Board of Governors of the Federal Reserve System

Supervision and Regulation Letters

SR 15-3

FFIEC Information Technology Examination Handbook

February 6, 2015

BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C.  20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 15-3
February 6, 2015
TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK
SUBJECT:   FFIEC Information Technology Examination Handbook
Applicability to Community Banking Organizations:  This guidance applies to financial institutions supervised by the Federal Reserve, including those with $10 billion or less in total consolidated assets.

The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance for examiners, financial institutions,[1] and technology service providers (TSPs) to explain the components of an effective third-party management program that can identify, measure, monitor, and control the risks associated with outsourcing.  The guidance, which is included in the FFIEC Information Technology Examination Handbook, is an update to the "Business Continuity Planning Booklet," issued in March 2008.[2]

The addition of Appendix J, "Strengthening the Resilience of Outsourced Technology Services," to the Business Continuity Planning (BCP) Booklet highlights the importance of BCP at TSPs that perform or support critical operations for financial institutions.[3]  This appendix discusses four elements of BCP that financial institutions should address to promote the resilience of outsourced technology services.

  1. Third-party management addresses a financial institution's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
  2. Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer's ability to restore services to multiple clients.
  3. Testing with TSPs addresses the importance of validating business continuity plans with TSPs and provides considerations for a robust third-party testing program.
  4. Cyber resilience addresses aspects of BCP unique to disruptions caused by cyber events.

Electronic versions of the Business Continuity Planning Booklet, as well as the other FFIEC Information Technology Examination Handbook booklets, are available at http://ithandbook.ffiec.gov/it-booklets.aspx.

Reserve Banks are asked to distribute this SR letter to the Federal Reserve–supervised banking organizations in their Districts, as well as to their supervisory and examination staff.  Questions regarding the revised guidance should be addressed to:  Thomas Anderson, Senior Supervisory Financial Analyst, at (202) 973-5068, or Christopher Olson, Supervisory Financial Analyst, at (202) 912-4609.  In addition, questions may be sent via the Board's public website.[4]

signed by
Michael S. Gibson
Director
Division of Banking
Supervision and Regulation


Supersedes:
  • SR letter 10-3, "FFIEC Retail Payment Systems Booklet"
  • SR letter 08-3, "FFIEC Business Continuity Planning Booklet"
  • SR letter 06-12, "FFIEC Information Security Booklet"
  • SR letter 04-20, "FFIEC Information Technology Examination Handbook"
Cross References:
  • SR letter 13-19 / CA letter 13-21, "Guidance on Managing Outsourcing Risk"
 
Notes:
  1. For purposes of this guidance, "financial institutions" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.
  2. With the issuance of this letter, SR letter 08-3, "FFIEC Business Continuity Planning Booklet," which announced the March 2008 update to the Business Continuity Planning Booklet, is superseded.  To consolidate letters that reference FFIEC IT-related booklets, this letter also supersedes the following letters:  SR letter 10-3, "FFIEC Retail Payment Systems Booklet;" SR letter 06-12, "FFIEC Information Security Booklet;" and SR letter 04-20, "FFIEC Information Technology Examination Handbook," which announce the issuance of or revision to those booklets.  The information in those booklets is still relevant, and examiners can find the latest versions of those booklets on the FFIEC IT Examination Handbook InfoBase at: http://ithandbook.ffiec.gov/it-booklets.aspx.
  3. For additional guidance related to managing outsourcing risk, see SR letter 13-19 / CA letter 13-21, "Guidance on Managing Outsourcing Risk."
  4. http://www.federalreserve.gov/apps/contactus/feedback.aspx.
Last update: February 6, 2015