/2000)
Highlights the need for banks to carefully select and protect Internet addresses. Issued as Alert 2000-9 (7/19/00).

Internet Security: Distributed Denial of Service Attacks (Office of the Comptroller of the Currency, 2/11/2000)
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than computers can handle. Issued as Alert 2000-1 (2/11/00).

OCC Examination Handbook on Internet Banking - PDF 226k (PDF Help) (Office of the Comptroller of the Currency, 10/14/1999)
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Certification Authority Systems (Office of the Comptroller of the Currency, 5/4/1999)
Defines elements of certification authority systems, describes the role of banks in emerging systems, and refers bankers and examiners to OCC Bulletin 98-38, "Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners," and OCC Bulletin 98-3, "Technology Risk Management: Guidance for Bankers and Examiners." Issued as OCC Bulletin 99-20 (5/4/99).

Infrastructure Threats from Cyber-Terrorists (Office of the Comptroller of the Currency, 3/5/1999)
Identifies threats and vulnerabilities created by cyber-terrorism to the financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Security Risks Associated with the Internet (Federal Deposit Insurance Corporation, 12/18/1997)
Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Money Laundering
Bank Secrecy Act/Anti-Money Laundering Examination Manual - PDF (PDF Help)

Nondeposit Investment Sales Appendices A-C - PDF 87k (PDF Help)

Guidance on Identity Theft and Pretext Calling

You Can Fight Identity Theft

FFIEC, 8/15/06
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005. The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Guidance on Implementing a Fraud Hotline (Federal Deposit Insurance Corporation, August 16, 2005)
The Federal Deposit Insurance Corporation (FDIC) encourages financial institutions to consider implementing a fraud hotline to assist in their enterprise risk management, corporate governance and fraud protection efforts. The FDIC has established guidelines for institution management to consider when implementing a fraud hotline to ensure its overall effectiveness.

Instructions for Completing the Information Technology Examination Officer's Questionnaire (Federal Deposit Insurance Corporation, August 18, 2005)
The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions. The FDIC's new risk-focused IT examination procedures focus on the financial institution’s information security program and risk-management practices for securing information assets. The IT Examination Officer's Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination.
The new examination procedures apply to all FDIC-supervised financial institutions, regardless of size, technical complexity or prior examination rating. IT examination findings and a single IT "composite" rating will be included in the consolidated Risk Management Report of Examination.

NACHA Rule Changes (Office of the Comptroller of the Currency, 12/20/2004)
The purpose of this OCC bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

FFIEC Guidance on the use of Free and Open Source Software - PDF 45k (PDF Help) (Federal Financial Institutions Examination Council, 12/6/2004)
The federal banking, thrift, and credit union regulatory agencies have published guidance for examiners, financial institutions, and technology service providers on the acquisition and use of free and open source software (FOSS). FOSS refers to software that users are permitted to run, study, modify, and redistribute without paying a licensing fee. Some of the most well-known examples of FOSS are the Linux operating system, Apache web server, and mySQL database.

Computer Software Due Diligence: Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance (Federal Deposit Insurance Corporation, 11/16/2004)
The FDIC is issuing guidance to financial institutions on performing proper due diligence when selecting computer software or a service provider. This due diligence includes making sure that the software or service provider is compliant with applicable laws, including the Bank Secrecy Act, which includes the USA PATRIOT Act.

Remittances: A Gateway to Banking for Unbanked Immigrants - PDF (PDF Help) (Office of the Comptroller of the Currency, 9/15/2004)
This edition of Community Developments Insights addresses the role of banks in providing money transfer services and describes how banks can use these products to attract unbanked immigrants into the banking system. It also addresses some of the key risks and regulatory issues presented by bank involvement in these products. This publication also addresses a number of legal, compliance, and operational considerations that financial institutions should be aware of when offering remittance products. These include money laundering, customer identification, and third-party provider risk.

Wholesale Payment Systems Booklet (Federal Financial Institutions Examination Council, 8/26/2004)
The Wholesale Payment Systems Booklet provides guidance on the risks and risk management practices applicable to financial institutions' wholesale payment systems activities, including interbank and intrabank payment, messaging, and securities settlement systems. Wholesale payment system activities require careful planning and coordination between IT and business units, and their operation must include strong internal controls and ongoing monitoring. The Wholesale Payment Systems Booklet includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.

Operations Booklet (Federal Financial Institutions Examination Council, 8/26/2004)
The Operations Booklet provides guidance on the risks and risk management practices applicable to financial institutions' technology operations. Effective support and delivery from IT operations are vital to a financial institution's performance and success. The booklet discusses tactical and strategic support and delivery risks and the controls that should be in place to address them. The booklet also includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.

Guidance on Instant Messaging (Federal Deposit Insurance Corporation, 7/21/2004)
This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.

Management Booklet (Federal Financial Institutions Examination Council, 7/15/2004)
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

Outsourcing Technology Services Booklet (Federal Financial Institutions Examination Council, 7/15/2004)
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.

Development and Acquisition (Federal Financial Institutions Examination Council, 5/27/2004)
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section.

Retail Payment Systems (Federal Financial Institutions Examination Council, 3/31/2004)
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services. This booklet replaces chapters 20, "Retail EFT (ATM and POS)," and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Federal Deposit Insurance Corporation, 3/12/2004)
The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers.

Internal and External Audits - PDF 501k (PDF Help) (Office of the Comptroller of the Currency, 4/1/2003)
This booklet discusses the OCC's expectations for effective audit functions and will help examiners and bankers assess the quality and effectiveness of internal and external programs appropriate for a bank's size, complexity of activities, scope of operations and risk profile.

Information Technology Examination Procedures (Federal Deposit Insurance Corporation, 10/9/2002)
The Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures.
External Audits - PDF 103k (PDF Help) (Office of Thrift Supervision, 7/1/2002)
Guidance on the external audits of thrifts and savings associations.

Interagency Policy Statement on the Internal Audit Function and its Outsourcing - PDF 431k (PDF Help) (Joint Agency Release, 5/17/2002)
The policy statement sets forth key characteristics of the auditing function, discusses the outsourcing of audit functions and the effect of Sarbanes-Oxley on financial institutions.

Bank Use of Foreign-Based Third-Party Service Providers - PDF 159k (PDF Help) (Office of the Comptroller of the Currency, 5/15/2002)
This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations.

Guidance on Managing Risks Associated with Wireless Networks and Wireless Customer Access - HTML (Federal Deposit Insurance Corporation, 2/1/2002)
Provides guidance on the risks financial institutions face when implementing wireless technology. Issued as FIL 8-2002 (2/01/02).

Internal Audits - PDF 59k (PDF Help) (Office of Thrift Supervision, 2/1/2002)
Guidance on the internal audits of thrifts and savings associations.

ACH Transactions Involving the Internet: Guidance and Examination Procedures - Word 102k (Word Help) (Office of the Comptroller of the Currency, 1/14/2002)
Highlights the risks associated with automated clearing house (ACH) transactions that involve the use of the Internet and provides guidance for managing those risks. This bulletin incorporates and replaces OCC Advisory Letter 2001-3 (Internet-Initiated ACH Debits/ACH Risks (1/29/01)) (described below). Issued as OCC Bulletin 2002-2 (1/14/02).

Third-Party Relationships - Word 89k (Word Help) (Office of the Comptroller of the Currency, 11/1/2001)
Provides guidance on managing risks that may arise from business relationships with third parties. Issued as OCC Bulletin 2001-47 (11/1/01).

Authentication In An Electronic Banking Environment (Joint Agency Release, 7/30/2001)
Reviews the risks and risk management controls of a number of existing and emerging authentication tools necessary to initially verify the identity of new customers and authenticate existing customers that access electronic banking services. This guidance applies to both retail and commercial customers and is intended to be technology neutral. Financial institutions may use this guidance when evaluating and implementing authentication systems and practices, whether they are provided internally or by a third-party service provider. Issued as FFIEC Authentication Guidance by FDIC, FRB, OTS and OCC.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information - PDF 131k (PDF Help) (Office of the Comptroller of the Currency, 7/18/2001)
Provides risk-based procedures that allow examiners to tailor the exam scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution. Typically, OCC examiners will use these procedures in the OCC’s largest banks, which have complex IT environments, significant information security concerns, or where less experienced examiners need more detailed guidance. Issued as Examination Procedures (7/18/01).

Effective Practices for Selecting a Service Provider (Federal Deposit Insurance Corporation, 6/4/2001)
A resource for banks in addressing specific challenges relating to technology outsourcing.

Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements (Federal Deposit Insurance Corporation, 6/4/2001)
A resource for banks in addressing specific challenges relating to technology outsourcing.

Techniques for Managing Multiple Service Providers (Federal Deposit Insurance Corporation, 6/4/2001)
A resource for banks in addressing specific challenges relating to technology outsourcing.

Bank-Provided Account Aggregation Services - Word 55k (Word Help) (Office of the Comptroller of the Currency, 2/28/2001)
Discusses the risks of bank-provided account aggregation services, and suggests control mechanisms banks should consider when they offer aggregation services. Issued as OCC Bulletin 2001-12 (3/2/01).

Internet-Initiated ACH Debits/ACH Risks - Word (Word Help) (Office of the Comptroller of the Currency, 1/29/2001)
Alerts banks to specific Automated Clearing House (ACH) risks and emphasizes the importance of sound ACH risk management practices. Banks that transmit certain Internet-initiated ACH debits will be deemed to warrant that their customers who originate the entries use security measures that meet minimum standards of the National Automated Clearing House Association. Issued as AL 2001-3 (1/29/01).

Comptroller’s Corporate Manual on The Internet and The National Bank Charter - PDF 222k (PDF Help) (Office of the Comptroller of the Currency, 1/1/2001)
This booklet provides guidance on these processes and the special issues and considerations presented by proposals for these types of banks. The Internet and The National Bank Charter (January 2001).

Risk Management of Technology Outsourcing - PDF 135k (PDF Help) (Joint Agency Release, 11/28/2000)
FFIEC guidance focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Issued by FDIC, FRB, OCC, OTS Guidance (11/28/00).

Digital Signature Deployment Issues (Federal Deposit Insurance Corporation, 10/30/2000)
Describes four critical issues to consider when deploying digital signature technology. Bank Technology Bulletin (9/30/00).
Infrastructure Threats - Intrusion Risks (Office of the Comptroller of the Currency, 5/15/2000)
Infrastructure Threats-Intrusion Risks - Message to Bankers and Examiners. Guidance on preventing, detecting, and responding to intrusions into bank computer systems. Issued as OCC Bulletin 2000-14 (5/15/00).

Outsourcing of Information and Transaction Processing (Federal Reserve Board, 2/29/2000)
Provides supervisory expectations regarding the management of risks that may arise from outsourcing critical information and transaction processing activities by banking organizations. Issued as SR 00-4 (2/29/00).

Information Technology Examination Frequency (Federal Reserve Board, 2/29/2000)
Eliminates separate information technology exams and highlights that safety and soundness exams should include an assessment and evaluation of information technology risks and risk management. Also discusses exam frequency for service providers. Issued as SR 00-3 (2/29/00).

Internet Security: Distributed Denial of Service Attacks (Office of the Comptroller of the Currency, 2/11/2000)
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than computers can handle. Issued as Alert 2000-1 (2/11/00).

OCC Examination Handbook on Internet Banking - PDF 226k (PDF Help) (Office of the Comptroller of the Currency, 10/14/1999)
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Risk Assessment Tools and Practices for Information System Security (Federal Deposit Insurance Corporation, 7/7/1999)
Emphasizes components of a sound information security program: prevention, detection, and response. Supplements FIL-131-97, Security Risks Associated with the Internet (12/18/97), and complements FDIC’s safety and soundness electronic banking examination procedures. Issued as FIL-68-99 (7/7/99).

Certification Authority Systems (Office of the Comptroller of the Currency, 5/4/1999)
Defines elements of certification authority systems, describes the role of banks in emerging systems, and refers bankers and examiners to OCC Bulletin 98-38, "Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners," and OCC Bulletin 98-3, "Technology Risk Management: Guidance for Bankers and Examiners." Issued as OCC Bulletin 99-20 (5/4/99).

Infrastructure Threats from Cyber-Terrorists (Office of the Comptroller of the Currency, 3/5/1999)
Identifies threats and vulnerabilities created by cyber-terrorism to the financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Electronic Banking Examination Procedures (Federal Deposit Insurance Corporation, Rev. 2/2000)
Provides guidance for information systems specialists to evaluate electronic banking standards and associated risks. DOS Exam Modules (9/1/98).

Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners (Office of the Comptroller of the Currency, 8/24/1998)
Guidance on how to identify, measure, monitor, and control risks arising from the use of retail personal computer banking. Issued as OCC Bulletin 98-38 (8/24/98).

Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations - HTML (Federal Reserve Board, 4/20/1998)
Provides examiners guidance to assess IT risks when evaluating Community Banks and Large Complex Banking Organizations. (Supplements SR 97-25, Risk-Focused Framework for Supervision of Community Banks, and SR 97-24, Risk-Focused Framework for Large Complex Institutions.) Issued as SR 98-9 (4/20/98).

Technology Risk Management: Guidance for Bankers and Examiners (Office of the Comptroller of the Currency, 2/4/1998)
Guidance on how national banks should identify, measure, monitor, and control risks associated with the use of technology. Issued as OCC Bulletin 98-3 (2/4/98).

Security Risks Associated with the Internet (Federal Deposit Insurance Corporation, 12/18/1997)
Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Sound Practices Guidance for Information Security for Networks - HTML (Federal Reserve Board, 12/4/1997)
Guidance for protecting information and ensuring integrity, availability, and confidentiality. Issued as SR 97-32 (12/4/97).

Information Technology - PDF 89k (PDF Help) (Office of Thrift Supervision, 10/15/1997)
Updates the OTS examination guidelines for the use of information technology and distributes revised Thrift Activities Regulatory Handbook Section 341, Information Technology (previously titled Electronic Data Processing Controls). Issued as RB 32-6 (10/15/97).

Statement on Retail Online Personal Computer Banking - PDF 152k (PDF Help) (Office of Thrift Supervision, 6/23/1997)
Alerts boards of directors and management to some of the risks and concerns of retail online PC banking. Issued as CEO Memo 70 (6/23/97).

Risk Management and Client/Server Systems (Joint Agency Release, 10/8/1996)
FFIEC statement to alert boards of directors and senior management of financial institutions to the risks associated with client/server computing; it encourages the development and implementation of sound policies, practices, procedures, and controls over client/server computing environments. Issued as FIL-82-96 (10/8/96).
Electronic Banking Activities – Overview of On-Line Banking - PDF 55k (PDF Help) Federal Deposit Insurance Corporation 6/16/1996 General information about online banking activities and related supervisory issues. Issued as RD Memo 96-040 (5/16/96). Business Continuity Planning Federal Financial Institutions Examination Council This Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. Draft Community Bank Supervision booklet - PDF 180k (PDF Help) Office of the Comptroller of the Currency For community banks, the OCC has incorporated less detailed procedures in the Community Bank Supervision booklet of the Comptroller’s Handbook. Attached is an advanced copy of the IT section that focuses on the adequacy of a bank’s risk management processes and controls to promote integrity, availability and confidentiality of automated information systems. E-Banking Booklet Federal Financial Institutions Examination Council This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls. 
Technology Risk Controls - PDF 104k. Office of Thrift Supervision. Guidance for ensuring the integrity of data input, protecting against corruption of the data or the programming, and testing the accuracy of the output.

FedLine Booklet. Federal Financial Institutions Examination Council. The FedLine booklet addresses the risks, risk management practices, and mitigating controls necessary to establish and maintain an appropriate operating environment for the FedLine Funds Transfer (FT) application.

Supervision of Technology Service Providers. Federal Financial Institutions Examination Council. The Supervision of Technology Service Providers booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook and rescinds chapters 2-7 of that handbook. This booklet primarily governs the supervision of technology service providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC) member agencies’ (agencies) expectations of financial institutions in the oversight and management of their TSP relationships. This booklet outlines the agencies’ risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers. In addition, this booklet discusses two special IT-related programs administered by the FFIEC agencies: the Multi-Regional Data Processing Servicer (MDPS) Program, geared towards examining large TSPs, and the Shared Application Software Review (SASR) Program, aimed at reviewing mission-critical software packages.

Information Security Booklet. Federal Financial Institutions Examination Council. Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations. Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution. This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 12-14.

Suspicious Activity Reports
New TD F 90-22.47 (SAR for Depository Institutions) - PDF 180k

Guidance for Financial Institutions on the Use of Foreign-Based Third-Party Service Providers

Electronic Financial Services and Consumer Compliance - PDF 64k
Last Updated 6/12/2007 | legal@fdic.gov