skip to main navigation skip to secondary navigation skip to content
Board of Governors of the Federal Reserve System
skip to content
Board of Governors of the Federal Reserve System

Supervisory Policy and Guidance Topics

Information Technology Examination Guidance

The use of information technology (IT) can have important implications for a banking organizationís financial condition, risk profile, and operating performance and should be incorporated into the safety-and-soundness assessment of each organization. The framework for the Federal Reserveís supervisory strategy with regard to IT is provided in SR 98-9, "Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations."

Much of the guidance on this page assists examiners in completing the Uniform Rating System for Information Technology (URSIT) ratings. The URSIT is an interagency examination rating system adopted by the Federal Financial Institutions Examination Council (FFIEC) agencies to evaluate the IT activities of financial institutions. The URSIT rating framework is based on a risk evaluation of four general areas: audit, management, development and acquisition, and support and delivery. These components are used to assess the overall IT functions within an organization and arrive at a composite URSIT rating.

Sections on this page:  

Policy Letters

Information Technology Examination Guidance

SR 16-14
FFIEC Information Technology Examination Handbook – Information Security Booklet
SR 15-9
FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors
SR 13-16
End of Microsoft Support for Windows XP Operating System
SR 12-14
Revised Guidance on Supervision of Technology Service Providers
SR 11-9
Interagency Supplement to Authentication in an Internet Banking Environment
SR 05-22
Revised Training Program for Information Technology Examiners
SR 00-3 (SUP)
Information Technology Examination Frequency
SR 99-17 (SUP)
Supervisory Ratings for State Member Banks, Bank Holding Companies and Foreign Banking Organizations, and Related Requirements for the National Examination Data System
SR 99-8 (SUP)
Uniform Rating System for Information Technology

Additional Resources


Manual References

Last update: September 19, 2016