INFORMATION TECHNOLOGY EXAMINATION PROCEDURES
Over the last several years, many financial institutions have moved away from traditional mainframe-oriented computer processing environments and increased their reliance on newer technologies, such as networks, the Internet and enterprise-wide processing. As a result, the Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures.
The FDIC will discontinue using terms such as "serviced," "turnkey" and "remote job entry" to describe an institution's level of technology risk for examination planning purposes. These terms no longer accurately reflect the true technology profile of an institution. Going forward, an institution's technology risk profile will be determined based on a review of core processing systems, internal networks, electronic banking products, connectivity to external networks, the location of sensitive information, and other technology components. This measurement of technology complexity will allow examiners to focus examination efforts on areas of high risk, while reducing resources at targeted, lower risk institutions.
The FDIC has developed two new work programs, which are attached: IT-MERIT (Maximum Efficiency, Risk-Focused, Institution Targeted) Procedures; and an IT General Work Program.
Examiners will continue to use existing Federal Financial Institutions Examination Council (FFIEC) Work Programs for all financial institutions with greater technology risk. Because nearly all financial institutions are exposed to some level of technology risk in today's business environment, a technology assessment rating will be assigned at all technology risk reviews. Currently, a technology assessment rating is not assigned to institutions described as "serviced." Institutions will receive a technology assessment rating in accordance with the following guidelines:
For further information about the FDIC's new IT examination procedures, please contact your FDIC Division of Supervision and Consumer Protection Regional Office. Please share this information with your Chief Information Officer.
Attachments:
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).