Federal Financial Institutions Examination Council
For Immediate Release: October 21, 2004
Federal Financial Institution Regulatory Agencies Issue Guidance on
The Federal Financial Institutions Examination Council (FFIEC) today published guidance for examiners, financial institutions, and technology service providers on the acquisition and use of free and open source software (FOSS). FOSS refers to software that users are allowed to run, study, modify, and redistribute without paying a licensing fee. Some of the best-known examples of FOSS are the Linux operating system, the Apache web server, and the MySQL database. The use of FOSS is increasing within the mainstream information technology and financial services industries.
The agencies are of the opinion that the use of FOSS does not pose risks that are fundamentally different from risks presented by proprietary or self-developed software. However, the acquisition and use of FOSS necessitates implementation of unique risk management practices.
This guidance supplements the FFIEC IT Examination Handbook's "Development and Acquisition Booklet" by addressing the strategic, operational, and legal risk considerations in acquiring and using FOSS.
Attachment: Risk Management of Free and Open Source Software
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The Council has five member agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, composed of five representatives of state agencies that supervise financial institutions.