FDIC Issues New Pre-Exam IT Questionnaire
New Questions Focus on Vendor Management, Payment Systems
The revisions were developed over the past year, and the additional questions and sections were reviewed by FDIC examiners across the country, says Michael Jackson, Associate Director, Division of Supervision and Consumer Protection Technology Supervision Branch of the FDIC. [Read: FDIC's Updated ITRMP IT Officer's Questionnaire]
As part of the revision, the IT Officer's Questionnaire was enhanced to provide greater coverage of:
- Vendor management and outsourcing topics;
- Credit card and ACH (automated clearing house) payment system risks;
- An institution's overall information security program.
“The updated FDIC ITRMP Questionnaire seeks to gain more insight into how banks are responding to known and new security threats,” says Aite Bank Regulations analyst Eva Weber. “Aside from minor organizational changes to the document, there are some changes that will be helpful to banks such as embedded references to FDIC guidance and regulations.”
New questions were added for payment system risks, including questions relating to the Originating Depository Financial Institution (ODFI), wire transfer, credit card merchant processing and remote deposit capture.
The IT Officer's Questionnaire is an essential element of the FDIC's information technology examinations of FDIC-supervised financial institutions. It must be completed and signed by an executive officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of a risk management examination.
Industry Forces Spurred Change
When the FDIC began work on the updated questionnaire, Jackson notes, there were some industry trends that examiners saw could be addressed, and questions were revised to expand on these new issues.
“We try to give the examiners a voice in changes to the questionnaire,” Jackson says. “We saw a need for scrutiny on remote deposit capture as an emerging technology -- we wanted banks to realize the risk involved when moving into remote deposit capture.”
A "Vendor Management and Service Provider Oversight" section was added to the questionnaire to reflect potential reliance on outside firms for technology-related products and services.
“We wanted to give banks some areas they need to consider when working with vendors, and that they should consider all their vendors in this questionnaire, regardless of whether they are long-established or new vendors,” Jackson says. “Especially related to what that vendor is doing for the bank, and assess risk accordingly -- what personal data they’re handling.”
One area where the FDIC wanted to increase focus was credit cards. According to Jackson, the FDIC wants to improve procedures in that area. “We’re trying to get the merchants and acquiring banks in line,” he says. “Merchants are sponsored by banks, and in turn these banks need to look closely at the merchants’ controls to ensure they are where they should be.”
Did the TJX breach have any impact on the credit card merchant processing portion being added?
“It would be very difficult to say there is no connection,” Jackson says. “Whenever there is a breach, we need to have a response. We looked at what already exists out there in the credit card merchant processing, for acquiring and issuing banks, and the majority of it is voluntary compliance with such initiatives as PCI. A lot of the things that banks have to adhere to are related to the PCI requirements.”
New Resources Added
While the questionnaire still has the yes/no format, the response to each question allows banks to elaborate on points that need to be clarified. “This allows the examiner a better window into what the institution is doing, in more detail, so they may focus on areas that need improvement,” Jackson says.
The questionnaire also gives institutions a lot of leeway, he says, “because we point them to other references and other guidance and to the regulations, and then they have to apply it appropriately to their organization. If there is a particular instance of something going on, say a breach notification, they go to the notification guidance to see if it applies, and then respond appropriately.”
The changes include adding embedded references to the questionnaire. This change was based on examiners’ feedback. Jackson cautions that institutions should realize that this is not comprehensive. “We’ve only included one or two references, and it is not all encompassing. It is more like a jumping off point.”
Jackson advises banks to begin reviewing the questionnaire now, to find out what applies to them and where they may need additional resources.
As part of the update, the summary section for Part 364, Appendix B, Interagency Guidelines Establishing Information Security Standards, was replaced with a reference document that maps applicable questionnaire items to the Guidelines. This reference document assists financial institution management in conducting self-assessments of information security programs. Evaluating compliance with the Guidelines is part of every IT examination.
The majority of FDIC-regulated banks have already had at least one examination under the old version of the ITRMP. For the pre-planning process, Jackson suggests that banks look at these new areas, along with speaking to their examiner, if they’re not clear on any sections.