OCC Bulletin 2015-9| February 6, 2015

FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet

To

Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Federal Financial Institutions Examination Council (FFIEC) has released a new appendix, “Strengthening the Resilience of Outsourced Technology Services,” to the “Business Continuity Planning” booklet of the FFIEC Information Technology Examination Handbook. The new appendix ensures that the booklet aligns with regulatory guidance on third-party relationship risk management and incorporates emerging risks, such as cyber resilience risk concerns. “Business Continuity Planning” is one of the 11 booklets comprising the FFIEC IT Examination Handbook.

Note for Community Banks

This guidance applies to all national banks and federal savings associations (collectively, banks) with outsourced technology services. Community banks should adopt risk management practices commensurate with the level of risk and complexity of their outsourced services. A community bank’s board and management should identify those third-party relationships that involve critical technology services and ensure that the bank has risk management practices in place to assess, monitor, and manage the risks.

Highlights

Appendix J highlights and strengthens the “Business Continuity Planning” booklet in four specific areas:

  • Third-party management
  • Third-party capacity
  • Testing with third-party technology service providers
  • Cyber resilience

Financial institutions should partner with their technology service provider(s) as needed to strengthen the resilience of outsourced technology as recommended through this guidance.

Background

On October 30, 2013, the Office of the Comptroller of the Currency issued OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.” Because many financial institutions depend on third-party providers to support critical banking operations, the FFIEC incorporated these principles, along with those from other regulatory guidance, to update the “Business Continuity Planning” booklet. The updated booklet more effectively addresses interdependencies of third-party services in a financial institution’s overall business resilience strategy.

As indicated in the attached FFIEC news release, the FFIEC IT Examination Handbook is available electronically at http://ithandbook.ffiec.gov.

For further information, contact Kevin Greenfield, Director, Bank Information Technology, at (202) 649-6340.

 

Bethany Dugan
Deputy Comptroller for Operational Risk

Related Link

  • “Appendix J: Strengthening the Resilience of Outsourced Technology Services” of the “Business Continuity Planning” booklet (PDF)