Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.
Financial Institution Letter
FFIEC INFORMATION TECHNOLOGY EXAMINATION HANDBOOK


TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
SUBJECT: New Guidance for Examiners and Financial Institutions on Business Continuity Planning and Supervision of Technology Service Providers
Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued two booklets - one, with revised guidance for evaluating risk-management processes to ensure the availability of critical financial services, and the other covering the supervision and examination of services performed for financial institutions by technology service providers. The booklets are the second and third in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook .

On May 20, 2003, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners and financial institutions to use in evaluating risk- management processes to ensure the availability of critical financial services. This guidance - The Business Continuity Planning Booklet - is the second in a series of updates to the 1 996 FFIEC Information Systems Examination Handbook .

Sound business continuity planning allows financial institutions and technology service providers (TSPs) to respond to such adverse events as natural disasters, technological failures, human error and terrorism. Institutions and TSPs must be able to maintain or recover data, operations and customer services quickly and effectively after any adverse event. Because financial institutions play a crucial role in the economy, it is important their business operations be resilient and the effects of disruptions in service be minimized.

Concurrently, the FFIEC issued revised guidance for examiners that covers the supervision and examination of services performed for financial institutions by technology service providers. It outlines the agencies' risk-based supervision approach, the supervisory process and the examination ratings used for technology service providers. This guidance - The Supervision of Technology Service Providers Booklet - is the third in a series of updates to the 1996 FFIEC Information Systems Examination Handbook .

The FFIEC is issuing updates in separate booklets that will ultimately replace all chapters of the 1996 handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook . Future booklets will address electronic banking, IT audits, payment systems, outsourcing, IT management, computer operations, and systems development and acquisition. These updates will address significant changes in technology since 1996 and incorporate a risk-based examination approach.

The FFIEC agencies plan to distribute these booklets electronically to financial institutions and TSPs via the Internet through the FFIEC's InfoBase application. The InfoBase will include each booklet in Adobe Acrobat PDF file format, as well as an online version with links to various resource materials and an orientation to the handbook update process.

The electronic versions of The Business Continuity Planning Booklet and The Supervision of Technology Service Providers Booklet, along with the already issued Information Security Booklet, are available at http://www.fdic.gov/regulations/information/information/FFIEC.html and www.ffiec.gov/guides.htm .

For more information about information security and business continuity planning, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2003/index.html .



Michael J. Zamorski
Director

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).


FIL-40-2003
Last Updated: May 22, 2003