Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.
Financial Institution Letter

FFIEC Information Technology Examination Handbook





TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
SUBJECT: New Guidance for Examiners, Financial Institutions and Technology Service Providers on Management and Outsourcing Technology Services
Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued booklets with guidance on evaluating management and outsourcing technology services. The booklets are the ninth and tenth in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook.

On July 15, 2004, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners, financial institutions and technology service providers on two topics: managing financial institutions’ information technology (IT) activities and outsourcing technology services. The Management Booklet and the Outsourcing Technology Services Booklet are the ninth and tenth in a series of updates to the 1996 FFIEC Information Systems Examination Handbook .

The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution’s data are processed in a secure environment and to maintain data integrity. Thus, ongoing monitoring of the outsourcing relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and operational stability is maintained. With the release of the Outsourcing Technology Services Booklet , the FFIEC guidance “Risk Management of Outsourced Technology Services,” dated November 28, 2000, is rescinded.

The FFIEC is issuing updates in separate booklets that will ultimately replace all chapters of the 1996 Handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook . Future booklets will address wholesale payment systems and computer operations. These updates will address significant changes in technology since 1996 and incorporate a risk-based examination approach.

The FFIEC agencies are distributing these booklets electronically to financial institutions and technology service providers via the Internet through the FFIEC's InfoBase application. The InfoBase includes each booklet in Adobe Acrobat PDF file format, as well as an online version with links to various resource materials and an orientation to the handbook update process.

The electronic versions of the Management Booklet and the Outsourcing Technology Services Booklet are available at http://www.fdic.gov/regulations/information/information/FFIEC.html . For more information, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2004/index.html .

Michael J. Zamorski

Director

Division of Supervision and Consumer Protection

# # #

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC’s Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).



FIL-89-2004

Last Updated: July 29, 2004