Supervisory Policy and Guidance Topics
Information Technology Guidance
Effective information technology (IT) risk management is critical to the safety and soundness of financial institutions and the stability of the financial system. Effective use of IT enables sophisticated product development, better market infrastructure, implementation of reliable techniques for control of risks, and access to new markets.
While IT has expanded financial institutions' growth and profitability opportunities—for example, through digital banking—risk and threats to digital banking platforms have also increased. As more financial institutions offer digital banking products, the number of threats also increases.
Cybersecurity is essential in protecting bank assets against these potential threats. Appropriate authentication and user access controls are vital to an information security program that presents a broad and layered security strategy.
Financial institutions have improved their IT posture in recent years, including through their response to the challenges posed by the COVID-19 event. Continued vigilance is needed to ensure that financial institutions are protected against threats, which could pose risks to the broader financial system.
Policy Letters
Information Technology Examination ProcessFederal Financial Institutions Examination Council Issues Statement of Principles on Examination Information Requests
Authentication and Access to Financial Institution Services and Systems
Off-site Review of Loan Files
Revised Guidance on Supervision of Technology Service Providers
Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the Fair Credit Reporting Act
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
FFIEC Guidance on the use of Free and Open Source Software
Standards for Safeguarding Customer Information
Identity Theft and Pretext Calling
Information Technology Examination Frequency
Supervisory Ratings for State Member Banks, Bank Holding Companies and Foreign Banking Organizations, and Related Requirements for the National Examination Data System
Uniform Rating System for Information Technology
Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations
Authentication and Access to Financial Institution Services and Systems
FFIEC Architecture, Infrastructure, and Operations Examination Handbook
FFIEC Information Technology Examination Handbook
FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors
Contact Information in Relation to Computer-Security Incident Notification Requirements
Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions
Identification of Essential Critical Infrastructure Workers in the Financial Services Sector During the COVID-19 Response
Supervisory Practices Regarding Financial Institutions Affected by Coronavirus
Interagency Statement on Pandemic Planning
Interagency Supervisory Examiner Guidance for Institutions Affected by a Major Disaster
Expansion of the Federal Reserve's Emergency Communications System
Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency
Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing
Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006
Amended Interagency Guidance on the Internal Audit Function and its Outsourcing
Supervisory Guidance on Required Absences from Sensitive Positions
Rules, Regulations, and Notices
Laws
| U.S. Code Reference | Law | Description |
|---|---|---|
| 15 U.S.C. 6801 et seq. | Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), Title V, Subtitle A | Disclosure of Nonpublic Personal Information |
| 12 U.S.C. 1861 et seq. | Bank Service Company Act as amended in 2010 | Regulation and examination of bank service companies |
| 12 U.S.C. 5466 | Dodd-Frank Wall Street Reform and Consumer Protection Act, Title VIII, section 807(b) | Examination of and enforcement actions against designated FMUs |
Regulations
| Entity | Code of Federal Regulation Reference | Description |
|---|---|---|
| State member banks | Regulation H, 12 CFR 208, Appendix D-1 | Interagency Guidelines Establishing Standards for Safety and Soundness |
| Regulation H, 12 CFR 208, Appendix D-2 | Interagency Guidelines Establishing Information Security Standards and Interagency guidelines establishing standards for safeguarding consumer information |
|
| Regulation H, 12 CFR 208.61 | Bank security procedures | |
| U.S. branches and agencies of foreign banking organizations | Regulation K, 12 CFR 211.24(i) | Interagency Guidelines Establishing Information Security Standards |
| Edge Act and agreement corporations | Regulation K, 12 CFR 211.5(l) | Interagency Guidelines Establishing Information Security Standards |
| Bank holding companies | Regulation Y, 12 CFR 225, Appendix F | Interagency Guidelines Establishing Information Security Standards |
| Financial Market Utilities | Regulation HH, 12 CFR 234.3 | Standards for payment system |
| Regulation HH, 12 CFR 234.4 | Changes to rules, procedures, or operations |
Manual References
- Bank Holding Company Supervision Manual
- Section 2124.1, "Assessment of Information Technology in Risk-Focused Supervision"
- Commercial Bank Examination Manual
- Section 5300.1, "Information Technology"
- FFIEC IT Handbooks
- Audit
- Business Continuity Planning
- Development and Acquisition
- E-Banking
- Information Security
- Management
- Operations
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
Related Information
- Board of Governors of the Federal Reserve System
- FDIC Financial Institution Letters (FILs)
- OCC Electronic Banking Guidance
- FFIEC Cybersecurity Awareness
- National Institute of Standards and Technology (NIST)
- Bank for International Settlements – Principles for Financial Market Infrastructures (CPMI-IOSCO PFMI)
- New York Department of Financial Services – Cybersecurity Regulation (23 NYCRR Part 500)