To All Depository Institutions and Others Concerned in the Second Federal Reserve District:
The Federal Financial Institutions Examination Council (FFIEC) has published guidance for examiners, financial institutions and technology service providers on the acquisition and use of free and open source software (FOSS). FOSS refers to software that users are allowed to run, modify and redistribute without paying a licensing fee. Some of the best-known examples of FOSS are the Linux operating system, the Apache web server, and the MySQL database. The use of FOSS is increasing within the mainstream information technology and financial services industries.
The agencies are of the opinion that the use of FOSS does not pose risks that are fundamentally different from those presented by proprietary or self-developed software. However, the acquisition and use of FOSS does require risk management practices specific to it.
The guidance supplements the FFIEC IT Examination Handbook, “Development and Acquisition Booklet,” by addressing the strategic, operational, and legal risk considerations in acquiring and using FOSS.
FFIEC Press release
Risk Management and Free and Open Source Software
Contact:
Jeanmarie Davis
Assistant Vice President
Operational Risk Department
jeanmarie.davis@ny.frb.org