Information Technology Guidance

This page primarily contains guidance on information technology (IT) examination activities including aspects of operational risk management, which arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. The use of IT can have important implications for a financial institution's financial condition, risk profile, and operating performance and are typically incorporated into the safety-and-soundness and/or IT ratings assessment of each institution. This page provides guidance on the following areas related to IT:

  • Information Technology Examination Process, which are letters and guidance that assist examination staff in assessing an institution's risk management processes to identify, measure, monitor, and control IT-related risks.
  • Cybersecurity, which is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations.
  • Business Continuity/Disaster Recovery, which include measures to promote the continuous operation of financial markets and to ensure the continuity of operations in the event of a potential crisis.
  • Operational Resilience, which is ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies. It can be resilience towards acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters.

Policy Letters

Information Technology Examination Process

Off-site Review of Loan Files

Guidance on Managing Outsourcing Risk

End of Microsoft Support for Windows XP Operating System

Revised Guidance on Supervision of Technology Service Providers

Interagency Supplement to Authentication in an Internet Banking Environment

Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the Fair Credit Reporting Act

Revised Policy Governing Access to Confidential Supervisory Information

Questions and Answers Related to Interagency Guidance on Authentication in an Internet Banking Environment

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Interagency Guidance on Authentication in an Internet Banking Environment

FFIEC Guidance on the use of Free and Open Source Software

Standards for Safeguarding Customer Information

Identity Theft and Pretext Calling

Guidance on the Risk Management of Outsourced Technology Services

Information Technology Examination Frequency

Supervisory Ratings for State Member Banks, Bank Holding Companies and Foreign Banking Organizations, and Related Requirements for the National Examination Data System

Uniform Rating System for Information Technology

Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations


FFIEC Information Technology Examination Handbook

FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors

Business Continuity / Disaster Recovery

Interagency Supervisory Examiner Guidance for Institutions Affected by a Major Disaster

Temporary Exceptions to the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) Appraisal Requirements in Areas Affected by Severe Storms and Flooding Related to Hurricanes Harvey, Irma, and Maria

Expansion of the Federal Reserve's Emergency Communications System

Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency

FFIEC Guidance on Pandemic Planning

Influenza Pandemic Preparedness

Operational Resilience

Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing

Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006

Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

Supervisory Guidance on Required Absences from Sensitive Positions

Rules, Regulations, and Notices

U.S. Code Reference Law Description
15 U.S.C. 6801 et seq. Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), Title V, Subtitle A Disclosure of Nonpublic Personal Information
12 U.S.C. 1861 et seq. Bank Service Company Act as amended in 2010 Regulation and examination of bank service companies
12 U.S.C. 5466 Dodd-Frank Wall Street Reform and Consumer Protection Act, Title VIII, section 807(b) Examination of and enforcement actions against designated FMUs
Entity Code of Federal Regulation Reference Description
State member banks Regulation H, 12 CFR 208, Appendix D-1 Interagency Guidelines Establishing Standards for Safety and Soundness
Regulation H, 12 CFR 208, Appendix D-2 Interagency Guidelines Establishing Information Security Standards and
Interagency guidelines establishing standards for safeguarding consumer information
Regulation H, 12 CFR 208.61 Bank security procedures
U.S. branches and agencies of foreign banking organizations Regulation K, 12 CFR 211.24(i) Interagency Guidelines Establishing Information Security Standards
Edge Act and agreement corporations Regulation K, 12 CFR 211.5(l) Interagency Guidelines Establishing Information Security Standards
Bank holding companies Regulation Y, 12 CFR 225, Appendix F Interagency Guidelines Establishing Information Security Standards
Financial Market Utilities Regulation HH, 12 CFR 234.3 Standards for payment system
Regulation HH, 12 CFR 234.4 Changes to rules, procedures, or operations

Manual References

  • Bank Holding Company Supervision Manual
    • Section 2124.1, "Assessment of Information Technology in Risk-Focused Supervision"
  • Commercial Bank Examination Manual
    • Section 4060.1, "Information Technology"
  • FFIEC IT Handbooks
    • Audit
    • Business Continuity Planning
    • Development and Acquisition
    • E-Banking
    • Information Security
    • Management
    • Operations
    • Outsourcing Technology Services
    • Retail Payment Systems
    • Supervision of Technology Service Providers
    • Wholesale Payment Systems

Related Information

Back to Top
Last Update: November 20, 2019