OCC BULLETIN 2003-41
Subject: FFIEC Information Technology Examination Handbook
Date: October 2, 2003
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel
Description: E-Banking, Audit, and FedLine Booklets
The guidance attached to this bulletin continues to apply to federal savings associations.
The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance in three booklets on electronic banking (e-banking), information technology (IT) audit, and the FedLine electronic funds transfer application. These booklets are the most recent in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook. The work programs contained in the booklets represent expanded procedures that examiners can use if appropriate for the risk and complexity of the bank's operations.
The Audit Booklet rescinds chapter 8, and the FedLine Booklet rescinds chapter 19 of the 1996 FFIEC IS Examination Handbook. The E-Banking Booklet replaces the OCC Internet Banking Handbook and OCC Bulletin 98-38, "Technology Risk Management: PC Banking."
The E-Banking Booklet reflects the OCC's views on the risks specific to e-banking and provides bankers and examiners with guidance on those risks and the risk management issues associated with the delivery of e-banking products and services.
Banks face unique risks based on the choices they make when implementing and enhancing their e-banking services. Decisions on network Internet connectivity, outsourcing various system components, and the specific products and services affect the level of risk and the complexity of risk management. Senior management and boards of directors must understand these risks before investing in and expanding their e-banking activities. They need to integrate the e-banking-related controls into their existing strategic plan, information security program, vendor management process, and business continuity plans. Banks must have appropriate controls, testing, and expertise for all internally managed e-banking system components. In addition, banks with outsourced e-banking processes should carefully select and monitor service providers to ensure that appropriate controls exist. The bank can outsource the process or service, but remains responsible for the adequacy of the controls to ensure confidentiality, integrity, and availability.
Senior management and the board should look beyond the IT planning and control issues and involve all affected stakeholders in their e-banking activities including auditors, compliance management, and the various lines of business.
The Audit Booklet provides bankers and examiners with guidance on maintaining an effective risk-based IT audit program. Technology and related operational controls are essential to safe and sound banking. Banks must have appropriate audit programs that incorporate IT coverage based on the nature and complexity of their operations. The IT audit program should be consistent with the overall audit program described in the Comptroller of the Currency's (OCC) Internal and External Audit Handbook. IT audit programs should define the appropriate scope, expertise, independence, and frequency of coverage to address areas such as payment systems, Internet connectivity, networks, software applications, access controls, and systems development. The audit program should also incorporate the oversight of critical service providers through third-party audit reports and direct audit coverage when third-party coverage is insufficient.
The FedLine Booklet provides bankers and examiners with guidance on security and control expectations for the Federal Reserve Banks' FedLine application.1 FedLine provides community banks with access to wire transfer services. The ability to transfer funds makes FedLine one of the highest risk applications in most community banks. If not adequately controlled, a person could generate unauthorized wire transfers of sufficient size or volume to jeopardize the safety and soundness of the bank. National banks have the ability to set automated and procedural controls that support segregation of duties, dual control, large item reviews, audit trails, and operator accountability. Senior management should implement the recommended controls and system settings or justify instances where they decide not to implement the recommendations to the board.
The attached FFIEC press release describes the handbook update process and provides the following link [www.ffiec.gov/guides.htm] to electronic versions of all three booklets. To accommodate banks with limited access to the Internet, the OCC will also include these booklets in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any bank that is not able to download the booklets may order printed copies. Please send your request to the Office of the Comptroller of the Currency, 400 7th Street, SW, Washington, DC 20219.
Other questions regarding these booklets should be directed to your OCC supervisory office or the Bank Technology Division at (202) 649-6340.
Ralph E. Sharpe