OCC Bulletin 2015-9 | February 6, 2015
FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet
To
Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
Summary
The Federal Financial Institutions Examination Council (FFIEC) has released a new appendix, “Strengthening the Resilience of Outsourced Technology Services,” to the “Business Continuity Planning” booklet of the FFIEC Information Technology Examination Handbook. The new appendix ensures that the booklet aligns with regulatory guidance on third-party relationship risk management and incorporates emerging risks, such as cyber resilience risk concerns. “Business Continuity Planning” is one of the 11 booklets comprising the FFIEC IT Examination Handbook.
Note for Community Banks
This guidance applies to all national banks and federal savings associations (collectively, banks) with outsourced technology services. Community banks should adopt risk management practices commensurate with the level of risk and complexity of their outsourced services. A community bank’s board and management should identify those third-party relationships that involve critical technology services and ensure that the bank has risk management practices in place to assess, monitor, and manage the risks.
Highlights
Appendix J highlights and strengthens the “Business Continuity Planning” booklet in four specific areas:
- Third-party management
- Third-party capacity
- Testing with third-party technology service providers
- Cyber resilience
Financial institutions should partner with their technology service provider(s) as needed to strengthen the resilience of outsourced technology, as recommended in this guidance.
Background
On October 30, 2013, the Office of the Comptroller of the Currency issued OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.” Because many financial institutions depend on third-party providers to support critical banking operations, the FFIEC incorporated these principles, along with those from other regulatory guidance, to update the “Business Continuity Planning” booklet. The updated booklet more effectively addresses interdependencies of third-party services in a financial institution’s overall business resilience strategy.
As indicated in the attached FFIEC news release, the FFIEC IT Examination Handbook is available electronically at http://ithandbook.ffiec.gov.
For further information, contact Kevin Greenfield, Director, Bank Information Technology, at (202) 649-6340.
Bethany Dugan
Deputy Comptroller for Operational Risk