Technology Regulations and Publications for Financial Institutions

Technology Publications

The documents referenced below are grouped by topic. Within each topic, they are listed in reverse chronological order (latest first). Documents may be listed under more than one topic heading. The hyperlink shows the format of the document, e.g. HTML, TEXT. Files marked PDF are Portable Document Format files. Adobe Acrobat, a reader available for free on the Internet, is required to display or print PDF files. This site's PDF file sizes range from 8Kb to 474Kb, with an average of about 20 to 30Kb. You may also request a printed copy of the document.

Topics:
  • Anti-Terrorism
  • Customer Information Safeguards
  • Electronic Banking (on-line delivery of financial services)
  • Electronic Disclosures
  • Electronic Funds Transfer
  • Equal Credit Opportunity
  • Examination Procedures
  • Fair Credit Reporting
  • Identity Theft
  • Information Security
  • Information Sharing
  • Internet Security
  • Money Laundering
  • Nondeposit Investment Products
  • Pretext Calling
  • Privacy
  • Risk Management
  • Suspicious Activity Reports
  • Third-Party Relationships
  • Truth in Lending
  • Truth in Savings


Anti-Terrorism

Bank Secrecy Act/Anti-Money Laundering Examination Infobase (www.ffiec.gov)
FFIEC 7/28/2005
The Federal Financial Institutions Examination Council (FFIEC) today announced the release of its Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination InfoBase (InfoBase), an automated tool for examiners and industry that provides information on the FFIEC BSA/AML Examination Manual (Manual) released on June 30, 2005. This tool will assist examiners and industry to more easily navigate and facilitate use of the Manual. The InfoBase features the entire Manual, including background materials, examination procedures, and appendices, as well as frequently asked questions and links to other resources that may be helpful in understanding BSA/AML requirements and examination expectations.

Bank Secrecy Act/Anti-Money Laundering Examination Manual (www.ffiec.gov)
FFIEC 6/23/2005
The FFIEC BSA/AML Examination Manual was developed by the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) (collectively referred to as the federal banking agencies) in collaboration with the Financial Crimes Enforcement Network (FinCEN), the delegated administrator of the BSA. In addition, through the Conference of State Bank Supervisors, the state banking agencies played a consultative role. The Office of Foreign Assets Control (OFAC) collaborated on the development of core overview and examination procedures addressing compliance with regulations enforced by OFAC.

The FFIEC BSA/AML Examination Manual emphasizes a banking organization's responsibility to establish and implement risk-based policies, procedures, and processes to comply with the BSA and safeguard its operations from money laundering and terrorist financing. The BSA/AML examination procedures will guide examiners through an evaluation of a banking organization's BSA/AML compliance program regardless of its size or business lines. The majority of the FFIEC BSA/AML Examination Manual provides narrative guidance and resource materials rather than specific examination procedures. This includes an overview of the BSA requirements and the federal banking agencies' supervisory expectations in this area.

Computer Software Due Diligence Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance
Federal Deposit Insurance Corporation 11/16/2004
The FDIC is issuing guidance to financial institutions on performing proper due diligence when selecting computer software or a service provider. This due diligence includes making sure that the software or service provider is compliant with applicable laws, including the Bank Secrecy Act, which includes the USA PATRIOT Act.

Bank Secrecy Act Examination Procedures for Customer Identification Programs
Interagency 7/28/2004
The federal financial institutions regulatory agencies today issued Bank Secrecy Act (B.S.A.) procedures for examining each domestic and foreign banking organization’s customer identification program (CIP) which is required by section 326 of the USA PATRIOT Act (codified in the B.S.A. at 31 U.S.C. 5318(l)). The procedures are designed to help financial institutions fully implement the new CIP requirements and facilitate a consistent supervisory approach among the federal financial institutions regulatory agencies.

FinCEN 314(a) Distribution List to be Compiled from Contact Information on the Call Report (www.occ.gov)
Office of the Comptroller of the Currency 3/4/2004
Pursuant to section 314(a) of the USA PATRIOT Act, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) developed and implemented an electronic system for law enforcement to request information about suspected terrorists and money launderers from financial institutions. The purpose of this alert is to inform national banks and federal branches of the date that the conversion to the automated Call Report distribution list will occur beginning on March 16, 2004.

Interim Sponsorship Policy for Government Emergency Telecommunications Service (GETS) Cards
Federal Deposit Insurance Corporation 8/6/2002
Private sector financial institutions may request GETS Cards by submitting an application to their primary federal regulator. Institutions should limit GETS Cards requests to key personnel with crisis management responsibilities or other senior management personnel responsible for carrying out communications during times of emergency. The primary federal regulator will recommend federal sponsorship of institutions that it considers critical to the performance of national security or emergency preparedness functions necessary to maintain the national economic posture during a national or regional emergency.

Section 312 of the U.S. Patriot's Act - Due Diligence for Correspondent and Private Banking Accounts - PDF (www.ffiec.gov) 114k (PDF Help)
Federal Reserve Board 7/23/2002
FRB SR-02-18 offering guidance under Treasury Interim Final Rule

Information Sharing Pursuant to Section 314(b) of the USA Patriot Act - PDF (www.ffiec.gov) 114k (PDF Help)
Federal Reserve Board 3/14/2002
This SR letter describes a Treasury Regulation concerning the sharing of information about terrorist financing and money laundering among financial institutions.

Anti-Money Laundering Measures
Federal Deposit Insurance Corporation 12/28/2001
Provides the Department of the Treasury Interim Guidance on how to comply with the requirements of sections 313 and 319(b) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 (Pub. L. No. 107-56 (10-26-01)). Issued as FIL 110-2001 (12/28/01).

USA PATRIOT Act Anti-Money-Laundering Provisions - Word (www.occ.gov) 53k (Word Help)
Office of the Comptroller of the Currency 12/19/2001
Provides a discussion on key provisions of the USA PATRIOT Act. The Act establishes a variety of new and enhanced ways of combating international terrorism. The provisions that affect national banks (and other financial institutions) most directly are contained in Title III, which primarily amends the Bank Secrecy Act (BSA) to provide the Secretary of the Treasury and other Federal departments and agencies with enhanced authority to identify, deter, and punish international money laundering. Issued as AL 2001-12 (12/19/01).

Infrastructure Threats from Cyber-Terrorists (www.occ.gov)
Office of the Comptroller of the Currency 3/5/1999
Identifies threats and vulnerabilities created by cyber-terrorism to the financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Customer Information Safeguards

Frequently Asked Questions on Guidance Entitled Authentication in an Internet Banking Environment - PDF (www.ffiec.gov) (PDF Help)
FFIEC August 15, 2006
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005.

The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Guidance for Financial Institutions on the Use of Foreign-Based Third-Party Service Providers
Federal Deposit Insurance Corporation June 21, 2006
The FDIC has prepared the attached guidance to address the risks inherent in outsourcing relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance provides steps that institutions should take to successfully manage such risks.

Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide
Joint Agency Release December 14, 2005
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Authentication in an Internet Banking Environment (www.ffiec.gov)
Federal Financial Institutions Examination Council (FFIEC) 10/12/2005
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice - PDF (www.occ.gov) 550k (PDF Help)
Interagency 3/23/2005
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies’ customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information.

Electronic Record Keeping (www.occ.gov)
Office of the Comptroller of the Currency 6/21/2004
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks- PDF 245k (PDF Help)
Federal Deposit Insurance Corporation 6/16/2004
This study presents the FDIC's findings with regard to the risks associated with offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective, with particular emphasis on the threats posed to customer privacy.

Bank Use of Foreign-Based Third-Party Service Providers - PDF (www.ffiec.gov) 159k (PDF Help)
Office of the Comptroller of the Currency 5/15/2002
This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information
Federal Deposit Insurance Corporation 8/4/2001
Assists examiners in assessing the level of compliance with the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999. Provides the purpose of the exam procedures and guidance in performing the exam procedures. Issued as 501(b) Exam Procedures (8/24/01).

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information - PDF (www.occ.gov) 131k (PDF Help)
Office of the Comptroller of the Currency 7/18/2001
Provides risk-based procedures that allow examiners to tailor the exam scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution. Typically, OCC examiners will use these procedures in the OCC’s largest banks, which have complex IT environments, significant information security concerns, or where less experienced examiners need more detailed guidance. Issued as Examination Procedures (7/18/01).

Guidelines for Safeguarding Customer Information - PDF (www.ffiec.gov) 651k (PDF Help)
Joint Agency Release 5/31/2001
The Guidelines implement Section 501 of the Gramm-Leach-Bliley Act, requiring federal banking agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information.

Privacy Regulation Compliance - PDF (www.occ.gov) 247k (PDF Help)
Office of the Comptroller of the Currency 5/29/2001
OCC Staff Responses to Questions from February 13-14, 2001, Telephone Seminar on Privacy Regulation Compliance. Responses to Questions on Privacy Rule Compliance (5/29/01).

Privacy of Consumer Financial Information
Joint Agency Release 5/17/2001
Examination procedures to review supervised financial institutions for compliance with the agencies' final privacy regulation (issued at 65 FR 35162 (6/1/00)) by FDIC, FRB, OCC, and OTS. The procedures summarize the basic requirements of the regulation; identify examination objectives; establish procedures for examining for compliance with the regulation; and provide an examination checklist for use in verifying compliance. Examination Procedures for Privacy Rule (5/17/01).

Guidance on Identity Theft and Pretext Calling
Federal Deposit Insurance Corporation 5/9/2001
Addresses how banks should protect customer information against identity theft. Also included is guidance on completing Suspicious Activity Reports to report offenses associated with identity theft and pretext calling, i.e., posing as a customer or someone authorized to have customer information in order to obtain confidential customer data. Guidance on Identity Theft and Pretext Calling (5/9/01).

Joint Interpretive Letter Concerning Sharing of Account Numbers for Use in Marketing - PDF (www.occ.gov) 100k (PDF Help)
Joint Agency Release 5/4/2001
Interagency response to a letter asking the Federal banking agencies to allow financial institutions to disclose unencrypted account numbers to a third party. (Certain information has been removed from the response to protect the privacy of the correspondent.)

Standards for Safeguarding Customer Information - PDF (www.ffiec.gov) 651k (PDF Help)
Joint Agency Release 5/1/2001
The federal banking agencies jointly issued guidelines establishing standards for safeguarding customer information (Guidelines), which will become effective July 1, 2001. The Guidelines implement section 501 of the Gramm-Leach-Bliley Act, which requires the agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information. The Guidelines were issued by the Federal Reserve as appendices to Regulations H and Y, and apply to customer information maintained by state member banks, bank holding companies, Edge and agreement corporations, and uninsured state-licensed branches and agencies of foreign banks.

Identity Theft and Pretext Calling - Word (www.occ.gov) 69k (Word Help)
Office of the Comptroller of the Currency 4/30/2001
Informs national banks about two areas of consumer bank fraud, identity theft and pretext calling, and advises them about measures to prevent and detect these types of fraud. Also supplements the interagency guidelines establishing standards to safeguard customer information by focusing on the protection of customer information specifically against identity theft and pretext calling. Issued as AL 2001-4.

Identity Theft and Pretext Calling (www.federalreserve.gov)
Federal Reserve Board 4/26/2001
Addresses how state member banks and other banking organizations supervised by the FRB that provide products or services to the public or that maintain customer account information should protect customer information against identity theft. Also provides guidance on completing Suspicious Activity Reports that report offenses associated with identity theft and pretext calling. Issued as SR 01-11

Privacy Rule Handbook
Federal Deposit Insurance Corporation 1/25/2001
Explains basic requirements of 12 CFR Part 332 (the privacy rule described above); provides suggestions for implementing the rule to meet the July 1 deadline; suggests activities to monitor and maintain compliance; and describes in detail key terminology in the rule. (See 65 FR 35162 (6/1/00).) Privacy Rule Handbook (1/22/01).

Privacy Preparedness - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See also Privacy Preparedness Questionnaire.)

Privacy Preparedness Questionnaire - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See also Privacy Preparedness Questionnaire.)

Privacy Preparedness Check-up - PDF (www.ots.treas.gov) (PDF Help)
Office of Thrift Supervision 9/18/2000
Questions to assist examiners in determining efforts of institutional management to achieve compliance with 12 CFR 573. Privacy Preparedness Check-Up (9/18/00).

Privacy Laws and Regulations - PDF (www.occ.gov) 76k (PDF Help)
Office of the Comptroller of the Currency 9/8/2000
Summarizes federal laws and regulations relating to disclosure of consumer financial information to help national banks and subsidiaries understand their statutory obligations. (See 65 FR 35162 (6/1/00).) Privacy Laws and Regulations (9/8/00).

Financial Institution Web Site Privacy Survey
Federal Deposit Insurance Corporation 12/27/1999
Summarizes the Interagency Financial Institution Web Site Privacy Survey Report and encourages financial institutions to establish and follow a privacy policy that addresses fair information practice principles. Issued as FIL-113-99 (12/27/99).

Financial Institution Web Site Privacy Survey Report - PDF (www.ots.treas.gov) 231k (PDF Help)
Joint Agency Release 11/9/1999
Results of an interagency survey of financial institution web sites to determine the extent to which financial institution web sites post privacy policies and information practice statements. Report (11/9/99).

Electronic Commerce and Consumer Privacy
Federal Deposit Insurance Corporation 7/17/1999
Encourages financial institutions to be aware of consumer online privacy issues, and take voluntary, specific actions to address them. Online Privacy of Consumer Personal Information (8/17/98).

OCC Guidance to National Banks on Web Site Privacy Statements (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Provides national banks with examples of effective practices for informing consumers who access bank Internet sites about bank privacy policies for the collection and use of personal information. Issued as AL 99-06 (5/4/99).

Privacy and Accuracy of Personal Customer Information - PDF (www.ots.treas.gov) 691k (PDF Help)
Office of Thrift Supervision 11/3/1998
Recommends that savings associations notify customers of how they will use certain customer information. Issued as CEO Memo 97 (11/3/98).

Pretext Phone Calling
Joint Agency Release 9/2/1998
Alerts financial institutions to the practice of pretext phone calling, which is a means of gaining access to customers' confidential account information by organizations and individuals who call themselves account information brokers. (Jointly prepared by FDIC, OCC, OTS, FRB, FBI, Secret Service, IRS, and Postal Inspection Service.) Issued as FIL-98-98 (9/2/98). Also issued by OCC as NR 98-86 (8/20/98) and by OTS as CEO Memo 97 (11/3/98).

Draft Community Bank Supervision booklet - PDF (www.occ.gov) 180k (PDF Help)
Office of the Comptroller of the Currency
For community banks, the OCC has incorporated less detailed procedures in the Community Bank Supervision booklet of the Comptroller’s Handbook. Attached is an advanced copy of the IT section that focuses on the adequacy of a bank’s risk management processes and controls to promote integrity, availability and confidentiality of automated information systems.

E-Banking Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls.

Electronic Banking (on-line delivery of financial services)

Authentication in an Internet Banking Environment - PDF (www.ffiec.gov) 163k (PDF Help)
Federal Financial Institutions Examination Council (FFIEC) 10/12/2005
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

NACHA Rule Changes (www.occ.gov)
Office of the Comptroller of the Currency 12/20/2004
The purpose of this OCC bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

Report to Congress on the Disclosure of Point-of-Sale Debit Fees - PDF (www.federalreserve.gov) (PDF Help)
Federal Reserve Board 11/18/2004
Reports on the disclosure of fees that a depository institution may impose when a customer chooses to secure a point-of-sale debit transaction by providing a personal identification number. Discusses the prevalence of PIN fees; the degree of compliance by depository institutions with current disclosure requirements; the adequacy of existing disclosures and the likely benefits and costs of new requirements for disclosure statements; and the feasibility of real-time disclosure.

Interagency Regulation CC Examination Procedures - PDF (www.occ.gov) (PDF Help)
Office of the Comptroller of the Currency 10/6/2004
The Board of Governors of the Federal Reserve System recently amended 12 CFR 229, Availability of Funds and Collection of Checks (Regulation CC), which implements the Check Clearing for the 21st Century Act (Check 21). Model form C-5A in Appendix C was effective on August 4, 2004, and paragraph (4) of Appendix D will become effective on January 1, 2006. All other changes are effective on October 28, 2004. The Federal Financial Institutions Examination Council's Task Force on Consumer Compliance approved updated interagency Regulation CC examination procedures for consumer compliance issues on October 6, 2004. The OCC plans to incorporate these procedures in an update to the Comptroller's handbook series. Until the revised handbook is issued, examiners should use the attached procedures.

The Power of Plastic: how banks are using technology to reach the unbanked by John D. Hawke, Jr., Comptroller of the Currency (www.occ.gov)
Office of the Comptroller of the Currency 10/2004
Community Developments Newsletter. The newsletter describes strategies to provide retail financial services to underserved communities and the approximately 10 million households in the U.S. that do not have access to banking services. It also contains success stories illustrating how banks are being innovative in developing and providing the technology and financial literacy needed to reach this market.

Remittances: A Gateway to Banking for Unbanked Immigrants - PDF (www.occ.gov) (PDF Help)
Office of the Comptroller of the Currency 9/15/2004
This edition of Community Developments Insights addresses the role of banks in providing money transfer services and describes how banks can use these products to attract unbanked immigrants into the banking system. It also addresses some of the key risks and regulatory issues presented by bank involvement in these products. This publication also addresses a number of legal, compliance, and operational considerations that financial institutions should be aware of when offering remittance products. These include money laundering, customer identification, and third-party provider risk.

Electronic Record Keeping (www.occ.gov)
Office of the Comptroller of the Currency 6/21/2004
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.

Check Clearing For The 21st Century Act
Federal Deposit Insurance Corporation 5/21/2004
The FDIC is notifying FDIC-supervised institutions that they should begin planning for operational changes needed to implement the Check Clearing for the 21st Century Act. The Act facilitates check truncation and electronic check exchange by authorizing a new negotiable instrument called a "substitute check."

Payroll Cards: An Innovative Product for Reaching the Unbanked and Underbanked - PDF (www.occ.gov) 298k (PDF Help)
Office of the Comptroller of the Currency 10/1/2003
Background information on the growth of payroll cards and their potential for use by national banks to attract the nearly 10 million unbanked households into the financial mainstream.

Retail Payment Systems (www.ffiec.gov)
Federal Financial Institutions Examination Council 3/31/2004
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services.
This booklet replaces chapters 20, "Retail EFT (ATM and POS)" and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

Network Security Vulnerabilities - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 4/24/2001
Alerts banks to potential threats in electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software. These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. Issued as Alert 2001-4 (4-24-01).

Internet-Initiated ACH Debits/ACH Risks - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/29/2001
Alerts banks to specific Automated Clearing House (ACH) risks and emphasizes the importance of sound ACH risk management practices. Banks that transmit certain Internet-initiated ACH debits will be deemed to warrant that their customers who originate the entries use security measures that meet minimum standards of the National Automated Clearing House Association. Issued as AL 2001-3 (1/29/01).

Comptroller’s Corporate Manual on The Internet and The National Bank Charter - PDF (www.occ.gov) 222k (PDF Help)
Office of the Comptroller of the Currency 1/1/2001
This booklet provides guidance on these processes and the special issues and considerations presented by proposals for these types of banks. The Internet and The National Bank Charter

Tips for Safe Banking Over the Internet
Federal Deposit Insurance Corporation 9/21/2000
Tips for Safe Banking Over the Internet - An FDIC Brochure for Bank Customers. This brochure offers information and tips to help bank customers who are thinking about or already using online banking systems. It describes how to:
  • Confirm that an online bank is legitimate and that your deposits are insured
  • Keep your personal information private and secure
  • Understand your rights as a consumer
  • Learn where to go for more assistance from banking regulators

OCC Examination Handbook on Internet Banking - PDF (www.occ.gov) 226k (PDF Help)
Office of the Comptroller of the Currency 10/14/1999
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Transactional Web Sites - PDF (www.ots.treas.gov) (PDF Help)
Office of Thrift Supervision 6/10/1999
Restates requirement under 12 CFR Part 555 (described above) for savings associations to file a 30-day written notice with OTS before establishing a transactional web site and offers guidance for developing a transactional web site. Issued as CEO Memo 109 (6/10/99).

Interagency Statement on Branch Names
Joint Agency Release 5/1/1998
Guidance urging insured depository institutions that intend to use a different name for a branch or other facility to take reasonable steps to ensure that customers do not become confused and believe that the facilities are separate institutions or that deposits in the different facilities are separately insured. The practice of insured depository institutions using different trade names over the Internet raises the same concerns. Accordingly, institutions intending to use different trade names over a computer network should take reasonable steps to ensure that customers will not be confused about either the identity of the insured depository institution or the extent of FDIC insurance coverage.

E-Banking Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls.

Technology Risk Controls - PDF (www.ffiec.gov) 104k (PDF Help)
Office of Thrift Supervision
Guidance for insuring the integrity of data input, to protect against corruption of the data or the programming, and to test the accuracy of the output.

Electronic Disclosures

Report to Congress on the Disclosure of Point-of-Sale Debit Fees - PDF (www.federalreserve.gov) (PDF Help)
Federal Reserve Board
11/18/2004
Reports on the disclosure of fees that a depository institution may impose when a customer chooses to secure a point-of-sale debit transaction by providing a personal identification number. Discusses the prevalence of PIN fees; the degree of compliance by depository institutions with current disclosure requirements; the adequacy of existing disclosures and the likely benefits and costs of new requirements for disclosure statements; and the feasibility of real-time disclosure.

Electronic Consumer Disclosures and Notices (www.occ.gov)
Office of the Comptroller of the Currency 10/1/2004
Increasingly, national banks are replacing their paper-based consumer notices or disclosures with electronic disclosures. However, the failure to provide such electronic disclosures in a proper manner can expose the bank to significant compliance, transaction, and reputation risk. This advisory provides some background, and highlights issues that should be considered by national banks that provide electronic consumer disclosures.

Electronic Record Keeping (www.occ.gov)
Office of the Comptroller of the Currency 6/21/2004
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.

Check Clearing For The 21st Century Act
Federal Deposit Insurance Corporation 5/21/2004
The FDIC is notifying FDIC-supervised institutions that they should begin planning for operational changes needed to implement the Check Clearing for the 21st Century Act. The Act facilitates check truncation and electronic check exchange by authorizing a new negotiable instrument called a "substitute check."

Payroll Cards: An Innovative Product for Reaching the Unbanked and Underbanked - PDF (www.occ.gov) 298k (PDF Help)
Office of the Comptroller of the Currency 10/1/2003
Background information on the growth of payroll cards and their potential for use by national banks to attract the nearly 10 million unbanked households into the financial mainstream.

Electronic Signatures in Global and National Commerce Act (E-Sign Act)
Federal Deposit Insurance Corporation 9/30/2000
Notice of enactment of the E-Sign Act and requirement to obtain consumer consent before issuing electronic disclosures to consumers. Issued as FIL-72-2000 (11/2/00).

Electronic Funds Transfer

Report to Congress on the Disclosure of Point-of-Sale Debit Fees - PDF (www.federalreserve.gov) (PDF Help)
Federal Reserve Board
11/18/2004
Reports on the disclosure of fees that a depository institution may impose when a customer chooses to secure a point-of-sale debit transaction by providing a personal identification number. Discusses the prevalence of PIN fees; the degree of compliance by depository institutions with current disclosure requirements; the adequacy of existing disclosures and the likely benefits and costs of new requirements for disclosure statements; and the feasibility of real-time disclosure.

Funds Transfer through Fedwire - PDF (www.ffiec.gov) 60k (PDF Help)
Federal Reserve Board 1/2/2002
Operating Circular relating to transfer of Funds via Fedwire

Electronic Financial Services and Consumer Compliance - PDF (www.ffiec.gov) 64k (PDF Help)
Joint Agency Release 7/16/1998
FFIEC guidance on the application of federal consumer protection laws and regulations to electronic financial services. Guidance (7/16/98).

Electronic Funds Transfers (EFT99) - PDF (www.ots.treas.gov) 183k (PDF Help)
Office of Thrift Supervision 6/10/1998
Notification of the Debt Collection Improvement Act of 1996 (also referred to as "EFT99") which requires most federal payments be made by electronic funds transfer. Attaches letter from Treasury Department discussing its implementation process for EFT99. Issued as CEO Memo 84 (6/10/98).

FedLine Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
The FedLine booklet addresses the risks, risk management practices, and mitigating controls necessary to establish and maintain an appropriate operating environment for the FedLine Funds Transfer (FT) application.

Equal Credit Opportunity

Electronic Financial Services and Consumer Compliance - PDF (www.ffiec.gov) 64k (PDF Help)
Joint Agency Release 7/16/1998
FFIEC guidance on the application of federal consumer protection laws and regulations to electronic financial services. Guidance (7/16/98).

Examination Procedures

Bank Secrecy Act/Anti-Money Laundering Examination Manual - PDF (www.ffiec.gov) (PDF Help)
FFIEC 7/27/2006
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual’s 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (www.occ.gov)
CAN-SPAM Examination Worksheet (www.occ.gov)
Federal Financial Institutions Examination Council 3/30/2006
The Federal Trade Commission (FTC) issued regulations for implementing CAN-SPAM that became effective March 28, 2005. The FTC has also issued regulations that contain criteria pertaining to warning labels on sexually oriented materials, which became effective as of May 19, 2004. The Federal Financial Institutions Examination Council's Task Force on Consumer Compliance approved interagency consumer compliance examination procedures for both of these regulations. The OCC has posted its examination procedures.

Telephone Consumer Protection Act and Junk Fax Prevention Act (www.occ.gov)
Telephone Consumer Protection Act and Junk Fax Prevention Worksheet (www.occ.gov)
Federal Financial Institutions Examination Council 3/30/2006
The Federal Communications Commission (FCC) has issued regulations implementing the modifications to the Telephone Consumer Protection Act of 1991 (TCPA). The impact of the FCC regulations is to prohibit commercial telemarketers, without an existing business relationship, from calling any phone number on the Do-Not-Call registry without being subject to financial penalties. The regulations also modify the FCC's unsolicited facsimile advertising requirements, which in turn were modified by the Junk Fax Prevention Act of 2005. The FCC regulation expanded coverage of the Do-Not-Call registry by including banks, insurance companies, credit unions, and savings associations. The corresponding FTC regulations do not apply to financial institutions but do apply to third-party telemarketers who call on behalf of a financial institution. The OCC has posted its examination procedures.

Instructions for Completing the Information Technology Examination Officer's Questionnaire
Federal Deposit Insurance Corporation August 18, 2005
The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions. The FDIC's new risk-focused IT examination procedures focus on the financial institution’s information security program and risk-management practices for securing information assets. The IT Examination Officer's Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination. The new examination procedures apply to all FDIC-supervised financial institutions, regardless of size, technical complexity or prior examination rating. IT examination findings and a single IT "composite" rating will be included in the consolidated Risk Management Report of Examination.

FFIEC Information Technology Examination Handbook New Guidance for Examiners, Financial Institutions and Technology Service Providers on Operations and Wholesale Payment Systems
Federal Financial Institutions Examination Council 11/10/2004
The outdated 1996 FFIEC Information Systems Examination Handbook has been officially retired. Chapters 1 through 23 of the 1996 Handbook were rescinded with the issuance of various booklets. Chapters 24 and 26 through 30 contained laws and guidance related to the topic of IT issued by various FFIEC agencies. Please refer to the resources section of the FFIEC Information Technology Examination Handbook booklets or the individual agencies' Web sites for this information.

With the issuance of the new FFIEC Information Technology Examination Handbook, several Supervisory Policies (SP) found in Chapter 25 of the 1996 Handbook have been rescinded. These are:

SP-2, Uniform Interagency Rating System for Data Processing Operations, October 1978;
SP-3, Joint Interagency Issuance on End-User Computing Risks, January 1988;
SP-4, Supervisory Policy on Large Scale Integrated Financial Software Systems (LSIS), November 1988;
SP-5, Interagency Policy on Contingency Planning for Financial Institutions, July 1989;
SP-6, Interagency Statement on EDP Service Contracts, January 1990;
SP-7, Interagency Policy on Strategic Information Systems Planning for Financial Institutions, March 1990;
SP-8, Interagency Document on EDP Risks in Mergers & Acquisitions, September 1991;
SP-9, Interagency Supervisory Statement on EFT Switches and Network Services, April 1993; and
SP-10, Control and Security Risks in Electronic Imaging Systems, December 1993.

The two remaining SPs - SP-1, Interagency EDP Examination, Scheduling, and Distribution Policy, September 1991 Revised, and SP-11, Enhanced Supervision Program (ESP) for Multidistrict Data Processing Servicers (MDPS), January 1995 - can be found under Resources in the Supervision of Technology Service Providers Booklet in the FFIEC Information Technology Examination Handbook.

Bank Secrecy Act Examination Procedures for Customer Identification Programs
Interagency 7/28/2004
The federal financial institutions regulatory agencies today issued Bank Secrecy Act (B.S.A.) procedures for examining each domestic and foreign banking organization’s customer identification program (CIP) which is required by section 326 of the USA PATRIOT Act (codified in the B.S.A. at 31 U.S.C. 5318(l)). The procedures are designed to help financial institutions fully implement the new CIP requirements and facilitate a consistent supervisory approach among the federal financial institutions regulatory agencies.

Retail Payment Systems (www.ffiec.gov)
Federal Financial Institutions Examination Council 3/31/2004
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services.
This booklet replaces chapters 20, "Retail EFT (ATM and POS)" and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

The Call Report Modernization Initiative Web Site (www.ffiec.gov)
Federal Financial Institutions Examination Council 2/12/2004
The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) are three of the Federal Financial Institutions Examination Council (FFIEC) Agencies. Under the guidance of the FFIEC Reports Task Force, these three agencies (Call Report Agencies) formed a steering committee to collectively manage the development and operation of the Central Data Repository (CDR). The CDR is a centralized resource for users and providers of the financial institution data. It is expected to facilitate a more-efficient regulatory reporting process by enhancing the methods used to collect, validate, process, and distribute Call Report data.

Statement of Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations - PDF (www.ffiec.gov) 310k (PDF Help)
Joint Agency Release 5/1/2003
Guidance on the effect of Sarbanes-Oxley on small, non-public banking institutions.

Internal and External Audits - PDF (www.ffiec.gov) 501k (PDF Help)
Office of the Comptroller of the Currency 4/1/2003
This booklet discusses the OCC's expectations for effective audit functions and will help examiners and bankers assess the quality and effectiveness of internal and external programs appropriate for a bank's size, complexity of activities, scope of operations and risk profile.

Information Technology Examination Procedures
Federal Deposit Insurance Corporation 10/9/2002
The Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures.

External Audits - PDF (www.ffiec.gov) 103k (PDF Help)
Office of Thrift Supervision 7/1/2002
Guidance on the external audits of thrifts and savings associations

Interagency Policy Statement on the Internal Audit Function and its Outsourcing - PDF (www.ffiec.gov) 431k (PDF Help)
Joint Agency Release 5/17/2002
The policy statement sets forth key characteristics of the auditing function, discusses the outsourcing of audit functions and the effect of Sarbanes-Oxley on financial institutions.

Internal Audits - PDF (www.ffiec.gov) 59k (PDF Help)
Office of Thrift Supervision 2/1/2002
Guidance on the internal audits of thrifts and savings associations

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information
Federal Deposit Insurance Corporation 8/4/2001
Assists examiners in assessing the level of compliance with the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999. Provides the purpose of the exam procedures and guidance in performing the exam procedures. Issued as 501(b) Exam Procedures (8/24/01).

Privacy Regulation Compliance - PDF (www.occ.gov) 247k (PDF Help)
Office of the Comptroller of the Currency 5/29/2001
OCC Staff Responses to Questions from February 13-14, 2001, Telephone Seminar on Privacy Regulation Compliance. Responses to Questions on Privacy Rule Compliance (5/29/01).

Privacy of Consumer Financial Information
Joint Agency Release 5/17/2001
Examination procedures to review supervised financial institutions for compliance with the agencies' final privacy regulation (issued at 65 FR 35162 (6/1/00)) by FDIC, FRB, OCC, and OTS. The procedures summarize the basic requirements of the regulation; identify examination objectives; establish procedures for examining for compliance with the regulation; and provide an examination checklist for use in verifying compliance. Examination Procedures for Privacy Rule (5/17/01).

Uniform Rating System for Information Technology (www.occ.gov)
Office of the Comptroller of the Currency 4/6/2001
Revises OCC policy in applying the URSIT to national banks. For IT exams of national banks that began after 4/1/01, the OCC will assign only the URSIT composite rating. Full URSIT ratings, composite and components, will continue to be assigned during OCC exams of other entities that provide technology services to national banks. Issued as OCC 2001-17 (4/6/01). (See, also, the FFIEC notice concerning the revised URSIT found at 64 FR 3109 (1/20/99).)

Privacy Preparedness Check-up - PDF (www.ots.treas.gov) (PDF Help)
Office of Thrift Supervision 9/18/2000
Questions to assist examiners in determining efforts of institutional management to achieve compliance with 12 CFR 573. Privacy Preparedness Check-Up (9/18/00).

Information Technology Examination Frequency (www.federalreserve.gov)
Federal Reserve Board 2/29/2000
Eliminates separate information technology exams and highlights that safety and soundness exams should include an assessment and evaluation of information technology risks and risk management. Also discusses exam frequency for service providers. Issued as SR 00-3 (2/29/00).

OCC Examination Handbook on Internet Banking - PDF (www.occ.gov) 226k (PDF Help)
Office of the Comptroller of the Currency 10/14/1999
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Uniform Rating System for Information Technology
Joint Agency Release 1/20/1999
FFIEC revised the Uniform Interagency Rating System for Data Processing Operations. The revision changed the name to the Uniform Rating System for Information Technology and includes changes that have occurred in the data processing industry and in supervisory policies and procedures since the rating system was adopted in 1978. Issued as 64 FR 3109 (1/20/99).

Electronic Banking Examination Procedures
Federal Deposit Insurance Corporation Rev. 2/2002
Provides guidance for information systems specialists to evaluate electronic banking standards and associated risks. DOS Exam Modules (9/1/98)

Electronic Banking Examination Procedures Update - PDF (PDF Help)
Federal Deposit Insurance Corporation 7/10/1998
Announces revisions to safety and soundness electronic banking exam procedures; describes the procedural levels of exam review (information-only systems that may include non-sensitive electronic mail, information transfer systems and sensitive electronic mail, and transactional systems); and distributes pre-exam letter and requests list to be used in exams where electronic banking activities are in place. Issued as RD Memo 98-061 (7/10/98).

Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations (www.federalreserve.gov)
Federal Reserve Board 4/20/1998
Provides examiners guidance to assess IT risks when evaluating Community Banks and Large Complex Banking Organizations. (Supplements SR 97-25, Risk-Focused Framework for Supervision of Community Banks, and SR 97-24, Risk-Focused Framework for Large Complex Institutions.) Issued as SR 98-9 (4/20/98).

Security Risks Associated with the Internet
Federal Deposit Insurance Corporation 12/18/1997
Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Information Technology - PDF (www.ots.treas.gov) 89k (PDF Help)
Office of Thrift Supervision 10/15/1997
Updates the OTS examination guidelines for the use of information technology and distributes revised Thrift Activities Regulatory Handbook Section 341, Information Technology (previously titled Electronic Data Processing Controls). Issued as RB 32-6 (10/15/97).

Examination Procedures for Retail Sale of Nondeposit Investment Products (www.federalreserve.gov)
Federal Reserve Board 5/26/1994
Examination Procedures for Retail Sale of Nondeposit Investment Products, Issued as SR 94-34 (5/26/94).

Nondeposit Investment Sales Examination Procedures - PDF 219k (PDF Help)
Office of the Comptroller of the Currency 2/24/1994
Interagency Statement on Retail Sales of Nondeposit Investment Products. Encourages insured depository institutions that recommend or sell to retail customers nondeposit investment products, such as mutual funds and annuities, to ensure that customers for these products are clearly and fully informed of the nature and risks associated with these products. In particular, institutions should ensure that customers are fully informed that the products: (1) are not insured by the FDIC; (2) are not deposits or other obligations of the institution and are not guaranteed by the institution; and (3) are subject to investment risks, including possible loss of the principal invested. The OCC incorporated the interagency statement with its insert in the Comptroller’s Handbook for National Bankers. The insert provides national bank examiners with procedures for examining the nondeposit investment sales activities of national banks. Issued as OCC Bulletin 94-13 (2/24/94).

Business Continuity Planning (www.ffiec.gov)
Federal Financial Institutions Examination Council
This Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.

Information Security Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations. Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution. This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 12-14.

Audit Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
This FFIEC booklet describes the roles and responsibilities of the board of directors, management, and internal or external auditors; identifies effective practices for IT audit programs; and details examination objectives and procedures. Agency examiners will use the examination procedures in Appendix A to assess the adequacy of IT audit programs at both financial institutions and technology service providers. The examination guidance and procedures in this booklet focus on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies.

Supervision of Technology Service Providers (www.ffiec.gov)
Federal Financial Institutions Examination Council
The Supervision of Technology Service Providers booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook and rescinds chapters 2-7 of that handbook. This booklet primarily governs the supervision of technology service providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC) member agencies’ (agencies) expectations of financial institutions in the oversight and management of their TSP relationships. This booklet outlines the agencies’ risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers. In addition, this booklet discusses two special IT-related programs administered by the FFIEC agencies: the Multi-Regional Data Processing Servicer (MDPS) Program, geared towards examining large TSPs, and the Shared Application Software Review (SASR) Program aimed at reviewing mission-critical software packages.

Fair Credit Reporting

Fair Credit Reporting Regulations - PDF 299k (PDF Help)
Joint Agency Release 10/20/2000
Issued as 65 FR 63120

OCC Guidance to National Banks on Web Site Privacy Statements (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Provides national banks with examples of effective practices for informing consumers who access bank Internet sites about bank privacy policies for the collection and use of personal information. Issued as AL 99-06 (5/4/99).

Fair Credit Reporting Act (www.occ.gov)
Office of the Comptroller of the Currency 3/29/1999
Provides examples from a sampling of existing bank practices that represent effective approaches for complying with notice requirements under FCRA regarding sharing of customer information among affiliated companies. Issued as AL 99-3 (3/29/99). (See, also, joint NPR 65 FR 63120 (10/20/00).)

Identity Theft

FDIC Makes Available on Its Web Site New Government-Wide Id Theft Home Page
Federal Deposit Insurance Corporation April 23, 2007
The Federal Deposit Insurance Corporation (FDIC), a participant in the government-wide Identity Theft Task Force, provides a direct link to the new, centralized government Web site on identity theft.

The new site, http://www.idtheft.gov/ , will provide the Task Force's Strategic Plan. The Plan, which represents the input of 17 Federal agencies, including the FDIC, sets out recommendations to prevent identity theft, to assist identity theft victims in recovering from those crimes, and to prosecute and punish identity theft-related criminals.

Supervisory Policy on Identity Theft
Federal Deposit Insurance Corporation April 11, 2007
The Federal Deposit Insurance Corporation has issued a "Supervisory Policy on Identity Theft." The policy describes the characteristics of identity theft. It also sets forth the FDIC's expectations that institutions under its supervision take steps to detect and prevent identity theft and mitigate its effects in order to protect consumers and help ensure institutions' safe and sound operations.

Frequently Asked Questions on Guidance Entitled Authentication in an Internet Banking Environment - PDF (www.ffiec.gov) (PDF Help)
FFIEC August 15, 2006
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005.

The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams
Federal Deposit Insurance Corporation January 26, 2006
The Federal Deposit Insurance Corporation (FDIC) has produced a multimedia presentation to help consumers protect themselves from identity theft. The presentation provides information on steps consumers should take to secure their computer and protect themselves from identity theft, as well as actions consumers should take if they become a victim of identity theft. Financial institutions are encouraged to make the link available to their customers from their websites.

Authentication in an Internet Banking Environment - PDF (www.ffiec.gov) 163k (PDF Help)
Federal Financial Institutions Examination Council (FFIEC) 10/12/2005
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

You Can Fight Identity Theft
Interagency September 8, 2005
The federal bank, thrift and credit union agencies have announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as “phishing.” The term is a play on the word “fishing,” and that’s exactly what Internet thieves are doing – fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person’s credit card or, in the worst case, even steal that person’s identity.

Putting an End to Account-Hijacking Identity Theft Study Supplement
Federal Deposit Insurance Corporation 6/17/2005
This publication supplements the FDIC’s study Putting an End to Account-Hijacking Identity Theft published on December 14, 2004.

Putting an End to Account-Hijacking Identity Theft
Federal Deposit Insurance Corporation 12/14/2004
This study, published on December 14, 2004, presents the FDIC's findings on unauthorized access to financial institution accounts and how the financial industry and its regulators can mitigate these risks.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks- PDF 245k (PDF Help)
Federal Deposit Insurance Corporation 6/16/2004
This study presents the FDIC's findings with regard to the risks associated with offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective, with particular emphasis on the threats posed to customer privacy.

Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
Federal Deposit Insurance Corporation 3/12/2004
The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers.

Guidance on Identity Theft and Pretext Calling
Federal Deposit Insurance Corporation 5/9/2001
Addresses how banks should protect customer information against identity theft. Also included is guidance on completing Suspicious Activity Reports to report offenses associated with identity theft and pretext calling, i.e., posing as a customer or someone authorized to have customer information in order to obtain confidential customer data. Guidance on Identity Theft and Pretext Calling (5/9/01).

How to Avoid Becoming A Victim of Identity Theft - PDF (www.occ.gov) 162k (PDF Help)
Office of the Comptroller of the Currency 4/30/2001
Trifold consumer brochure on avoiding identity theft.

Identity Theft and Pretext Calling - Word (www.occ.gov) 69k (Word Help)
Office of the Comptroller of the Currency 4/30/2001
Informs national banks about two areas of consumer bank fraud, identity theft and pretext calling, and advises them about measures to prevent and detect these types of fraud. Also supplements the interagency guidelines establishing standards to safeguard customer information by focusing on the protection of customer information specifically against identity theft and pretext calling. Issued as AL 2001-4.

Identity Theft and Pretext Calling (www.federalreserve.gov)
Federal Reserve Board 4/26/2001
Addresses how state member banks and other banking organizations supervised by the FRB that provide products or services to the public or that maintain customer account information should protect customer information against identity theft. Also provides guidance on completing Suspicious Activity Reports that report offenses associated with identity theft and pretext calling. Issued as SR 01-11

Information Security

Information Security - PDF (www.ffiec.gov) (PDF Help)
FFIEC 7/27/06
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes.

The guidance updates the 2002 Information Security Booklet and addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance. The discussion of risk assessment has been expanded to reflect the maturation of that process related to information security. New or revised material is included regarding authentication, monitoring programs, and software trustworthiness. Many additional topics including malware, wireless, remote access, and trust services have also been incorporated or revised.

Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide
Joint Agency Release December 14, 2005
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Guidance on Implementing a Fraud Hotline
Federal Deposit Insurance Corporation
August 16, 2005
The Federal Deposit Insurance Corporation (FDIC) encourages financial institutions to consider implementing a fraud hotline to assist in their enterprise risk management, corporate governance and fraud protection efforts. The FDIC has established guidelines for institution management to consider when implementing a fraud hotline to ensure its overall effectiveness.

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice- PDF (www.occ.gov) 550k (PDF Help)
Interagency 3/23/2005
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies’ customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information.

Management Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 7/15/2004
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

Outsourcing Technology Services Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 7/15/2004
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks- PDF 245k (PDF Help)
Federal Deposit Insurance Corporation 6/16/2004
This study presents the FDIC's findings with regard to the risks associated with offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective, with particular emphasis on the threats posed to customer privacy.

Guidance on Developing an Effective Computer Virus Protection Program
Federal Deposit Insurance Corporation 6/7/2004
The FDIC is issuing guidance to financial institutions about the importance of maintaining an effective computer virus protection program. The guidance provides information on the risks associated with computer viruses and how these risks can be mitigated. Financial institutions rely on the Internet to conduct business transactions and to communicate with customers, vendors and other business partners. Commonly used electronic mail applications are susceptible to computer viruses that may be embedded in e-mails and e-mail file attachments. Therefore, it is important that management understand the risks of computer viruses and take appropriate action to protect computer systems. This guidance is designed to complement the FFIEC Information Security IT Examination Handbook, issued December 2002, and to supplement Financial Institution Letter 68-99, "Risk Assessment Tools and Practices for Information System Security." Issued as FIL-62-2004.

Development and Acquisition (www.ffiec.gov)
Federal Financial Institutions Examination Council 5/27/2004
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section.

Guidance on Developing an Information System Patch Management Program to Address Software Vulnerabilities
Federal Deposit Insurance Corporation 5/29/2003
The FDIC is providing guidance to financial institutions about the importance of maintaining an effective computer software patch management program. This guidance provides institutions with background information on the risks associated with software vulnerabilities and how they can be mitigated through an effective patch management program.

Information Technology Examination Procedures
Federal Deposit Insurance Corporation 10/9/2002
The Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures.

Electronic Access - PDF (www.ffiec.gov) 58k (PDF Help)
Federal Reserve Board 6/1/2002
This operating circular sets forth the terms under which an institution may access certain services provided by a Reserve Bank, and under which an institution may send certain data to, or receive certain data from, a Reserve Bank by means of electronic connection(s).

Funds Transfer through Fedwire - PDF (www.ffiec.gov) 60k (PDF Help)
Federal Reserve Board 1/2/2002
Operating circular relating to the transfer of funds via Fedwire.

Network Security Vulnerabilities - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 4/24/2001
Alerts banks to potential threats in electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software. These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. Issued as Alert 2001-4 (4-24-01).

Comptroller’s Corporate Manual on The Internet and The National Bank Charter - PDF (www.occ.gov) 222k (PDF Help)
Office of the Comptroller of the Currency 1/1/2001
This booklet provides guidance on these processes and the special issues and considerations presented by proposals for these types of banks. The Internet and The National Bank Charter (January 2001).

Digital Signature Deployment Issues
Federal Deposit Insurance Corporation 10/30/2000
Describes four critical issues to consider when deploying digital signature technology. Bank Technology Bulletin (9/30/00).

Infrastructure Threats - Intrusion Risks (www.occ.gov)
Office of the Comptroller of the Currency 5/15/2000
Infrastructure Threats - Intrusion Risks: Message to Bankers and Examiners. Guidance on preventing, detecting, and responding to intrusions into bank computer systems. Issued as OCC Bulletin 2000-14 (5/15/00).

Outsourcing of Information and Transaction Processing (www.federalreserve.gov)
Federal Reserve Board 2/29/2000
Provides supervisory expectations regarding the management of risks that may arise from outsourcing critical information and transaction processing activities by banking organizations. Issued as SR 00-4 (2/29/00).

Information Technology Examination Frequency (www.federalreserve.gov)
Federal Reserve Board 2/29/2000
Eliminates separate information technology exams and highlights that safety and soundness exams should include an assessment and evaluation of information technology risks and risk management. Also discusses exam frequency for service providers. Issued as SR 00-3 (2/29/00).

Internet Security: Distributed Denial of Service Attacks (www.occ.gov)
Office of the Comptroller of the Currency 2/11/2000
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than computers can handle. Issued as Alert 2000-1 (2/11/00).

Risk Assessment Tools and Practices for Information System Security
Federal Deposit Insurance Corporation 7/7/1999
Emphasizes components of a sound information security program: prevention, detection, and response. Supplements FIL-131-97, Security Risks Associated with the Internet (12/18/97), and complements FDIC’s safety and soundness electronic banking examination procedures. Issued as FIL-68-99 (7/7/99).

Certification Authority Systems (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Defines the elements of certification authority systems, describes the role of banks in emerging systems, and refers bankers and examiners to OCC Bulletin 98-38, "Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners," and OCC Bulletin 98-3, "Technology Risk Management: Guidance for Bankers and Examiners." Issued as OCC Bulletin 99-20 (5/4/99).

Infrastructure Threats from Cyber-Terrorists (www.occ.gov)
Office of the Comptroller of the Currency 3/5/1999
Identifies threats and vulnerabilities created by cyber-terrorism to the financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Security Risks Associated with the Internet
Federal Deposit Insurance Corporation 12/18/1997
Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Sound Practices Guidance for Information Security for Networks (www.federalreserve.gov)
Federal Reserve Board 12/4/1997
Guidance for protecting information and ensuring integrity, availability, and confidentiality. Issued as SR 97-32 (12/4/97).

Information Technology - PDF (www.ots.treas.gov) 89k (PDF Help)
Office of Thrift Supervision 10/15/1997
Updates the OTS examination guidelines for the use of information technology and distributes revised Thrift Activities Regulatory Handbook Section 341, Information Technology (previously titled Electronic Data Processing Controls). Issued as RB 32-6 (10/15/97).

Risk Management and Client/Server Systems
Joint Agency Release 10/8/1996
FFIEC statement alerting the boards of directors and senior management of financial institutions to the risks associated with client/server computing, and encouraging the development and implementation of sound policies, practices, procedures, and controls over client/server computing environments. Issued as FIL-82-96 (10/8/96).

Social Security Numbers As Personal Identification Numbers - PDF (PDF Help)
Office of the Comptroller of the Currency 7/24/1991
Alerts banks and examiners to potential security breaches or fraud through unauthorized access to customer accounts. Issued as AL 91-4 (7/24/91).

Information Security Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations. Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution. This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 12-14.

Information Sharing

USA PATRIOT Act - Section 314, Information Sharing
Federal Deposit Insurance Corporation 3/14/2002
Section 314(b) of the USA PATRIOT Act permits financial institutions, upon providing notice to Treasury, to share information with one another in order to better identify and report to the federal government concerning activities that may involve money laundering or terrorist activities. Financial institutions may share the information after providing notice to Treasury by filing the "Certification for Purposes of Section 314(b) of the USA PATRIOT Act and 31 CFR 103.110" (certification form). The rule is effective 3/04/02. On March 4, 2002, the Financial Crimes Enforcement Network (FinCEN) also issued a proposed rule that would add new sections to the Bank Secrecy Act regulations. The proposed Section 103.90 defines money laundering and terrorist activity. Comments must be received on or before April 3, 2002. Issued as FIL 24-2002 (3/14/02).

Information Sharing Pursuant to Section 314(b) of the USA Patriot Act (www.federalreserve.gov)
Federal Reserve Board 3/14/2002
This SR letter describes a new, immediately effective regulation concerning the sharing of information about terrorist financing and money laundering among financial institutions that was issued by the U.S. Department of the Treasury, through its Financial Crimes Enforcement Network (FinCEN). The FinCEN rule was issued pursuant to section 314(b) of the USA Patriot Act on 3/04/02. All banking organizations supervised by the Federal Reserve should obtain a copy of FinCEN's new regulation and take whatever steps are necessary to ensure that the appropriate staff learns about its provisions. Issued as SR-02-6 (3/14/02).

Information Sharing Pursuant to Section 314(b) of the USA Patriot Act - PDF (www.ffiec.gov) 114k (PDF Help)
Federal Reserve Board 3/14/2002
This SR letter describes a Treasury Regulation concerning the sharing of information about terrorist financing and money laundering among financial institutions.

Joint Interpretive Letter Concerning Sharing of Account Numbers for Use in Marketing - PDF (www.occ.gov) 100k (PDF Help)
Joint Agency Release 5/4/2001
Interagency response to a letter asking the Federal banking agencies to allow financial institutions to disclose unencrypted account numbers to a third party. (Certain information has been removed from the response to protect the privacy of the correspondent.)

Privacy Rule Handbook
Federal Deposit Insurance Corporation 1/25/2001
Explains basic requirements of 12 CFR Part 332 (the privacy rule described above); provides suggestions for implementing the rule to meet the July 1 deadline; suggests activities to monitor and maintain compliance; and describes in detail key terminology in the rule. (See 65 FR 35162 (6/1/00).) Privacy Rule Handbook (1/22/01).

Privacy Preparedness - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See also Privacy Preparedness Questionnaire.)

Privacy Preparedness Questionnaire - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See also Privacy Preparedness Questionnaire.)

Privacy Laws and Regulations - PDF (www.occ.gov) 76k (PDF Help)
Office of the Comptroller of the Currency 9/8/2000
Summarizes federal laws and regulations relating to disclosure of consumer financial information to help national banks and subsidiaries understand their statutory obligations. (See 65 FR 35162 (6/1/00).) Privacy Laws and Regulations (9/8/00).

Fair Credit Reporting Act (www.occ.gov)
Office of the Comptroller of the Currency 3/29/1999
Provides examples from a sampling of existing bank practices that represent effective approaches for complying with notice requirements under FCRA regarding sharing of customer information among affiliated companies. Issued as AL 99-3 (3/29/99). (See also joint NPR 65 FR 63120 (10/20/00).)

Internet Security

Authentication in an Internet Banking Environment - PDF (www.ffiec.gov) (PDF Help)
FFIEC 8/15/06
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005.

The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Information Security - PDF (www.ffiec.gov) (PDF Help)
FFIEC 7/27/06
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes.

The guidance updates the 2002 Information Security Booklet and addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance. The discussion of risk assessment has been expanded to reflect the maturation of that process related to information security. New or revised material is included regarding authentication, monitoring programs, and software trustworthiness. Many additional topics including malware, wireless, remote access, and trust services have also been incorporated or revised.

Bank Secrecy Act/Anti-Money Laundering Examination Manual - PDF (www.ffiec.gov) (PDF Help)
FFIEC 7/27/2006
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual’s 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.

Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams
Federal Deposit Insurance Corporation January 26, 2006
The Federal Deposit Insurance Corporation (FDIC) has produced a multimedia presentation to help consumers protect themselves from identity theft. The presentation provides information on steps consumers should take to secure their computer and protect themselves from identity theft, as well as actions consumers should take if they become a victim of identity theft. Financial institutions are encouraged to make the link available to their customers from their websites.

You Can Fight Identity Theft
Interagency September 8, 2005
The federal bank, thrift and credit union agencies have announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as “phishing.” The term is a play on the word “fishing,” and that’s exactly what Internet thieves are doing – fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person’s credit card or, in the worst case, even steal that person’s identity.

Voice over Internet Protocol (VoIP) Informational Supplement
Federal Deposit Insurance Corporation July 27, 2005
The FDIC is providing guidance to financial institutions on the security risks associated with voice over Internet protocol (VoIP). VoIP refers to the delivery of traditional telephone voice communications over the Internet.

Best Practices on Spyware Prevention and Detection
Federal Deposit Insurance Corporation July 22, 2005
The FDIC is issuing guidance to financial institutions recommending an effective spyware prevention and detection program based on an institution's risk profile. This guidance and the attached informational supplement discuss the risks associated with spyware from both a bank and consumer perspective and provide recommendations to mitigate these risks.

Guidance on How Financial Institutions Can Protect Against Pharming Attacks
Federal Deposit Insurance Corporation July 18, 2005
The Federal Deposit Insurance Corporation (FDIC) has prepared guidance for financial institutions on the risks posed by "pharming" and strategies that can help mitigate those risks. "Pharming" is the practice of redirecting Internet domain name requests to false Web sites in order to capture personal information, which may later be used to commit fraud and identity theft.

Threats from Fraudulent Bank Web Sites- Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 7/1/2005
The bulletin addresses procedures banks can implement to mitigate the risks to themselves and their customers by detecting and responding to Web-site spoofing. It also identifies the types of information banks can provide to law enforcement authorities to assist in investigating illegal activities. This bulletin expands on OCC Alert 2003-11, "Customer Identity Theft: E-mail-Related Fraud Threats," September 12, 2003.

Phish brochure (large file format) - PDF 3,268k (PDF Help)
Phish brochure (small file format) - PDF 224k (PDF Help)
Joint Agency release 9/8/2004
The federal bank, thrift and credit union agencies today announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as "phishing."

The term is a play on the word "fishing," and that's exactly what Internet thieves are doing - fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person's credit card or, in the worst case, even steal that person's identity.

Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
Federal Deposit Insurance Corporation 3/12/2004
The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers.

Weblinking
Joint Agency Release 4/23/2003
Federal bank and credit union regulatory agencies have issued guidance to assist financial institutions in identifying risks posed by the use of weblinks on their websites, and to suggest a variety of risk-management techniques that institutions should consider using to mitigate those risks. This guidance applies to institutions that develop and maintain their own websites, as well as institutions that use third-party service providers for this

ACH Transactions Involving the Internet: Guidance and Examination Procedures - Word (www.occ.gov) 102k (Word Help)
Office of the Comptroller of the Currency 1/14/2002
Highlights the risks associated with automated clearing house (ACH) transactions that involve the use of the Internet and provides guidance for managing those risks. This bulletin incorporates and replaces OCC Advisory Letter 2001-3 (Internet-Initiated ACH Debits/ACH Risks (1/29/01)) (described below). Issued as OCC Bulletin 2002-2 (1/14/02).

Authentication In An Electronic Banking Environment
Joint Agency Release 7/30/2001
Reviews the risks and risk management controls of a number of existing and emerging authentication tools necessary to initially verify the identity of new customers and authenticate existing customers that access electronic banking services. This guidance applies to both retail and commercial customers and is intended to be technology neutral. Financial institutions may use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a third party service provider. Issued as FFIEC Authentication Guidance by FDIC, FRB, OTS and OCC.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information - PDF (www.occ.gov) 131k (PDF Help)
Office of the Comptroller of the Currency 7/18/2001
Provides risk-based procedures that allow examiners to tailor the exam scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution. Typically, OCC examiners will use these procedures in the OCC’s largest banks, which have complex IT environments, significant information security concerns, or where less experienced examiners need more detailed guidance. Issued as Examination Procedures (7/18/01).

Weblinking - Word (www.occ.gov) 80k (Word Help)
Office of the Comptroller of the Currency 7/3/2001
Highlights risks involved in weblinking relationships with third parties and provides risk management guidance to banks on weblinking relationships with affiliated and unaffiliated third parties. Issued as OCC Bulletin 2001-31 (7/3/01).

Network Security Vulnerabilities - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 4/24/2001
Alerts banks to potential threats in electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software. These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. Issued as Alert 2001-4 (4-24-01).

Bank-Provided Account Aggregation Services - Word (www.occ.gov) 55k (Word Help)
Office of the Comptroller of the Currency 2/28/2001
Discusses the risks of bank-provided account aggregation services, and suggests control mechanisms banks should consider when they offer aggregation services. Issued as OCC Bulletin 2001-12 (3/2/01).

Internet-Initiated ACH Debits/ACH Risks - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/29/2001
Alerts banks to specific Automated Clearing House (ACH) risks and emphasizes the importance of sound ACH risk management practices. Banks that transmit certain Internet-initiated ACH debits will be deemed to warrant that their customers who originate the entries use security measures that meet minimum standards of the National Automated Clearing House Association. Issued as AL 2001-3 (1/29/01).

Protecting Internet Domain Names - PDF (PDF Help)
Federal Deposit Insurance Corporation 11/9/2000
Alerts senior bank management to potential domain name-related problems and highlights action that may help to avoid or resolve such problems. Bank Technology Bulletin (11/9/00).

Tips for Safe Banking Over the Internet
Federal Deposit Insurance Corporation 9/21/2000
Tips for Safe Banking Over the Internet - An FDIC Brochure for Bank Customers. This brochure offers information and tips to help bank customers who are thinking about or already using online banking systems. It describes how to:
  • Confirm that an online bank is legitimate and that your deposits are insured
  • Keep your personal information private and secure
  • Understand your rights as a consumer
  • Learn where to go for more assistance from banking regulators

Protecting Internet Addresses of National Banks (www.occ.gov)
Office of the Comptroller of the Currency 7/19/2000
Highlights need for banks to carefully select and protect Internet addresses. Issued as Alert 2000-9 (7/19/00).

Internet Security: Distributed Denial of Service Attacks (www.occ.gov)
Office of the Comptroller of the Currency 2/11/2000
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than computers can handle. Issued as Alert 2000-1 (2/11/00).

OCC Examination Handbook on Internet Banking - PDF (www.occ.gov) 226k (PDF Help)
Office of the Comptroller of the Currency 10/14/1999
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Certification Authority Systems (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Defines elements of certification authority systems, describes the role of banks in emerging systems, and refers bankers and examiners to OCC Bulletin 98-38, "Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners" and OCC Bulletin 98-3, "Technology Risk Management: Guidance for Bankers and Examiners." Issued as OCC Bulletin 99-20 (5/4/99).

Infrastructure Threats from Cyber-Terrorists (www.occ.gov)
Office of the Comptroller of the Currency 3/5/1999
Identifies threats and vulnerabilities created by cyber-terrorism to financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Security Risks Associated with the Internet
Federal Deposit Insurance Corporation 12/18/1997
Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Money Laundering

Bank Secrecy Act/Anti-Money Laundering Examination Manual - PDF (www.ffiec.gov) (PDF Help)
FFIEC 7/27/2006
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual’s 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.

Bank Secrecy Act/Anti-Money Laundering Examination Infobase (www.ffiec.gov)
FFIEC 7/28/2005
The Federal Financial Institutions Examination Council (FFIEC) today announced the release of its Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination InfoBase (InfoBase), an automated tool for examiners and industry that provides information on the FFIEC BSA/AML Examination Manual (Manual) released on June 30, 2005. This tool will assist examiners and industry to more easily navigate and facilitate use of the Manual. The InfoBase features the entire Manual, including background materials, examination procedures, and appendices, as well as frequently asked questions and links to other resources that may be helpful in understanding BSA/AML requirements and examination expectations.

Bank Secrecy Act/Anti-Money Laundering Examination Manual - PDF (www.ffiec.gov) (PDF Help)
FFIEC 6/23/2005
The FFIEC BSA/AML Examination Manual was developed by the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) (collectively referred to as the federal banking agencies) in collaboration with the Financial Crimes Enforcement Network (FinCEN), the delegated administrator of the BSA. In addition, through the Conference of State Bank Supervisors, the state banking agencies played a consultative role. The Office of Foreign Assets Control (OFAC) collaborated on the development of core overview and examination procedures addressing compliance with regulations enforced by OFAC.

The FFIEC BSA/AML Examination Manual emphasizes a banking organization's responsibility to establish and implement risk-based policies, procedures, and processes to comply with the BSA and safeguard its operations from money laundering and terrorist financing. The BSA/AML examination procedures will guide examiners through an evaluation of a banking organization's BSA/AML compliance program regardless of its size or business lines. The majority of the FFIEC BSA/AML Examination Manual provides narrative guidance and resource materials rather than specific examination procedures. This includes an overview of the BSA requirements and the federal banking agencies' supervisory expectations in this area.

Remittances: A Gateway to Banking for Unbanked Immigrants - PDF (www.occ.gov) (PDF Help)
Office of the Comptroller of the Currency 9/15/2004
This edition of Community Developments Insights addresses the role of banks in providing money transfer services and describes how banks can use these products to attract unbanked immigrants into the banking system. It also addresses some of the key risks and regulatory issues presented by bank involvement in these products, including a number of legal, compliance, and operational considerations that financial institutions should be aware of when offering remittance products, such as money laundering, customer identification, and third party provider risk.

FinCEN 314(a) Distribution List to be Compiled from Contact Information on the Call Report (www.occ.gov)
Office of the Comptroller of the Currency 3/4/2004
Pursuant to section 314(a) of the USA PATRIOT Act, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) developed and implemented an electronic system for law enforcement to request information about suspected terrorists and money launderers from financial institutions. This alert informs national banks and federal branches that the conversion to the automated Call Report distribution list will begin on March 16, 2004.

Currency Transaction Report (www.fincen.gov)
FinCEN
CTR Form (replaces Form 4789 effective December 1, 2003): FinCEN Form 104 - Currency Transaction Report (form and instructions) (IRS Form 4789 will continue to be accepted until August 31, 2004. FinCEN Form 104 is a fill-in form using Adobe Reader 5.0 or higher software.)

Form TD F 90-22.53 Designation of Exempt Person (DEP) - PDF (www.fincen.gov) 178k (PDF Help)
FinCEN
Form TD F 90-22.53 Designation of Exempt Person (DEP) (Fill-in Version) The "Designation of Exempt Person" Form is designed to help depository institutions use FinCEN's reformed CTR Exemption rules to reduce significantly the burden of large currency transaction reporting. Banks, thrifts, and credit unions can use the rules and the Form to eliminate the reporting obligation for transactions by most business customers with routine needs for currency.

Magnetic Media Filing of Currency Transaction Reports (CTRs) and Designation of Exempt Person Forms - PDF (www.fincen.gov) 672k (PDF Help)
FinCEN
FinCEN is releasing the latest version of the technical standards for both the Currency Transaction Report and the Designation of Exempt Person form to be used by financial institutions filing by means of magnetic media. These technical standards were developed by the Detroit Computing Center, to which all magnetic media filings are sent, and are intended to be used by magnetic media filers beginning immediately. In addition to updates as a result of the Designation of Exempt Person form, there are also updates to the country code lists, the list of most commonly asked questions, and other sections.

New TD F 90-22.47 (SAR for Depository Institutions) - PDF (www.fincen.gov) 180k (PDF Help)
FinCEN
New TD F 90-22.47 (SAR for Depository Institutions) For use beginning July 1, 2003. Previous versions of SAR form will not be accepted after December 31, 2003. (SAR Fill-in Form) (SAR Preparation Guidelines - Word97, PDF) (SAR Software Version 5.1 - This new version of the SAR software corrects errors experienced by Windows XP users.) (SAR Magnetic Media Specifications) All financial institutions operating in the United States, including insured banks, savings associations, savings association service corporations, credit unions, bank holding companies, non-bank subsidiaries of bank holding companies, Edge and Agreement corporations, and U.S. branches and agencies of foreign banks are required to make this report following the discovery of: insider abuse involving any amount, violations aggregating $5,000 or more where a suspect can be identified, violations aggregating $25,000 or more regardless of a potential suspect, or transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act. Full instructions accompany this download.

Section 312 of the USA PATRIOT Act - Due Diligence for Correspondent and Private Banking Accounts - PDF (www.ffiec.gov) 114k (PDF Help)
Federal Reserve Board 7/23/2002
Offers guidance under the Treasury Interim Final Rule implementing section 312. Issued as FRB SR 02-18 (7/23/02).

Information Sharing Pursuant to Section 314(b) of the USA Patriot Act - PDF (www.ffiec.gov) 114k (PDF Help)
Federal Reserve Board 3/14/2002
This SR letter describes a Treasury Regulation concerning the sharing of information about terrorist financing and money laundering among financial institutions.

Anti-Money Laundering Measures
Federal Deposit Insurance Corporation 12/28/2001
Provides the Department of the Treasury Interim Guidance on how to comply with the requirements of sections 313 and 319(b) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 (Pub. L. No. 107-56 (10-26-01)). Issued as FIL 110-2001 (12/28/01).

The USA PATRIOT Act and the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 (www.federalreserve.gov)
Federal Reserve Board 12/19/2001
Provides a brief description of the provisions of the USA PATRIOT Act that should receive immediate attention by U.S. banking organizations and Federal Reserve supervisors. The Act generally applies to insured depository institutions as well as to the U.S. branches and agencies of foreign banks. It does not immediately impose any new filing or reporting obligations for banking organizations, but requires certain additional due diligence and recordkeeping practices. This SR letter describes new rules that are required to be issued or may be issued by Treasury. While this SR letter does not offer interpretive guidance, it does identify some important areas where additional guidance by Treasury will be required. Issued as SR 01-29 (11/26/01).

USA PATRIOT Act Anti-Money-Laundering Provisions - Word (www.occ.gov) 53k (Word Help)
Office of the Comptroller of the Currency 12/19/2001
Provides a discussion on key provisions of the USA PATRIOT Act. The Act establishes a variety of new and enhanced ways of combating international terrorism. The provisions that affect national banks (and other financial institutions) most directly are contained in Title III, which primarily amends the Bank Secrecy Act (BSA) to provide the Secretary of the Treasury and other Federal departments and agencies with enhanced authority to identify, deter, and punish international money laundering. Issued as AL 2001-12 (12/19/01).

Nondeposit Investment Products

Nondeposit Investment Sales Appendices A-C - PDF (www.ots.treas.gov) 87k (PDF Help)
Office of Thrift Supervision 4/25/1996
Assists regulators when evaluating the effect of a service corporation’s securities brokerage program on the parent thrift. The risk assessment issues discussed generally apply to other third party arrangements involving on-premises sales of investment products. Issued as RB 32-4 (4/25/96).

Joint Interpretations of the Interagency Statement on Retail Sales of Nondeposit Investment Products (www.occ.gov)
Joint Agency Release 9/12/1995
Joint Interpretation of Policy Statement

Examination Procedures for Retail Sale of Nondeposit Investment Products (www.federalreserve.gov)
Federal Reserve Board 5/26/1994
Examination Procedures for Retail Sale of Nondeposit Investment Products, Issued as SR 94-34 (5/26/94).

Nondeposit Investment Sales Examination Procedures - PDF (www.occ.gov) 130k (PDF Help)
Office of the Comptroller of the Currency 2/24/1994
Interagency Statement on Retail Sales of Nondeposit Investment Products. Encourages insured depository institutions that recommend or sell to retail customers nondeposit investment products, such as mutual funds and annuities, to ensure that customers for these products are clearly and fully informed of the nature and risks associated with these products. In particular, institutions should ensure that customers are fully informed that the products: (1) are not insured by the FDIC; (2) are not deposits or other obligations of the institution and are not guaranteed by the institution; and (3) are subject to investment risks, including possible loss of the principal invested. The OCC incorporated the interagency statement, together with its own insert, into the Comptroller’s Handbook for National Bankers. The insert provides national bank examiners with procedures for examining the nondeposit investment sales activities of national banks. Issued as OCC Bulletin 94-13 (2/24/94).

Interagency Statement on Retail Sales of Nondeposit Investment Products
Joint Agency Release 2/17/1994
Encourages insured depository institutions that recommend or sell to retail customers nondeposit investment products, such as mutual funds and annuities, to ensure that customers for these products are clearly and fully informed of the nature and risks associated with these products. In particular, institutions should ensure that customers are fully informed that the products: (1) are not insured by the FDIC; (2) are not deposits or other obligations of the institution and are not guaranteed by the institution; and (3) are subject to investment risks, including possible loss of the principal invested. Issued as Policy Statement (2/15/94).

Pretext Calling

Guidance on Identity Theft and Pretext Calling
Federal Deposit Insurance Corporation 5/9/2001
Addresses how banks should protect customer information against identity theft. Also included is guidance on completing Suspicious Activity Reports to report offenses associated with identity theft and pretext calling, i.e., posing as a customer or someone authorized to have customer information in order to obtain confidential customer data. Guidance on Identity Theft and Pretext Calling (5/9/01).

Identity Theft and Pretext Calling - Word (www.occ.gov) 69k (Word Help)
Office of the Comptroller of the Currency 4/30/2001
Informs national banks about two areas of consumer bank fraud, identity theft and pretext calling, and advises them about measures to prevent and detect these types of fraud. Also supplements the interagency guidelines establishing standards to safeguard customer information by focusing on the protection of customer information specifically against identity theft and pretext calling. Issued as AL 2001-4 (4/30/01).

Identity Theft and Pretext Calling (www.federalreserve.gov)
Federal Reserve Board 4/26/2001
Addresses how state member banks and other banking organizations supervised by the FRB that provide products or services to the public or that maintain customer account information should protect customer information against identity theft. Also provides guidance on completing Suspicious Activity Reports that report offenses associated with identity theft and pretext calling. Issued as SR 01-11 (4/26/01).

Privacy and Accuracy of Personal Customer Information - PDF (www.ots.treas.gov) 690k (PDF Help)
Office of Thrift Supervision 11/3/1998
Recommends that savings associations notify customers of how they will use certain customer information. Issued as CEO Memo 97 (11/3/98).

Pretext Phone Calling
Joint Agency Release 9/2/1998
Alerts financial institutions to the practice of pretext phone calling, which is a means of gaining access to customers' confidential account information by organizations and individuals who call themselves account information brokers. (Jointly prepared by FDIC, OCC, OTS, FRB, FBI, Secret Service, IRS, and Postal Inspection Service.) Issued as FIL-98-98 (9/2/98). Also issued by OCC as NR 98-86 (8/20/98) and by OTS as CEO Memo 97 (11/3/98).

Privacy

You Can Fight Identity Theft
Interagency September 8, 2005
The federal bank, thrift and credit union agencies have announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as “phishing.” The term is a play on the word “fishing,” and that’s exactly what Internet thieves are doing – fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person’s credit card or, in the worst case, even steal that person’s identity.

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice - PDF (www.occ.gov) 550k (PDF Help)
Interagency 3/23/2005
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies’ customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information.

Guidance on Instant Messaging
Federal Deposit Insurance Corporation 7/21/2004
This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks - PDF 245k (PDF Help)
Federal Deposit Insurance Corporation 6/16/2004
This study presents the FDIC's findings with regards to the associated risks of offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective and with particular emphasis on the threats posed to customer privacy.

Privacy Choices for Your Personal Financial Information
Joint Agency Release 2/6/2002
Guidance to help consumers make informed choices about whether to allow their personal financial information to be shared. This information is intended to guide customers through the choices they face as a result of the privacy provisions of the Gramm-Leach-Bliley Act of 1999. Also issued by OCC, OTS and FRB.

Guidance on Financial Privacy - PDF (www.ots.treas.gov) 106k (PDF Help)
Office of Thrift Supervision 12/12/2001
Provides a series of frequently asked questions covering various aspects of the federal banking agencies' identical privacy rules and provides media contacts for each of the banking agencies. Issued as OTS PR 01-86 (12/12/01).

Guidance on Financial Privacy - PDF (www.federalreserve.gov) 75k (PDF Help)
Federal Reserve Board 12/12/2001
Provides a series of frequently asked questions covering various aspects of the federal banking agencies' identical privacy rules and provides media contacts for each of the banking agencies.

Guidance on Financial Privacy - Press Release
Joint Agency Release 12/12/2001
Provides a series of frequently asked questions covering various aspects of the federal banking agencies' identical privacy rules and provides media contacts for each of the banking agencies. Issued as FDIC-PR-93-2001 (12/12/01).

Guidance on Financial Privacy - PDF (www.occ.gov) 323k (PDF Help)
Office of the Comptroller of the Currency 12/12/2001
Provides a series of frequently asked questions covering various aspects of the federal banking agencies' identical privacy rules and provides media contacts for each of the banking agencies. Issued as NR 2001-101 (12/12/01). (The FAQs for the Privacy Regulation are Part III of the OCC’s Small Bank Compliance Guide.)

Privacy Rule: Small Bank Compliance Guide - PDF (www.occ.gov) 323k (PDF Help)
Office of the Comptroller of the Currency 12/1/2001
Provides an overview of a bank’s basic obligations under the privacy rule, a summary of the rule, a privacy preparedness checklist, and questions and answers.

Frequently Asked Questions for the Privacy Regulation
Federal Deposit Insurance Corporation 12/1/2001
Provides a series of frequently asked questions covering various aspects of the federal banking agencies' identical privacy rules and provides media contacts for each of the banking agencies. Issued as FDIC-PR-93-2001 (12/12/01).

Guidelines for Safeguarding Customer Information - PDF (www.ffiec.gov) 651k (PDF Help)
Joint Agency Release 5/31/2001
The Guidelines implement Section 501 of the Gramm-Leach-Bliley Act, which requires the federal banking agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information.

Privacy Regulation Compliance - PDF (www.occ.gov) 651k (PDF Help)
Office of the Comptroller of the Currency 5/29/2001
OCC Staff Responses to Questions from February 13-14, 2001, Telephone Seminar on Privacy Regulation Compliance. Responses to Questions on Privacy Rule Compliance (5/29/01).

Privacy of Consumer Financial Information - PDF 143k (PDF Help)
Joint Agency Release 5/17/2001
Examination procedures to review supervised financial institutions for compliance with the agencies' final privacy regulation (issued at 65 FR 35162 (6/1/00)). Issued by FDIC, FRB, OCC and OTS. The procedures summarize the basic requirements of the regulation; identify examination objectives; establish procedures for examining for compliance with the regulation; and provide an examination checklist for use in verifying compliance. Examination Procedures for Privacy Rule (5/17/01).

Joint Interpretive Letter Concerning Sharing of Account Numbers for Use in Marketing - PDF (www.occ.gov) 100k (PDF Help)
Joint Agency Release 5/4/2001
Interagency response to a letter asking the Federal banking agencies to allow financial institutions to disclose unencrypted account numbers to a third party. (Certain information has been removed from the response to protect the privacy of the correspondent.)

Privacy Rule Handbook
Federal Deposit Insurance Corporation 1/25/2001
Explains basic requirements of 12 CFR Part 332 (the privacy rule described above); provides suggestions for implementing the rule to meet the July 1 deadline; suggests activities to monitor and maintain compliance; and describes in detail key terminology in the rule. (See 65 FR 35162 (6/1/00).) Privacy Rule Handbook (1/22/01).

Privacy Preparedness Questionnaire - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See, also, Privacy Preparedness Questionnaire.)

Privacy Preparedness - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See, also, Privacy Preparedness Questionnaire.)

Privacy Preparedness Check-up - PDF (www.ots.treas.gov) (PDF Help)
Office of Thrift Supervision 9/18/2000
Questions to assist examiners in determining efforts of institutional management to achieve compliance with 12 CFR 573. Privacy Preparedness Check-Up (9/18/00).

Privacy Laws and Regulations - PDF (www.occ.gov) 76k (PDF Help)
Office of the Comptroller of the Currency 9/8/2000
Summarizes federal laws and regulations relating to disclosure of consumer financial information to help national banks and subsidiaries understand their statutory obligations. (See 65 FR 35162 (6/1/00).) Privacy Laws and Regulations (9/8/00).

Financial Institution Web Site Privacy Survey
Federal Deposit Insurance Corporation 12/27/1999
Summarizes the Interagency Financial Institution Web Site Privacy Survey Report and encourages financial institutions to establish and follow a privacy policy that addresses fair information practice principles. Issued as FIL-113-99 (12/27/99).

Financial Institution Web Site Privacy Survey Report - PDF (www.ots.treas.gov) 231k (PDF Help)
Joint Agency Release 11/9/1999
Results of an interagency survey of financial institution web sites to determine the extent to which financial institution web sites post privacy policies and information practice statements. Report (11/9/99).

Electronic Commerce and Consumer Privacy
Federal Deposit Insurance Corporation 7/17/1999
Encourages financial institutions to be aware of consumer online privacy issues, and take voluntary, specific actions to address them. Online Privacy of Consumer Personal Information (8/17/98).

OCC Guidance to National Banks on Web Site Privacy Statements (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Provides national banks with examples of effective practices for informing consumers who access bank Internet sites about bank privacy policies for the collection and use of personal information. Issued as AL 99-06 (5/4/99).

Privacy and Accuracy of Personal Customer Information - PDF (www.ots.treas.gov) 706k (PDF Help)
Office of Thrift Supervision 11/3/1998
Recommends that savings associations notify customers of how they will use certain customer information. Issued as CEO Memo 97 (11/3/98).

Risk Management

Authentication in an Internet Banking Environment - PDF (www.ffiec.gov) (PDF Help)
FFIEC 8/15/2006
The Federal Financial Institutions Examination Council (FFIEC) member agencies today released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005.

The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Guidance on Implementing a Fraud Hotline
Federal Deposit Insurance Corporation August 16, 2005
The Federal Deposit Insurance Corporation (FDIC) encourages financial institutions to consider implementing a fraud hotline to assist in their enterprise risk management, corporate governance and fraud protection efforts. The FDIC has established guidelines for institution management to consider when implementing a fraud hotline to ensure its overall effectiveness.

Instructions for Completing the Information Technology Examination Officer's Questionnaire
Federal Deposit Insurance Corporation August 18, 2005
The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions. The FDIC's new risk-focused IT examination procedures focus on the financial institution’s information security program and risk-management practices for securing information assets. The IT Examination Officer's Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination. The new examination procedures apply to all FDIC-supervised financial institutions, regardless of size, technical complexity or prior examination rating. IT examination findings and a single IT "composite" rating will be included in the consolidated Risk Management Report of Examination.

NACHA Rule Changes (www.occ.gov)
Office of the Comptroller of the Currency 12/20/2004
The purpose of this OCC bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

FFIEC Guidance on the use of Free and Open Source Software - PDF (www.federalreserve.gov) 45k (PDF Help)
Federal Financial Institutions Examination Council 12/6/2004
The federal banking, thrift, and credit union regulatory agencies have published guidance for examiners, financial institutions, and technology service providers on the acquisition and use of free and open source software (FOSS). FOSS refers to software that users are permitted to run, study, modify, and redistribute without paying a licensing fee. Some of the most well-known examples of FOSS are the Linux operating system, Apache web server, and mySQL database.

Computer Software Due Diligence Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance
Federal Deposit Insurance Corporation 11/16/2004
The FDIC is issuing guidance to financial institutions on performing proper due diligence when selecting computer software or a service provider. This due diligence includes making sure that the software or service provider is compliant with applicable laws, including the Bank Secrecy Act, which includes the USA PATRIOT Act.

Remittances: A Gateway to Banking for Unbanked Immigrants - PDF (www.occ.gov) (PDF Help)
Office of the Comptroller of the Currency 9/15/2004
This edition of Community Developments Insights addresses the role of banks in providing money transfer services, and describes how banks can use these products to attract unbanked immigrants into the banking system. It also addresses some of the key risks and regulatory issues presented by bank involvement in these products. This publication also addresses a number of legal, compliance, and operational considerations that financial institutions should be aware of when offering remittance products. These include money laundering, customer identification, and third party provider risk.

Wholesale Payment Systems Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 8/26/2004
The Wholesale Payment Systems Booklet provides guidance on the risks and risk management practices applicable to financial institutions' wholesale payment systems activities, including interbank and intrabank payment, messaging, and securities settlement systems. Wholesale payment system activities require careful planning and coordination between IT and business units, and their operation must include strong internal controls and ongoing monitoring. The Wholesale Payment Systems Booklet includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.

Operations Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 8/26/2004
The Operations Booklet provides guidance on the risks and risk management practices applicable to financial institutions' technology operations. Effective support and delivery from IT operations are vital to a financial institution's performance and success. The booklet discusses tactical and strategic support and delivery risks and the controls that should be in place to address them. The booklet also includes examination procedures to evaluate the quality of risk management related to these activities in financial institutions and technology service providers.

Guidance on Instant Messaging
Federal Deposit Insurance Corporation 7/21/2004
This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.

Management Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 7/15/2004
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

Outsourcing Technology Services Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 7/15/2004
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.

Development and Acquisition (www.ffiec.gov)
Federal Financial Institutions Examination Council 5/27/2004
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section.

Retail Payment Systems (www.ffiec.gov)
Federal Financial Institutions Examination Council 3/31/2004
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services.
This booklet replaces chapters 20, "Retail EFT (ATM and POS)" and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
Federal Deposit Insurance Corporation 3/12/2004
The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers.

Internal and External Audits - PDF (www.ffiec.gov) 501k (PDF Help)
Office of the Comptroller of the Currency 4/1/2003
This booklet discusses the OCC's expectations for effective audit functions and will help examiners and bankers assess the quality and effectiveness of internal and external programs appropriate for a bank's size, complexity of activities, scope of operations and risk profile.

Information Technology Examination Procedures
Federal Deposit Insurance Corporation 10/9/2002
The Federal Deposit Insurance Corporation (FDIC) is launching a new program for assessing information technology (IT) risk at FDIC-supervised financial institutions. The program incorporates a new philosophy for categorizing institutions' use of technology and their consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures.

External Audits - PDF (www.ffiec.gov) 103k (PDF Help)
Office of Thrift Supervision 7/1/2002
Guidance on the external audits of thrifts and savings associations

Interagency Policy Statement on the Internal Audit Function and its Outsourcing - PDF (www.ffiec.gov) 431k (PDF Help)
Joint Agency Release 5/17/2002
The policy statement sets forth key characteristics of the auditing function, discusses the outsourcing of audit functions and the effect of Sarbanes-Oxley on financial institutions.

Bank Use of Foreign-Based Third-Party Service Providers - PDF (www.ffiec.gov) 159k (PDF Help)
Office of the Comptroller of the Currency 5/15/2002
This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations.

Guidance on Managing Risks Associated with Wireless Networks and Wireless Customer Access
Federal Deposit Insurance Corporation 2/1/2002
Provides guidance on the risks financial institutions face when implementing wireless technology. Issued as FIL 8-2002 (2/01/02).

Internal Audits - PDF (www.ffiec.gov) 59k (PDF Help)
Office of Thrift Supervision 2/1/2002
Guidance on the internal audits of thrifts and savings associations

ACH Transactions Involving the Internet: Guidance and Examination Procedures - Word (www.occ.gov) 102k (Word Help)
Office of the Comptroller of the Currency 1/14/2002
Highlights the risks associated with automated clearing house (ACH) transactions that involve the use of the Internet and provides guidance for managing those risks. This bulletin incorporates and replaces OCC Advisory Letter 2001-3 (Internet-Initiated ACH Debits/ACH Risks (1/29/01)) (described below). Issued as OCC Bulletin 2002-2 (1/14/02).

Third-Party Relationships - Word (www.occ.gov) 89k (Word Help)
Office of the Comptroller of the Currency 11/1/2001
Provides guidance on managing risks that may arise from business relationships with third parties. Issued as OCC Bulletin 2001-47 (11/1/01).

Authentication In An Electronic Banking Environment
Joint Agency Release 7/30/2001
Reviews the risks and risk management controls of a number of existing and emerging authentication tools necessary to initially verify the identity of new customers and authenticate existing customers that access electronic banking services. This guidance applies to both retail and commercial customers and is intended to be technology neutral. Financial institutions may use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a third party service provider. Issued as FFIEC Authentication Guidance by FDIC, FRB, OTS and OCC.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information - PDF (www.occ.gov) 131k (PDF Help)
Office of the Comptroller of the Currency 7/18/2001
Provides risk-based procedures that allow examiners to tailor the exam scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution. Typically, OCC examiners will use these procedures in the OCC’s largest banks, which have complex IT environments, significant information security concerns, or where less experienced examiners need more detailed guidance. Issued as Examination Procedures (7/18/01).

Effective Practices for Selecting a Service Provider
Federal Deposit Insurance Corporation 6/4/2001
A resource for banks in addressing specific challenges relating to technology outsourcing.

Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
Federal Deposit Insurance Corporation 6/4/2001
A resource for banks in addressing specific challenges relating to technology outsourcing.

Techniques for Managing Multiple Service Providers
Federal Deposit Insurance Corporation 6/4/2001
A resource for banks in addressing specific challenges relating to technology outsourcing.

Bank-Provided Account Aggregation Services - Word (www.occ.gov) 55k (Word Help)
Office of the Comptroller of the Currency 2/28/2001
Discusses the risks of bank-provided account aggregation services, and suggests control mechanisms banks should consider when they offer aggregation services. Issued as OCC Bulletin 2001-12 (3/2/01).

Internet-Initiated ACH Debits/ACH Risks - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/29/2001
Alerts banks to specific Automated Clearing House (ACH) risks and emphasizes the importance of sound ACH risk management practices. Banks that transmit certain Internet-initiated ACH debits will be deemed to warrant that their customers who originate the entries use security measures that meet minimum standards of the National Automated Clearing House Association. Issued as AL 2001-3 (1/29/01).

Comptroller’s Corporate Manual on The Internet and The National Bank Charter - PDF (www.occ.gov) 222k (PDF Help)
Office of the Comptroller of the Currency 1/1/2001
This booklet provides guidance on these processes and the special issues and considerations presented by proposals for these types of banks. The Internet and The National Bank Charter (January 2001).

Risk Management of Technology Outsourcing - PDF (www.ffiec.gov) 135k (PDF Help)
Joint Agency Release 11/28/2000
FFIEC guidance focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Issued by FDIC, FRB, OCC, OTS Guidance (11/28/00).

Digital Signature Deployment Issues
Federal Deposit Insurance Corporation 10/30/2000
Describes four critical issues to consider when deploying digital signature technology. Bank Technology Bulletin (9/30/00).

Infrastructure Threats - Intrusion Risks (www.occ.gov)
Office of the Comptroller of the Currency 5/15/2000
Infrastructure Threats - Intrusion Risks: Message to Bankers and Examiners. Guidance on preventing, detecting, and responding to intrusions into bank computer systems. Issued as OCC Bulletin 2000-14 (5/15/00).

Outsourcing of Information and Transaction Processing (www.federalreserve.gov)
Federal Reserve Board 2/29/2000
Provides supervisory expectations regarding the management of risks that may arise from outsourcing critical information and transaction processing activities by banking organizations. Issued as SR 00-4 (2/29/00).

Information Technology Examination Frequency (www.federalreserve.gov)
Federal Reserve Board 2/29/2000
Eliminates separate information technology exams and highlights that safety and soundness exams should include an assessment and evaluation of information technology risks and risk management. Also discusses exam frequency for service providers. Issued as SR 00-3 (2/29/00).

Internet Security: Distributed Denial of Service Attacks (www.occ.gov)
Office of the Comptroller of the Currency 2/11/2000
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than computers can handle. Issued as Alert 2000-1 (2/11/00).

OCC Examination Handbook on Internet Banking - PDF (www.occ.gov) 226k (PDF Help)
Office of the Comptroller of the Currency 10/14/1999
National Bank examination procedures for Internet banking activities. Internet Banking Handbook (10/14/99).

Risk Assessment Tools and Practices for Information System Security
Federal Deposit Insurance Corporation 7/7/1999
Emphasizes components of a sound information security program: prevention, detection, and response. Supplements FIL-131-97, Security Risks Associated with the Internet (12/18/97), and complements FDIC’s safety and soundness electronic banking examination procedures. Issued as FIL-68-99 (7/7/99).

Certification Authority Systems (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Defines elements of certification authority systems, describes the role of banks in emerging systems, and refers bankers and examiners to OCC Bulletin 98-38, "Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners" and OCC Bulletin 98-3, "Technology Risk Management: Guidance for Bankers and Examiners." Issued as OCC Bulletin 99-20 (5/4/99).

Infrastructure Threats from Cyber-Terrorists (www.occ.gov)
Office of the Comptroller of the Currency 3/5/1999
Identifies threats and vulnerabilities created by cyber-terrorism to financial services industry. Issued as OCC Bulletin 99-9 (3/5/99).

Electronic Banking Examination Procedures
Federal Deposit Insurance Corporation Rev. 2/2000
Provides guidance for information systems specialists to evaluate electronic banking standards and associated risks. DOS Exam Modules (9/1/98).

Technology Risk Management: PC Banking -- Guidance for Bankers and Examiners (www.occ.gov)
Office of the Comptroller of the Currency 8/24/1998
Guidance on how to identify, measure, monitor, and control risks arising from the use of retail personal computer banking. Issued as OCC Bulletin 98-38 (8/24/98).

Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations (www.federalreserve.gov)
Federal Reserve Board 4/20/1998 HTML
Provides examiners guidance to assess IT risks when evaluating Community Banks and Large Complex Banking Organizations. (Supplements SR 97-25, Risk-Focused Framework for Supervision of Community Banks, and SR 97-24, Risk-Focused Framework for Large Complex Institutions.) Issued as SR 98-9 (4/20/98).

Technology Risk Management: Guidance for Bankers and Examiners (www.occ.gov)
Office of the Comptroller of the Currency 2/4/1998
Guidance on how national banks should identify, measure, monitor, and control risks associated with the use of technology. Issued as OCC Bulletin 98-3 (2/4/98).

Security Risks Associated with the Internet
Federal Deposit Insurance Corporation 12/18/1997
Identifies risks to information system security associated with Internet use. Complements FDIC’s safety and soundness examination procedures for electronic banking activities. Issued as FIL-131-97 (12/18/97).

Sound Practices Guidance for Information Security for Networks (www.federalreserve.gov)
Federal Reserve Board 12/4/1997 HTML
Guidance for protecting information and ensuring integrity, availability, and confidentiality. Issued as SR 97-32 (12/4/97).

Information Technology - PDF (www.ots.treas.gov) 89k (PDF Help)
Office of Thrift Supervision 10/15/1997
Updates the OTS examination guidelines for the use of information technology and distributes revised Thrift Activities Regulatory Handbook Section 341, Information Technology (previously titled Electronic Data Processing Controls). Issued as RB 32-6 (10/15/97).

Statement on Retail Online Personal Computer Banking - PDF (www.ots.treas.gov) 152k (PDF Help)
Office of Thrift Supervision 6/23/1997
Alerts board of directors and management to some of the risks and concerns of retail online PC banking. Issued as CEO Memo 70 (6/23/97).

Risk Management and Client/Server Systems
Joint Agency Release 10/8/1996
FFIEC statement to alert board of directors and senior management of financial institutions to risks associated with client/server computing, and encourages development and implementation of sound policies, practices, and procedures and controls over client/server computing environments. Issued as FIL-82-96 (10/8/96).

Electronic Banking Activities – Overview of On-Line Banking - PDF 55k (PDF Help)
Federal Deposit Insurance Corporation 6/16/1996
General information about online banking activities and related supervisory issues. Issued as RD Memo 96-040 (5/16/96).

Business Continuity Planning (www.ffiec.gov)
Federal Financial Institutions Examination Council
This Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.

Draft Community Bank Supervision booklet - PDF (www.occ.gov) 180k (PDF Help)
Office of the Comptroller of the Currency
For community banks, the OCC has incorporated less detailed procedures in the Community Bank Supervision booklet of the Comptroller’s Handbook. Attached is an advanced copy of the IT section that focuses on the adequacy of a bank’s risk management processes and controls to promote integrity, availability and confidentiality of automated information systems.

E-Banking Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls.

Technology Risk Controls - PDF (www.ffiec.gov) 104k (PDF Help)
Office of Thrift Supervision
Guidance for ensuring the integrity of data input, to protect against corruption of the data or the programming, and to test the accuracy of the output.

FedLine Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
The FedLine booklet addresses the risks, risk management practices, and mitigating controls necessary to establish and maintain an appropriate operating environment for the FedLine Funds Transfer (FT) application.

Supervision of Technology Service Providers (www.ffiec.gov)
Federal Financial Institutions Examination Council
The Supervision of Technology Service Providers booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook and rescinds chapters 2-7 of that handbook. This booklet primarily governs the supervision of technology service providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC) member agencies’ (agencies) expectations of financial institutions in the oversight and management of their TSP relationships. This booklet outlines the agencies’ risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers. In addition, this booklet discusses two special IT-related programs administered by the FFIEC agencies: the Multi-Regional Data Processing Servicer (MDPS) Program, geared towards examining large TSPs, and the Shared Application Software Review (SASR) Program aimed at reviewing mission-critical software packages.

Information Security Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council
Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations. Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution. This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 12-14.

Suspicious Activity Reports

New TD F 90-22.47 (SAR for Depository Institutions) - PDF (www.fincen.gov) 180k (PDF Help)
FinCEN
New TD F 90-22.47 (SAR for Depository Institutions) For use beginning July 1, 2003. Previous versions of SAR form will not be accepted after December 31, 2003. (SAR Fill-in Form) (SAR Preparation Guidelines - Word97, PDF) (SAR Software Version 5.1 - This new version of the SAR software corrects errors experienced by Windows XP users.) (SAR Magnetic Media Specifications) All financial institutions operating in the United States, including insured banks, savings associations, savings association service corporations, credit unions, bank holding companies, non-bank subsidiaries of bank holding companies, Edge and Agreement corporations, and U.S. branches and agencies of foreign banks are required to make this report following the discovery of: insider abuse involving any amount, violations aggregating $5,000 or more where a suspect can be identified, violations aggregating $25,000 or more regardless of a potential suspect, or transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act. Full instructions accompany this download.

The SAR Activity Review - PDF (www.fincen.gov) 2390k (PDF Help)
FinCEN 11/1/2003
Provides feedback to financial institutions about suspicious activity reported to Financial Crimes Enforcement Network (FinCEN) by the institutions. It contains Suspicious Activity Report (SAR) statistics; patterns and trends of suspicious activity that have been reported; tips and guidance for financial institutions on form preparation and filing; and information about investigative activity in which SAR information played an important role in a successful investigation and/or prosecution of criminal financial activity. The SAR Review: Trends, Tips & Issues (Issue 6) (11/2003).

Guidance on Identity Theft and Pretext Calling
Federal Deposit Insurance Corporation 5/9/2001
Addresses how banks should protect customer information against identity theft. Also included is guidance on completing Suspicious Activity Reports to report offenses associated with identity theft and pretext calling, i.e., posing as a customer or someone authorized to have customer information in order to obtain confidential customer data. Guidance on Identity Theft and Pretext Calling (5/9/01).

Identity Theft and Pretext Calling - Word (www.occ.gov) 69k (Word Help)
Office of the Comptroller of the Currency 4/30/2001
Informs national banks about two areas of consumer bank fraud, identity theft and pretext calling, and advises them about measures to prevent and detect these types of fraud. Also supplements the interagency guidelines establishing standards to safeguard customer information by focusing on the protection of customer information specifically against identity theft and pretext calling. Issued as AL 2001-4.

Internet Security: Distributed Denial of Service Attacks (www.occ.gov)
Office of the Comptroller of the Currency 2/11/2000
Recommends institutions review and update their capacity for responding to distributed denial of service attacks and other information security threats. These attacks can interrupt customer access to Internet web sites by flooding the targeted sites with more information than computers can handle. Issued as Alert 2000-1 (2/11/00).

Guidance Concerning the Reporting of Computer-Related Crimes by Financial Institutions
Joint Agency Release 12/5/1997
Guidance for reporting violations of the federal criminal statute relating to computer crimes, 18 U.S.C. § 1030, in Suspicious Activity Reports. (Developed by the FBI, working with federal banking agency representatives and other federal law enforcement agencies) Issued as FIL-124-97 (12/5/97).

Third-Party Relationships

Guidance for Financial Institutions on the Use of Foreign-Based Third-Party Service Providers
Federal Deposit Insurance Corporation June 21, 2006
The FDIC has prepared the attached guidance to address the risks inherent in outsourcing relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance provides steps that institutions should take to successfully manage such risks.

NACHA Rule Changes (www.occ.gov)
Office of the Comptroller of the Currency 12/20/2004
The purpose of this OCC bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

Computer Software Due Diligence Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance
Federal Deposit Insurance Corporation 11/16/2004
The FDIC is issuing guidance to financial institutions on performing proper due diligence when selecting computer software or a service provider. This due diligence includes making sure that the software or service provider is compliant with applicable laws, including the Bank Secrecy Act, which includes the USA PATRIOT Act.

Management Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 7/15/2004
The Management Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' information technology activities. Sound IT management is critical to the performance and success of a financial institution. An institution capable of aligning its IT activities to support its business strategies adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall strategic planning and corporate governance efforts.

Outsourcing Technology Services Booklet (www.ffiec.gov)
Federal Financial Institutions Examination Council 7/15/2004
The Outsourcing Technology Services Booklet provides guidance on the risks and risk-management practices applicable to financial institutions' outsourcing IT activities, including service provider selection, contract issues, and ongoing monitoring of the relationship. The booklet also includes guidance on the risks and risk-management issues unique to foreign service providers. Outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and the integrity of the data is maintained. Thus, ongoing monitoring of the relationship is crucial to ensure key terms of service level agreements are followed, confidentiality of information is safeguarded, and the service provider maintains operational stability.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks - PDF 245k (PDF Help)
Federal Deposit Insurance Corporation 6/16/2004
This study presents the FDIC's findings with regard to the risks of offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective, with particular emphasis on the threats posed to customer privacy.

Development and Acquisition (www.ffiec.gov)
Federal Financial Institutions Examination Council 5/27/2004
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section.

Retail Payment Systems (www.ffiec.gov)
Federal Financial Institutions Examination Council 3/31/2004
The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities. Financial institutions, either in consortiums or acting independently, remain the core providers to businesses and consumers for most retail payment instruments and services.
This booklet replaces chapters 20, "Retail EFT (ATM and POS)" and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems Examination Handbook. The booklet presents retail payment systems examination guidance in three parts, followed by examination procedures, a glossary, and references.

Statement of Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations - PDF (www.ffiec.gov) 310k (PDF Help)
Joint Agency Release 5/1/2003
Guidance on the effect of Sarbanes-Oxley on small, non-public banking institutions.

Weblinking
Joint Agency Release 4/23/2003
Federal bank and credit union regulatory agencies have issued guidance to assist financial institutions in identifying risks posed by the use of weblinks on their websites, and to suggest a variety of risk-management techniques that institutions should consider using to mitigate those risks. This guidance applies to institutions that develop and maintain their own websites, as well as institutions that use third-party service providers for this

Internal and External Audits - PDF (www.ffiec.gov) 501k (PDF Help)
Office of the Comptroller of the Currency 4/1/2003
This booklet discusses the OCC's expectations for effective audit functions and will help examiners and bankers assess the quality and effectiveness of internal and external audit programs appropriate for a bank's size, complexity of activities, scope of operations, and risk profile.

External Audits - PDF (www.ffiec.gov) 103k (PDF Help)
Office of Thrift Supervision 7/1/2002
Guidance on the external audits of thrifts and savings associations.

Interagency Policy Statement on the Internal Audit Function and its Outsourcing - PDF (www.ffiec.gov) 430k (PDF Help)
Joint Agency Release 5/17/2002
The policy statement sets forth key characteristics of the auditing function, discusses the outsourcing of audit functions and the effect of Sarbanes-Oxley on financial institutions.

Bank Use of Foreign-Based Third-Party Service Providers - PDF (www.ffiec.gov) 159k (PDF Help)
Office of the Comptroller of the Currency 5/15/2002
This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations.

Internal Audits - PDF (www.ffiec.gov) 59k (PDF Help)
Office of Thrift Supervision 2/1/2002
Guidance on the internal audits of thrifts and savings associations.

Third-Party Relationships - Word (www.occ.gov) 89k (Word Help)
Office of the Comptroller of the Currency 11/1/2001
Provides guidance on managing risks that may arise from business relationships with third parties. Issued as OCC Bulletin 2001-47 (11/1/01).

Weblinking - Word (www.occ.gov) 80k (Word Help)
Office of the Comptroller of the Currency 7/3/2001
Highlights risks involved in weblinking relationships with third parties and provides risk-management guidance to banks on weblinking relationships with affiliated and unaffiliated third parties. Issued as OCC Bulletin 2001-31 (7/3/01).

Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
Federal Deposit Insurance Corporation 6/4/2001
A resource for banks in addressing specific challenges relating to technology outsourcing.

Techniques for Managing Multiple Service Providers
Federal Deposit Insurance Corporation 6/4/2001
A resource for banks in addressing specific challenges relating to technology outsourcing.

Effective Practices for Selecting a Service Provider
Federal Deposit Insurance Corporation 6/4/2001
A resource for banks in addressing specific challenges relating to technology outsourcing.

Joint Interpretive Letter Concerning Sharing of Account Numbers for Use in Marketing - PDF (www.occ.gov) 100k (PDF Help)
Joint Agency Release 5/4/2001
Interagency response to a letter asking the Federal banking agencies to allow financial institutions to disclose unencrypted account numbers to a third party for use in marketing. (Certain information has been removed from the response to protect the privacy of the correspondent.)

Privacy Rule Handbook
Federal Deposit Insurance Corporation 1/25/2001
Explains the basic requirements of 12 CFR Part 332 (the privacy rule described above); provides suggestions for implementing the rule to meet the July 1 deadline; suggests activities to monitor and maintain compliance; and describes in detail key terminology in the rule. (See 65 FR 35162 (6/1/00).) Privacy Rule Handbook (1/22/01).

Privacy Preparedness - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
Helps prepare national banks for implementation of 12 CFR Part 40. A questionnaire is attached to assist national banks in their preparation and in performing a self-assessment. Issued as AL 2001-2 (1/22/01). (See also the Privacy Preparedness Questionnaire.)

Privacy Preparedness Questionnaire - Word (www.occ.gov) (Word Help)
Office of the Comptroller of the Currency 1/22/2001
The self-assessment questionnaire attached to AL 2001-2 (1/22/01), to assist national banks in preparing for implementation of 12 CFR Part 40. (See also Privacy Preparedness, the advisory letter to which it is attached.)

Risk Management of Technology Outsourcing - PDF (www.ffiec.gov) 135k (PDF Help)
Joint Agency Release 11/28/2000
FFIEC guidance focusing on the risk-management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Issued jointly by the FDIC, FRB, OCC, and OTS (11/28/00).

Privacy Laws and Regulations - PDF (www.occ.gov) 76k (PDF Help)
Office of the Comptroller of the Currency 9/8/2000
Summarizes federal laws and regulations relating to disclosure of consumer financial information to help national banks and their subsidiaries understand their statutory obligations. (See 65 FR 35162 (6/1/00).) Privacy Laws and Regulations (9/8/00).

Outsourcing of Information and Transaction Processing (www.federalreserve.gov)
Federal Reserve Board 2/29/2000
Provides supervisory expectations regarding the management of risks that may arise from outsourcing critical information and transaction processing activities by banking organizations. Issued as SR 00-4 (2/29/00).

OCC Guidance to National Banks on Web Site Privacy Statements (www.occ.gov)
Office of the Comptroller of the Currency 5/4/1999
Provides national banks with examples of effective practices for informing consumers who access bank Internet sites about bank privacy policies for the collection and use of personal information. Issued as AL 99-06 (5/4/99).

Supervision of Technology Service Providers (www.ffiec.gov)
Federal Financial Institutions Examination Council
The Supervision of Technology Service Providers booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook and rescinds chapters 2-7 of that handbook. This booklet primarily governs the supervision of technology service providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC) member agencies' (agencies) expectations of financial institutions in the oversight and management of their TSP relationships. The booklet outlines the agencies' risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers. In addition, it discusses two special IT-related programs administered by the FFIEC agencies: the Multi-Regional Data Processing Servicer (MDPS) Program, geared toward examining large TSPs, and the Shared Application Software Review (SASR) Program, aimed at reviewing mission-critical software packages.

Truth in Lending

Electronic Financial Services and Consumer Compliance - PDF (www.ffiec.gov) 64k (PDF Help)
Joint Agency Release 7/16/1998
FFIEC guidance on the application of federal consumer protection laws and regulations to electronic financial services. Guidance (7/16/98).

Truth in Savings

Electronic Financial Services and Consumer Compliance - PDF (www.ffiec.gov) 64k (PDF Help)
Joint Agency Release 7/16/1998
FFIEC guidance on the application of federal consumer protection laws and regulations to electronic financial services. Guidance (7/16/98).


Last Updated 04/21/2010 legal@fdic.gov