Information Technology Guidance

Operational resilience has always been important to the safety and soundness of financial firms and the stability of the financial system. The ability of a bank to recover from an operational disruption—such as a cybersecurity incident or a natural disaster—has become even more important with the growing trend toward technology-led business transformation.

Banks have made progress in enhancing operational resilience in recent years including through their response to the challenges posed by the COVID-19 pandemic. In addition, the Federal Reserve is encouraged by recognition of the shared interest between supervisors and the industry in strengthening operational resilience, and the actions firms have taken to date. However, more work remains to be done to ensure that banks are resilient to potential operational disruptions from all hazards, including severe but plausible cybersecurity incidents, which could pose risks to the wider financial system.

The Federal Reserve recognizes the global and interconnected nature of banks and the importance of supervisory coordination, and is committed to working closely with the European Central Bank and the UK Prudential Regulatory Authority to ensure that supervisory approaches on operational resilience are well coordinated.

Related Guidance

In recent years, financial institutions have experienced significant challenges from a wide range of disruptive events, including technology-based failures, cyber incidents, pandemic outbreaks, and natural disasters. While advances in technology have improved firms' ability to identify and recover from various types of disruptions, increasingly sophisticated cyber threats and growing reliance on third parties continue to expose firms to a range of operational risks. These operational risks underscore the importance for firms of all sizes to strengthen their operational resilience.

Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.

While potential hazards may not be prevented, a flexible operational resilience approach can enhance the ability of firms to prepare, adapt, withstand, and recover from disruptions and to continue operations.

Policy Letters

Information Technology Examination Process

Off-site Review of Loan Files

Guidance on Managing Outsourcing Risk

End of Microsoft Support for Windows XP Operating System

Revised Guidance on Supervision of Technology Service Providers

Interagency Supplement to Authentication in an Internet Banking Environment

Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the Fair Credit Reporting Act

Questions and Answers Related to Interagency Guidance on Authentication in an Internet Banking Environment

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Interagency Guidance on Authentication in an Internet Banking Environment

FFIEC Guidance on the use of Free and Open Source Software

Standards for Safeguarding Customer Information

Identity Theft and Pretext Calling

Guidance on the Risk Management of Outsourced Technology Services

Information Technology Examination Frequency

Supervisory Ratings for State Member Banks, Bank Holding Companies and Foreign Banking Organizations, and Related Requirements for the National Examination Data System

Uniform Rating System for Information Technology

Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations

Cybersecurity

FFIEC Information Technology Examination Handbook

FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors

Business Continuity / Disaster Recovery

Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions

Small Business Administration (SBA) and Treasury Small Business Loan Programs

Identification of Essential Critical Infrastructure Workers in the Financial Services Sector During the COVID-19 Response

Supervisory Practices Regarding Financial Institutions Affected by Coronavirus

Interagency Statement on Pandemic Planning

Interagency Supervisory Examiner Guidance for Institutions Affected by a Major Disaster

Temporary Exceptions to the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) Appraisal Requirements in Areas Affected by Severe Storms and Flooding Related to Hurricanes Harvey, Irma, and Maria

Expansion of the Federal Reserve's Emergency Communications System

Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency

Operational Resilience

Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing

Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006

Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

Supervisory Guidance on Required Absences from Sensitive Positions

Rules, Regulations, and Notices

Laws
U.S. Code Reference Law Description
15 U.S.C. 6801 et seq. Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), Title V, Subtitle A Disclosure of Nonpublic Personal Information
12 U.S.C. 1861 et seq. Bank Service Company Act as amended in 2010 Regulation and examination of bank service companies
12 U.S.C. 5466 Dodd-Frank Wall Street Reform and Consumer Protection Act, Title VIII, section 807(b) Examination of and enforcement actions against designated FMUs
Regulations
Entity Code of Federal Regulation Reference Description
State member banks Regulation H, 12 CFR 208, Appendix D-1 Interagency Guidelines Establishing Standards for Safety and Soundness
Regulation H, 12 CFR 208, Appendix D-2 Interagency Guidelines Establishing Information Security Standards and
Interagency guidelines establishing standards for safeguarding consumer information
Regulation H, 12 CFR 208.61 Bank security procedures
U.S. branches and agencies of foreign banking organizations Regulation K, 12 CFR 211.24(i) Interagency Guidelines Establishing Information Security Standards
Edge Act and agreement corporations Regulation K, 12 CFR 211.5(l) Interagency Guidelines Establishing Information Security Standards
Bank holding companies Regulation Y, 12 CFR 225, Appendix F Interagency Guidelines Establishing Information Security Standards
Financial Market Utilities Regulation HH, 12 CFR 234.3 Standards for payment system
Regulation HH, 12 CFR 234.4 Changes to rules, procedures, or operations

Manual References

  • Bank Holding Company Supervision Manual
    • Section 2124.1, "Assessment of Information Technology in Risk-Focused Supervision"
  • Commercial Bank Examination Manual
    • Section 4060.1, "Information Technology"
  • FFIEC IT Handbooks
    • Audit
    • Business Continuity Planning
    • Development and Acquisition
    • E-Banking
    • Information Security
    • Management
    • Operations
    • Outsourcing Technology Services
    • Retail Payment Systems
    • Supervision of Technology Service Providers
    • Wholesale Payment Systems

Related Information

Back to Top
Last Update: May 14, 2021