New Examination Procedures for Assessing Information Technology Risk
Over the last several years, many financial institutions have moved away from traditional mainframe-oriented computer processing environments and increased their reliance on newer technologies, such as networks, the Internet and enterprise-wide processing. As a result, the Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their resulting exposure to technology risk, along with updated and more risk-focused IT examination procedures.
The FDIC will discontinue using terms such as "serviced," "turnkey" and "remote job entry" to describe an institution's level of technology risk for examination planning purposes. These terms no longer accurately reflect the true technology profile of an institution. Going forward, an institution's technology risk profile will be determined based on a review of core processing systems, internal networks, electronic banking products, connectivity to external networks, the location of sensitive information, and other technology components. This measurement of technology complexity will allow examiners to focus examination efforts on areas of high risk, while reducing resources at targeted, lower risk institutions.
The FDIC has developed two new work programs, which are attached: IT-MERIT (Maximum Efficiency, Risk-Focused, Institution Targeted) Procedures; and an IT General Work Program.
IT-MERIT examination procedures will be used by examiners conducting technology risk reviews at FDIC-supervised financial institutions with the least technology risk. These simplified procedures will greatly streamline the review process for institutions in this group.
The IT General Work Program was developed to improve efficiencies by consolidating several existing technology-related work programs into a single work program and eliminating redundant review areas. This work program will be used by examiners conducting technology risk reviews at FDIC-supervised financial institutions with low to moderate technology risk. It replaces several previously issued work programs, such as the Electronic Banking Work Program, Examination Procedures to Evaluate Customer Information Safeguards, the Community Bank Work Program and others.
Examiners will continue to use existing Federal Financial Institutions Examination Council (FFIEC) Work Programs for all financial institutions with greater technology risk.
Because nearly all financial institutions are exposed to some level of technology risk in today's business environment, a technology assessment rating will be assigned at all technology risk reviews. Currently, a technology assessment rating is not assigned to institutions described as "serviced." Institutions will receive a technology assessment rating in accordance with the following guidelines:
Financial institutions exposed to a very low level of technology risk (those for which IT-MERIT procedures are used) will be assigned only a composite Uniform Rating System for Information Technology (URSIT) rating.
Financial institutions exposed to low to moderate technology risk that are rated "1" or "2" at current examinations will be assigned only a composite URSIT rating.
Financial institutions exposed to low to moderate technology risk with any component rated "3," "4" or "5" or a composite rating of "3," "4" or "5" at the current examination will be assigned a full URSIT rating.
Financial institutions exposed to a high level of technology risk will be assigned a full URSIT rating.
For further information about the FDIC's new IT examination procedures, please contact your FDIC Division of Supervision and Consumer Protection Regional Office. Please share this information with your Chief Information Officer.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).