CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
New Guidance for Examiners, Financial Institutions and Technology Service Providers on Electronic Banking, Information Technology (IT) Audits, and
the FedLine Electronic Funds Transfer Application
The Federal Financial Institutions Examination Council (FFIEC) has issued three booklets with guidance on: evaluating electronic banking activities; IT audits; and the FedLine electronic funds transfer application. The booklets are the fourth, fifth and sixth in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology ( IT) Examination Handbook.
On September 30, 2003, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners, financial institutions and technology service providers on electronic banking (e-banking), IT audits, and the FedLine electronic funds transfer application. The guidance is contained in three booklets - the fourth, fifth and sixth in a series of updates to the 1996 FFIEC Information Systems Examination Handbook.
The E-Banking Booklet provides guidance on risks and risk-management practices applicable to a financial institution's e-banking activities. E-banking has created new opportunities for delivering traditional products and services to customers, as well as the potential to offer new products and services. Along with these opportunities are new challenges, including 24-hour, seven-days-a-week availability; Internet connectivity; increased access to systems and customer information; greater reliance on new service providers; and evolving regulations. These challenges can potentially increase threats to the institution's reputation, confidentiality of information, system and data integrity, system availability and regulatory compliance. E-banking activities require careful planning, coordinated strategies between IT and business units, integrated subject-matter expertise, strong controls, and ongoing monitoring and testing. The booklet includes guidance and examination procedures to evaluate the quality of risk management related to these threats and activities in financial institutions and technology service providers.
The Audit Booklet provides guidance on the risk-based IT audit practices of financial institutions and technology service providers. This booklet builds on the agencies' existing audit guidance and emphasizes the responsibilities of all levels of management, including the board of directors, for establishing a sound audit program. The booklet incorporates changes to the audit process
brought about by new legislation enacted since 1996, including the Gramm-Leach-Bliley Act of 1999 and the Sarbanes-Oxley Act of 2002.
The FedLine Booklet provides guidance on the appropriate control considerations for financial institutions using the Federal Reserve's FedLine application. FedLine provides community financial institutions with access to the Federal Reserve's Fedwire services to receive and send payment messages. To protect their access to this payment system, institutions must ensure its security and availability. The booklet describes policies and procedures necessary to operate FedLine in a safe and sound manner, with detailed guidance on physical security, system configuration and system parameter settings.
The FFIEC is issuing updates in separate booklets that will ultimately replace all chapters of the 1996 handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook. Future booklets will address payment systems, outsourcing, IT management, computer operations, and systems development and acquisition. These updates will address significant changes in technology since 1996 and incorporate a risk-based examination approach.
The FFIEC agencies are distributing these booklets electronically to financial institutions and technology service providers via the Internet through the FFIEC's InfoBase application. The InfoBase includes each booklet in Adobe Acrobat PDF file format, as well as an online version with links to various resource materials and an orientation to the handbook update process.
The electronic versions of the E-Banking Booklet, the Audit Booklet, and the FedLine Booklet, along with the already issued Information Security Booklet, Business Continuity Planning Booklet and Supervision of Technology Service Providers Booklet, are available at http://www.fdic.gov/regulations/information/information/FFIEC.html.
For more information about information security and business continuity planning, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.
For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/news/financial/2003/index.html.
Michael J. Zamorski
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).