To All Depository Institutions and Others Concerned in the Second Federal Reserve District:
In a press release, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance on electronic banking (e-banking), information technology (IT) audit, and the FedLine® electronic funds transfer application. The guidance, contained in three booklets, is for examiners, financial institutions and technology providers.
The E-Banking Booklet addresses risks and risk management practices applicable to e-banking activities. The booklet contains guidance and examination procedures to evaluate the quality of risk management related to such activities in financial institutions and technology service providers.
The Audit Booklet provides guidance on risk-based IT audit practices of financial institutions and technology providers. It builds on the agencies' existing audit guidance and emphasizes the responsibilities of all levels of management, including the board of directors, for establishing a sound audit program. The booklet incorporates changes to the audit process brought about by new legislation enacted since 1996, including the Gramm-Leach-Bliley Act of 1999 and the Sarbanes-Oxley Act of 2002.
The FedLine® Booklet provides guidance on the appropriate control considerations for financial institutions using the Federal Reserve's FedLine® application. The booklet describes policies and procedures necessary to operate FedLine in a safe and sound manner with detailed guidance on physical security, system configuration, and system parameter settings.
The booklets represent the latest in a series of updates to the 1996 FFIEC Information Systems Examination Handbook (Handbook). The FFIEC is updating the Handbook to address significant changes in technology since 1996 and to incorporate a risk-based examination approach. The booklets are being distributed electronically and are available at www.ffiec.gov/guides.htm.
Questions on this matter may be directed at this Bank to Arthur G. Angulo, Assistant Vice President, Operational Risk Department.