FFIEC Information Technology Examination Handbook
SUPERVISION AND REGULATION
SUBJECT: FFIEC Information Technology Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance for examiners, financial institutions,[1] and technology service providers (TSPs) to explain the components of an effective third-party management program that can identify, measure, monitor, and control the risks associated with outsourcing. The guidance, which is included in the FFIEC Information Technology Examination Handbook, is an update to the "Business Continuity Planning Booklet," issued in March 2008.[2]
The addition of Appendix J, "Strengthening the Resilience of Outsourced Technology Services," to the Business Continuity Planning (BCP) Booklet highlights the importance of BCP at TSPs that perform or support critical operations for financial institutions.[3] This appendix discusses four elements of BCP that financial institutions should address to promote the resilience of outsourced technology services.
- Third-party management addresses a financial institution's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
- Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer's ability to restore services to multiple clients.
- Testing with TSPs addresses the importance of validating business continuity plans with TSPs and provides considerations for a robust third-party testing program.
- Cyber resilience addresses aspects of BCP unique to disruptions caused by cyber events.
Electronic versions of the Business Continuity Planning Booklet, as well as the other FFIEC Information Technology Examination Handbook booklets, are available at http://ithandbook.ffiec.gov/it-booklets.aspx.
Reserve Banks are asked to distribute this SR letter to the Federal Reserve–supervised banking organizations in their Districts, as well as to their supervisory and examination staff. Questions regarding the revised guidance should be addressed to: Thomas Anderson, Senior Supervisory Financial Analyst, at (202) 973-5068, or Christopher Olson, Supervisory Financial Analyst, at (202) 912-4609. In addition, questions may be sent via the Board's public website.[4]
Michael S. Gibson
Division of Banking
Supervision and Regulation
Notes:

1. For purposes of this guidance, "financial institutions" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.
2. With the issuance of this letter, SR letter 08-3, "FFIEC Business Continuity Planning Booklet," which announced the March 2008 update to the Business Continuity Planning Booklet, is superseded. To consolidate letters that reference FFIEC IT-related booklets, this letter also supersedes the following letters: SR letter 10-3, "FFIEC Retail Payment Systems Booklet;" SR letter 06-12, "FFIEC Information Security Booklet;" and SR letter 04-20, "FFIEC Information Technology Examination Handbook," which announced the issuance of or revisions to those booklets. The information in those booklets is still relevant, and examiners can find the latest versions of those booklets on the FFIEC IT Examination Handbook InfoBase at: http://ithandbook.ffiec.gov/it-booklets.aspx.
3. For additional guidance related to managing outsourcing risk, see SR letter 13-19 / CA letter 13-21, "Guidance on Managing Outsourcing Risk."
4. http://www.federalreserve.gov/apps/contactus/feedback.aspx