Federal Financial Institutions Examination Council
|For Immediate Release||August 26, 2004|
Guidance on Operations and Wholesale Payment Systems
The Federal Financial Institutions Examination Council (FFIEC) today issued revised guidance for examiners, financial institutions, and technology service providers on two topics: information technology (IT) operations and wholesale payment systems.
The Operations Booklet provides guidance on the risks and risk management practices applicable to financial institutions' technology operations. Effective support and delivery from IT operations are vital to a financial institution's performance and success. The evolving role that technology plays in supporting the business function has become increasingly complex. IT operations have become more dynamic and include distributed environments, integrated applications, telecommunications options, Internet connectivity, and an array of computer platforms. The booklet discusses tactical and strategic support and delivery risks and the controls that should be in place to address them. The booklet also includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.
The Wholesale Payment Systems Booklet provides guidance on the risks and risk management practices applicable to financial institutions' wholesale payment systems activities, including interbank and intrabank payment, messaging, and securities settlement systems. Financial institutions play an important role in wholesale payments systems. However, they face increasing challenges to meet demands for resiliency and reliability, while continuing to develop and deploy innovative payment solutions to meet expanding global payment processing demands. These challenges pose increased risk to financial institutions and require greater diligence to ensure that confidentiality of information, system and data integrity, system availability, and regulatory compliance are maintained. Wholesale payment system activities require careful planning and coordination between IT and business units, and their operation must include strong internal controls and ongoing monitoring. The Wholesale Payment Systems Booklet includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.
These booklets represent the last in the present series of updates to the 1996 FFIEC Information Systems Examination Handbook (1996 Handbook). The updates address significant changes in technology since 1996 and incorporate a risk-based examination approach. The updates have been issued in separate booklets, replacing all chapters of the 1996 Handbook, and now comprise the new FFIEC Information Technology Examination Handbook.
With the release of these last two booklets, the 1996 Handbook is now completely retired. Chapters 1 through 23 of the 1996 Handbook were rescinded with the issuance of various booklets. Chapter 24 and 26 through 30 contained laws and guidance related to the topic of IT issued by various FFIEC agencies. Please refer to the resources section of the FFIEC IT Examination Handbook booklets or the individual agencies' websites for this information.
With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded. These are: SP-2, Uniform Interagency Rating System for Data Processing Operations, October 1978; SP-3, Joint Interagency Issuance on End-User Computing Risks, January 1988; SP-4, Supervisory Policy On Large Scale Integrated Financial Software Systems (LSIS), November 1988; SP-5, Interagency Policy On Contingency Planning For Financial Institutions, July 1989; SP-6, Interagency Statement on EDP Service Contracts, January 1990; SP-7, Interagency Policy on Strategic Information Systems Planning for Financial Institutions, March 1990; SP-8, Interagency Document on EDP Risks in Mergers & Acquisitions, September 1991; SP-9, Interagency Supervisory Statement on EFT Switches and Network Services, April 1993; and, SP-10, Control And Security Risks in Electronic Imaging Systems, December 1993. The two remaining SPs, SP-1, Interagency EDP Examination, Scheduling, and Distribution Policy, September 1991 Revised, and SP-11, Enhanced Supervision Program (ESP) for Multidistrict Data Processing Servicers (MDPS), January 1995, can be found under Resources in the Supervision of Technology Service Providers Booklet in the FFIEC IT Examination Handbook.
The booklets are being distributed electronically and are available at www.ffiec.gov/guides.htm.
FRB Susan Stawick 202-452-3128
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The Council has five member agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.