The banking regulatory agencies periodically examine banking practices, including Information Technology, at the banking institutions they oversee. In this workshop, you will hear about the basic tenets behind the Information Technology (IT) examinations conducted by banking regulatory agencies and how the preliminary information gathered is applied - i) in choosing appropriate workprograms and ii) in identifying the examiner IT skill and experience necessary for conducting each exam. Further, this workshop will prepare the attendees to respond to the pre-examination IT Questionnaire in the most appropriate manner.
Even though technological advances in the banking sector have been ever-evolving for decades, the last few years have been noteworthy with the advent of Internet-based banking technologies and a myriad of outsourcing arrangements with Technology Service Providers. On one hand, these advances have accelerated the pace at which banking services are offered by institutions of ALL sizes; on the other, they have created a management challenge. In order to keep up with the changing technological environment and market conditions, the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook, which was developed through a collaborative effort of the FFIEC's five member agencies, replaced the 1996 FFIEC Information Systems Examination Handbook. The FFIEC issued the initial 12 booklets that make up the FFIEC IT Examination Handbook. The topics of these booklets include:
- Business Continuity Planning;
- Development and Acquisition;
- Electronic Banking;
- Information Security;
- IT Audit;
- IT Management;
- Outsourcing Technology Services;
- Retail Payment Systems;
- Supervision of Technology Service Provider; and
- Wholesale Payment Systems.
These booklets address significant changes in technology since 1996 and incorporate a risk-based examination approach. The Information Security booklet was most recently updated in July 2006.
During the course of this workshop, the attendees will gain an understanding of how the regulatory examinations are based on the concepts and guidance provided in these booklets. We will also discuss how the banking rules & regulations, including GLBA Section 501(b), the Bank Secrecy Act, the Patriot Act and FACTA among others, are taken into account during the Information Technology examinations.
Based on the preliminary information provided by an institution on the technology in use and the applicable practices, and on the information available from previous examinations, bank examiners develop an initial scope for each IT exam. However, examiners have considerable discretion to expand or contract the scope once onsite, and to utilize any agency-specific or FFIEC-approved work program targeting specific technologies or functions (wire transfer systems, ACH, etc.).
The following major categories give an overview of the Information Technology examination process. These categories will be discussed during this workshop, with emphasis on the areas that have typically been somewhat problematic for banking institutions.
- Review prior/post examination documents; incorporate management discussions, changes in technology, personnel, and services, security incidents, and audit findings.
- Complete the Technology Profile Script.*

IT Examination Officer's Questionnaire
- Furnish the IT Questionnaire to management to complete via agreed-upon procedures.

Risk Scoping Tools
- Use the Technology Profile Script and the IT Questionnaire to gain an understanding of the institution's risk management practices.
- Develop a preliminary institution risk profile based upon historical and other information obtained using all risk scoping tools.

Onsite Examination Procedures
- Execute the scope based upon the preliminary assessment of responses and the understanding of the institution's risk profile.
- Assign a composite rating at the conclusion of the examination based on the FFIEC rating definitions.
- Document exam findings within the IT Summary Analysis Form, and prepare ROE comments.
*The Technology Profile Script (TPS) is a standardized basic measurement tool for the complexity and risk of the technology deployed at a financial institution. The TPS is the primary tool used to categorize institutions into Type I, Type II, Type III, or Type IV Technology Profiles. The TPS may be used as a guide in planning Information Technology examinations by identifying key risk areas and by identifying the necessary examiner IT skills and experience based upon the guidelines.