FDIC Header
Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Financial Institution Letters

June 30, 2016

Information Technology Risk Examination (InTREx) Program

Printable Format:

FIL-43-2016 - PDF (PDF Help)


The FDIC updated its information technology and operations risk (IT) examination procedures to provide a more efficient, risk-focused approach. This enhanced program also provides a cybersecurity preparedness assessment and discloses more detailed examination results using component ratings.

Statement of Applicability to Institutions with Total Assets Under $1 Billion: This Financial Institution Letter applies to all FDIC-supervised institutions.


Continuation of FIL-43-2016


Suggested Routing:

Related Topics:




FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at https://www.fdic.gov/news/news/financial/2016/.

To receive FILs electronically, please visit https://www.fdic.gov/about/subscriptions/fil.html.

Paper copies may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (877-275-3342 or 703-562-2200).

Financial Institution Letters
June 30, 2016

Information Technology Risk Examination (InTREx) Program

Enhanced Information Technology and Operations Risk Examination Procedures

On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) implemented the Information Technology Risk Examination (InTREx) Program for conducting information technology and operations risk (IT) examinations of FDIC-supervised financial institutions. The InTREx Program is designed to enhance identification, assessment, and validation of IT in financial institutions and ensure that identified risks are effectively addressed by FI management. FIL-81-2005, Information Technology Risk Management Program (IT-RMP), has been rescinded.

InTREx uses a work program based on the Uniform Rating System for Information Technology1 (URSIT) and includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings. The Core Modules incorporate procedures to assess compliance with Appendix B to Part 364 of the FDIC Rules and Regulations entitled Interagency Guidelines Establishing Information Security Standards2,3 as well as procedures to assess cybersecurity preparedness. The results of these assessments will be embedded in the Risk Management Report of Examination.

Other features of the InTREx program are:

For further information about the FDIC's revised IT examination procedures, please contact your FDIC Regional Office.

Doreen Eberley
Division of Risk Management Supervision

1 See FIL-12-1999 FFIEC Uniform Rating System for Information Technology (URSIT) - https://www.fdic.gov/news/news/financial/1999/fil9912.html

2 See Part 364 Appendix B - FDIC Rules and Regulations - https://www.fdic.gov/regulations/laws/rules/2000-8660.html#fdic2000appendixbtopart364

3 See FIL-22-2001 Security Standards For Customer Information - https://www.fdic.gov/news/news/financial/2001/fil0122.html

Skip Footer back to content