Financial Institution Letter
Risk Management of Free and Open Source Software FFIEC Guidance
Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance to help institutions identify and implement appropriate risk-management practices when using "free and open source software" (FOSS). 


  • FOSS refers to software that users are allowed to run, study, modify and redistribute without paying a licensing fee. Well-known examples are the Linux operating system, Apache Web server and MySQL database.
  • The use of FOSS is increasing in the mainstream information technology and financial services communities.
  • The federal regulatory agencies believe that using FOSS does not impose risks to institutions that are fundamentally different from risks presented by proprietary or self-developed software. However, acquiring and using FOSS necessitates that institutions implement unique risk-management practices.
  • This guidance supplements the FFIEC IT Examination Handbook's Development and Acquisition Booklet by addressing strategic, operational and legal risk considerations in acquiring and using FOSS.

FDIC-Supervised Banks (Commercial and Savings) 

Suggested Routing: 
Chief Executive Officer 
Chief Technology Officer 
Chief Information Officer 

For your reference, FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at

To receive FILs electronically, please visit

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).

Additional Related Topics:

  • FFIEC IT Examination Handbook, Development and Acquisition Booklet
Last Updated: October 21, 2004