Federal Deposit
Insurance Corporation

Financial Institution Letters

Risk Management of Free and Open Source Software
FFIEC Guidance
October 21, 2004

Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance to help institutions identify and implement appropriate risk-management practices when using "free and open source software" (FOSS).

  • FOSS refers to software that users are allowed to run, study, modify and redistribute without paying a licensing fee. Well-known examples are the Linux operating system, Apache Web server and MySQL database.
  • The use of FOSS is increasing in the mainstream information technology and financial services communities.
  • The federal regulatory agencies believe that using FOSS does not impose risks to institutions that are fundamentally different from risks presented by proprietary or self-developed software. However, acquiring and using FOSS necessitates that institutions implement unique risk-management practices.
  • This guidance supplements the FFIEC IT Examination Handbook's Development and Acquisition Booklet by addressing strategic, operational and legal risk considerations in acquiring and using FOSS.

FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Technology Officer
Chief Information Officer

Related Topics:
FFIEC IT Examination Handbook, Development and Acquisition Booklet

FFIEC Guidance: "Risk Management of Free and Open Source Software"

Jeffrey M. Kopchik, Senior Policy Analyst, jkopchik@fdic.gov or 202-898-3872.

Printable Format:
FIL-114-2004 – PDF

For your reference, FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/news/financial/2004/index.html.

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).

Last Updated 10/21/2004 communications@fdic.gov
