Federal Financial Institutions Examination Council
For Immediate Release: July 15, 2004
Guidance on Information Technology Management and Outsourcing Technology Services Released by Federal Financial Institution Regulators
The Federal Financial Institutions Examination Council (FFIEC) today issued revised guidance for examiners, financial institutions, and technology service providers on two topics: managing financial institutions' information technology (IT) activities and outsourcing technology services.
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.
These booklets represent the latest in a series of updates to the 1996 FFIEC Information Systems Examination Handbook (Handbook). The FFIEC has updated the Handbook to address significant changes in technology since 1996 and to incorporate a risk-based examination approach. The updates are being issued in separate booklets that eventually will replace all chapters of the Handbook and comprise the new FFIEC Information Technology Examination Handbook. Future booklets will cover Operations and Wholesale Payment Systems. With the release of the Outsourcing Technology Services Booklet, the FFIEC guidance Risk Management of Outsourced Technology Services, dated November 28, 2000, is rescinded.
The booklets are being distributed electronically and are available at www.ffiec.gov/guides.htm.
FRB Susan Stawick 202-452-3128
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The Council has five member agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.