Information Technology Examination Guidance

The use of information technology (IT) can have important implications for a banking organization’s financial condition, risk profile, and operating performance and should be incorporated into the safety-and-soundness assessment of each organization. The framework for the Federal Reserve’s supervisory strategy with regard to IT is provided in SR 98-9, "Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations."

Much of the guidance on this page assists examiners in completing the Uniform Rating System for Information Technology (URSIT) ratings. The URSIT is an interagency examination rating system adopted by the Federal Financial Institutions Examination Council (FFIEC) agencies to evaluate the IT activities of financial institutions. The URSIT rating framework is based on a risk evaluation of four general areas: audit, management, development and acquisition, and support and delivery. These components are used to assess the overall IT functions within an organization and arrive at a composite URSIT rating.

Policy Letters

Information Technology Examination Guidance

FFIEC Information Technology Examination Handbook – Information Security Booklet

FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors

End of Microsoft Support for Windows XP Operating System

Revised Guidance on Supervision of Technology Service Providers

Interagency Supplement to Authentication in an Internet Banking Environment

Revised Training Program for Information Technology Examiners

Information Technology Examination Frequency

Supervisory Ratings for State Member Banks, Bank Holding Companies and Foreign Banking Organizations, and Related Requirements for the National Examination Data System

Uniform Rating System for Information Technology

Additional Resources

Manual References

Last Update: May 19, 2017