FFIEC Information Technology Examination Handbook

Guidance

Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance in three booklets on electronic banking (e-banking), information technology (IT) audit, and the FedLine electronic funds transfer application. These booklets are the most recent in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook. The work programs contained in the booklets represent expanded procedures that examiners can use if appropriate for the risk and complexity of the bank’s operations.

The Audit Booklet rescinds chapter 8, and the FedLine Booklet rescinds chapter 19 of the 1996 FFIEC IS Examination Handbook.

The E-Banking Booklet replaces the OCC Internet Banking Handbook and OCC Bulletin 98-38, “Technology Risk Management: PC Banking.” This booklet reflects the OCC’s views on the risks specific to e-banking and provides bankers and examiners with guidance on those risks and the risk management issues associated with the delivery of e-banking products and services.

Banks face unique risks based on the choices they make when implementing and enhancing their e-banking services. Decisions on network Internet connectivity, outsourcing various system components, and the specific products and services affect the level of risk and the complexity of risk management. Senior management and boards of directors must understand these risks before investing in and expanding their e-banking activities. They need to integrate the e-banking-related controls into their existing strategic plan, information security program, vendor management process, and business continuity plans. Banks must have appropriate controls, testing, and expertise for all internally managed e-banking system components.
In addition, banks with outsourced e-banking processes should carefully select and monitor service providers to ensure that appropriate controls exist. The bank can outsource the process or service, but remains responsible for the adequacy of the controls to ensure confidentiality, integrity, and availability.