FDIC Issues New Pre-Exam IT Questionnaire

New Questions Focus on Vendor Management, Payment Systems
To keep up with ever-changing technologies and security risks, the FDIC last week released an updated version of its Information Technology (IT) examination procedures for FDIC-supervised financial institutions. The procedures, better known as the IT Risk Management Program Examination Procedures (IT-RMP), were revised to provide more coverage of service areas that the FDIC sees as posing new or emerging risk management issues.

The revisions were developed over the past year, and the additional questions and sections were reviewed by FDIC examiners across the country, says Michael Jackson, Associate Director, Division of Supervision and Consumer Protection Technology Supervision Branch of the FDIC. [Read: FDIC's Updated ITRMP IT Officer's Questionnaire]

As part of the revision, the IT Officer's Questionnaire was enhanced to provide greater coverage of:

  • Vendor management and outsourcing topics;
  • Credit card and ACH (automated clearing house) payment system risks;
  • An institution's overall information security program.

“The updated FDIC ITRMP Questionnaire seeks to gain more insight into how banks are responding to known and new security threats,” says Aite Bank Regulations analyst Eva Weber. “Aside from minor organizational changes to the document, there are some changes that will be helpful to banks such as embedded references to FDIC guidance and regulations.”

New questions were added for payment system risks, including questions relating to the Originating Depository Financial Institution (ODFI), wire transfer, credit card merchant processing and remote deposit capture.

The IT Officer's Questionnaire is an essential element of the FDIC's information technology examinations of FDIC-supervised financial institutions. It must be completed and signed by an executive officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of a risk management examination.

Industry Forces Spurred Change
When the FDIC began work on the updated questionnaire, Jackson notes, examiners had identified several industry trends that the questionnaire could address, and questions were revised to cover these new issues.

“We try to give the examiners a voice in changes to the questionnaire,” Jackson says. “We saw need for scrutiny on remote deposit capture as an emerging technology -- we wanted banks to realize the risk involved when moving into remote deposit capture.”

A "Vendor Management and Service Provider Oversight" section was added to the questionnaire to reflect potential reliance on outside firms for technology-related products and services.

“We wanted to give banks some areas they need to consider when working with vendors, and that they should consider all their vendors in this questionnaire, regardless of whether they are long-established or new vendors,” Jackson says. “Especially related to what that vendor is doing for the bank, and assess risk accordingly -- what personal data they’re handling.”

One area where the FDIC wanted to increase focus was credit cards. According to Jackson the FDIC wants to improve procedures in that area. “We’re trying to get the merchants and acquiring banks in line,” he says. “Merchants are sponsored by banks, and in turn these banks need to look closely at the merchants’ controls to ensure they are where they should be.”

Did the TJX breach have any impact on the credit card merchant processing portion being added?

“It would be very difficult to say there is no connection,” Jackson says. “Whenever there is a breach, we need to have a response. We looked at what already exists out there in the credit card merchant processing, for acquiring and issuing banks, and the majority of it is voluntary compliance with such initiatives as PCI. A lot of the things that banks have to adhere to are related to the PCI requirements.”

New Resources Added
While the questionnaire still has the yes/no format, the response to each question allows banks to elaborate on points that need to be clarified. “This allows the examiner a better window into what the institution is doing, in more detail, so they may focus on areas that need improvement,” Jackson says.

The questionnaire also gives institutions a lot of leeway, he says, “Because we point them to other references and other guidance and to the regulations, and then they have to apply it appropriately to their organization. If there is a particular instance of something going on, say a breach notification, they go to the notification guidance to see if it applies, and then respond appropriately.”

The changes include embedding references to guidance and regulations within the questionnaire, a change based on examiners’ feedback. Jackson cautions that institutions should realize that these references are not comprehensive. “We’ve only included one or two references, and it is not all encompassing. It is more like a jumping off point.”

Jackson advises that banks begin reviewing the questionnaire now, find out what applies to them, and identify where they may need additional resources.

As part of the update, the summary section for Part 364, Appendix B, Interagency Guidelines Establishing Information Security Standards, was replaced with a reference document that maps applicable questionnaire items to the Guidelines. This reference document assists financial institution management in conducting self-assessments of information security programs. Evaluating compliance with the Guidelines is part of every IT examination.

The majority of FDIC-regulated banks have already had at least one examination under the old version of the ITRMP. For the pre-planning process, Jackson suggests that banks look at these new areas, along with speaking to their examiner, if they’re not clear on any sections.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
