Financial Institution Letters
FFIEC Information Technology Examination Handbook
July 29, 2004
CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
New Guidance for Examiners, Financial Institutions and Technology
Service Providers on Management and Outsourcing Technology Services
The Federal Financial Institutions Examination Council (FFIEC) has issued booklets with guidance on evaluating management and outsourcing technology services. The booklets are the ninth and tenth in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook.
On July 15, 2004, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners, financial institutions and technology service providers on two topics: managing financial institutions’ information technology (IT) activities and outsourcing technology services. The Management Booklet and the Outsourcing Technology Services Booklet are the ninth and tenth in a series of updates to the 1996 FFIEC Information Systems Examination Handbook.
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution’s data are processed in a secure environment and to maintain data integrity. Thus, ongoing monitoring of the outsourcing relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and operational stability is maintained. With the release of the Outsourcing Technology Services Booklet, the FFIEC guidance “Risk Management of Outsourced Technology Services,” dated November 28, 2000, is rescinded.
The FFIEC is issuing updates in separate booklets that will ultimately replace all chapters of the 1996 Handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook. Future booklets will address wholesale payment systems and computer operations. These updates will address significant changes in technology since 1996 and incorporate a risk-based examination approach.
The FFIEC agencies are distributing these booklets electronically to financial institutions and technology service providers via the Internet through the FFIEC's InfoBase application. The InfoBase includes each booklet in Adobe Acrobat PDF file format, as well as an online version with links to various resource materials and an orientation to the handbook update process.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC’s Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).