TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)

SUBJECT: New Guidance for Examiners, Financial Institutions and Technology Service Providers on Electronic Banking, Information Technology (IT) Audits, and the FedLine Electronic Funds Transfer Application

Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued three booklets with guidance on: evaluating electronic banking activities; IT audits; and the FedLine electronic funds transfer application. The booklets are the fourth, fifth and sixth in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook.

On September 30, 2003, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners, financial institutions and technology service providers on electronic banking (e-banking), IT audits, and the FedLine electronic funds transfer application. The guidance is contained in three booklets - the fourth, fifth and sixth in a series of updates to the 1996 FFIEC Information Systems Examination Handbook.

The E-Banking Booklet provides guidance on risks and risk-management practices applicable to a financial institution's e-banking activities. E-banking has created new opportunities for delivering traditional products and services to customers, as well as the potential to offer new products and services. Along with these opportunities are new challenges, including 24-hour, seven-days-a-week availability; Internet connectivity; increased access to systems and customer information; greater reliance on new service providers; and evolving regulations. These challenges can potentially increase threats to the institution's reputation, confidentiality of information, system and data integrity, system availability and regulatory compliance. E-banking activities require careful planning, coordinated strategies between IT and business units, integrated subject-matter expertise, strong controls, and ongoing monitoring and testing. The booklet includes guidance and examination procedures to evaluate the quality of risk management related to these threats and activities in financial institutions and technology service providers.

The Audit Booklet provides guidance on the risk-based IT audit practices of financial institutions and technology service providers. This booklet builds on the agencies' existing audit guidance and emphasizes the responsibilities of all levels of management, including the board of directors, for establishing a sound audit program. The booklet incorporates changes to the audit process brought about by new legislation enacted since 1996, including the Gramm-Leach-Bliley Act of 1999 and the Sarbanes-Oxley Act of 2002.

The FedLine Booklet provides guidance on the appropriate control considerations for financial institutions using the Federal Reserve's FedLine application. FedLine provides community financial institutions with access to the Federal Reserve's Fedwire services to receive and send payment messages. To protect their access to this payment system, institutions must ensure its security and availability. The booklet describes policies and procedures necessary to operate FedLine in a safe and sound manner, with detailed guidance on physical security, system configuration and system parameter settings.

The FFIEC is issuing updates in separate booklets that will ultimately replace all chapters of the 1996 handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook. Future booklets will address payment systems, outsourcing, IT management, computer operations, and systems development and acquisition. These updates will address significant changes in technology since 1996 and incorporate a risk-based examination approach.

The FFIEC agencies are distributing these booklets electronically to financial institutions and technology service providers via the Internet through the FFIEC's InfoBase application. The InfoBase includes each booklet in Adobe Acrobat PDF file format, as well as an online version with links to various resource materials and an orientation to the handbook update process.

The electronic versions of the E-Banking Booklet, the Audit Booklet, and the FedLine Booklet, along with the already issued Information Security Booklet, Business Continuity Planning Booklet and Supervision of Technology Service Providers Booklet, are available at http://www.fdic.gov/regulations/information/information/FFIEC.html.

For more information about information security and business continuity planning, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2003/index.html.

Michael J. Zamorski
Director

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).