Circular
FFIEC Issues Guidance on Information Technology Management and Outsourcing Technology Services
July 20, 2004
Circular No. 11624

To All Depository Institutions and Others Concerned in the Second Federal Reserve District:

The Federal Financial Institutions Examination Council (FFIEC) has issued revised guidance for examiners, financial institutions, and technology services providers on two topics: managing financial institutions’ information technology (IT) activities and outsourcing technology services.

The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ information technology activities. Sound IT management is critical to the performance and success of a financial institution. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution’s data is processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.

These booklets represent the latest in a series of updates to the 1996 FFIEC Information Systems Examination Handbook (Handbook). The FFIEC has updated the Handbook to address significant changes in technology since 1996 and to incorporate a risk-based examination approach. The updates are being issued in separate booklets that eventually will replace all chapters of the Handbook and comprise the new FFIEC Information Technology Examination Handbook. Future booklets will cover Operations and Wholesale Payment Systems. With the release of the Outsourcing Technology Services Booklet, the FFIEC guidance Risk Management of Outsourced Technology Services, dated November 28, 2000, is rescinded.

The booklets are being distributed electronically and are available at the FFIEC website.

FFIEC press release OFFSITE
FFIEC Information Systems Examination Handbook OFFSITE

Contact:
Lisa Joniaux
Team Leader, Information Technology
Operations Risk Department
lisa.joniaux@ny.frb.org

By continuing to use our site, you agree to our Terms of Use and Privacy Statement. You can learn more about how we use cookies by reviewing our Privacy Statement.   Close