Information Technology Guidance

Effective information technology (IT) risk management is critical to the safety and soundness of financial institutions and the stability of the financial system. Effective use of IT enables sophisticated product development, better market infrastructure, implementation of reliable techniques for control of risks, and access to new markets.

While IT has expanded financial institutions' growth and profitability opportunities—for example, through digital banking—risk and threats to digital banking platforms have also increased. As more financial institutions offer digital banking products, the number of threats also increases.

Cybersecurity is essential in protecting bank assets against these potential threats. Appropriate authentication and user access controls are vital to an information security program that presents a broad and layered security strategy.

Financial institutions have improved their IT posture in recent years, including through their response to the challenges posed by the COVID-19 event. Continued vigilance is needed to ensure that financial institutions are protected against threats, which could pose risks to the broader financial system.

Policy Letters

Information Technology Examination Process

Federal Financial Institutions Examination Council Issues Statement of Principles on Examination Information Requests

Authentication and Access to Financial Institution Services and Systems

Off-site Review of Loan Files

Guidance on Managing Outsourcing Risk

End of Microsoft Support for Windows XP Operating System

Revised Guidance on Supervision of Technology Service Providers

Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the Fair Credit Reporting Act

Questions and Answers Related to Interagency Guidance on Authentication in an Internet Banking Environment

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

FFIEC Guidance on the use of Free and Open Source Software

Standards for Safeguarding Customer Information

Identity Theft and Pretext Calling

Guidance on the Risk Management of Outsourced Technology Services

Information Technology Examination Frequency

Supervisory Ratings for State Member Banks, Bank Holding Companies and Foreign Banking Organizations, and Related Requirements for the National Examination Data System

Uniform Rating System for Information Technology

Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations

Cybersecurity

Authentication and Access to Financial Institution Services and Systems

FFIEC Architecture, Infrastructure, and Operations Examination Handbook

FFIEC Information Technology Examination Handbook

FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors

Business Continuity / Disaster Recovery

Contact Information in Relation to Computer-Security Incident Notification Requirements

Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions

Identification of Essential Critical Infrastructure Workers in the Financial Services Sector During the COVID-19 Response

Supervisory Practices Regarding Financial Institutions Affected by Coronavirus

Interagency Statement on Pandemic Planning

Interagency Supervisory Examiner Guidance for Institutions Affected by a Major Disaster

Temporary Exceptions to the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) Appraisal Requirements in Areas Affected by Severe Storms and Flooding Related to Hurricanes Harvey, Irma, and Maria

Expansion of the Federal Reserve's Emergency Communications System

Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency

Operational Resilience

Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing

Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006

Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

Supervisory Guidance on Required Absences from Sensitive Positions

Rules, Regulations, and Notices

Laws
U.S. Code Reference Law Description
15 U.S.C. 6801 et seq. Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), Title V, Subtitle A Disclosure of Nonpublic Personal Information
12 U.S.C. 1861 et seq. Bank Service Company Act as amended in 2010 Regulation and examination of bank service companies
12 U.S.C. 5466 Dodd-Frank Wall Street Reform and Consumer Protection Act, Title VIII, section 807(b) Examination of and enforcement actions against designated FMUs
Regulations
Entity Code of Federal Regulation Reference Description
State member banks Regulation H, 12 CFR 208, Appendix D-1 Interagency Guidelines Establishing Standards for Safety and Soundness
Regulation H, 12 CFR 208, Appendix D-2 Interagency Guidelines Establishing Information Security Standards and
Interagency guidelines establishing standards for safeguarding consumer information
Regulation H, 12 CFR 208.61 Bank security procedures
U.S. branches and agencies of foreign banking organizations Regulation K, 12 CFR 211.24(i) Interagency Guidelines Establishing Information Security Standards
Edge Act and agreement corporations Regulation K, 12 CFR 211.5(l) Interagency Guidelines Establishing Information Security Standards
Bank holding companies Regulation Y, 12 CFR 225, Appendix F Interagency Guidelines Establishing Information Security Standards
Financial Market Utilities Regulation HH, 12 CFR 234.3 Standards for payment system
Regulation HH, 12 CFR 234.4 Changes to rules, procedures, or operations

Manual References

  • Bank Holding Company Supervision Manual
    • Section 2124.1, "Assessment of Information Technology in Risk-Focused Supervision"
  • Commercial Bank Examination Manual
    • Section 4060.1, "Information Technology"
  • FFIEC IT Handbooks
    • Audit
    • Business Continuity Planning
    • Development and Acquisition
    • E-Banking
    • Information Security
    • Management
    • Operations
    • Outsourcing Technology Services
    • Retail Payment Systems
    • Supervision of Technology Service Providers
    • Wholesale Payment Systems

Related Information

Back to Top
Last Update: February 04, 2022