OCC 2004-40 OCC BULLETIN Subject: FFIEC Information Technology Examination Handbook Description:FFIEC IT Booklets on IT Operations and Wholesale Payment Systems Date: September 2, 2004 TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel The Federal Financial Institutions Examination Council (FFIEC) has issued two booklets that provide updated guidance on information technology (IT) operations and wholesale payment systems. These booklets complete the series that updates and replaces the 1996 FFIEC Information Systems (IS) Examination Handbook. Operations Booklet The role technology plays in supporting the business function has become increasingly complex. IT operations-traditionally housed in a computer data center with user connections through terminals-are now more dynamic and include distributed environments, integrated applications, networking options, Internet connectivity, and an array of computer operating platforms. Effective support and delivery from IT operations is vital to the performance of most critical business lines in the institution. This booklet covers the risks and expected controls necessary to manage IT operations across the institution. Operational IT risks involve more than just technology; risk management controls must also include sound processes and well-trained people. Effective support and delivery from IT operations is vital to the performance of most critical business lines in the institution. This booklet rescinds and replaces Chapters 13 ("Operations") and 17 ("Document Imaging") of the 1996 FFIEC IS Examination Handbook. Wholesale Payment Systems Booklet Wholesale payment systems consist of numerous financial intermediaries, financial services firms, and nonbank businesses that create, distribute, and process large-value payments. Most of these payments are processed electronically and are generally used to purchase, sell, or finance securities transactions; disburse or repay loans; settle real estate transactions; or make large-value, time-critical payments. This booklet describes the risks associated with wholesale payment systems and the risk management controls that management should establish to mitigate these risks. It also includes discussion of the legal framework for interbank payment systems, the Federal Reserve Board's Payments System Risk Policy, and the "Interagency Paper on Sound Practices to Strengthen the Resiliency of the U.S. Financial System." National banks that participate in wholesale payment systems or are considering deploying such systems should use this guidance to assess risks to the bank and implement appropriate risk management processes. This booklet rescinds Chapter 18 ("Wholesale EFT") of the 1996 FFIEC IS Examination Handbook. The attached FFIEC press release describes the handbook update process and provides a link (www.ffiec.gov/guides.htm) to electronic versions of both booklets. To accommodate institutions with limited access to the Internet, the Office of the Comptroller of the Currency (OCC) will also include these booklets in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any institution that is not able to download the booklets may order printed copies. Please send your request to the Office of the Comptroller of the Currency, 250 E Street, SW, Mail Stop 4-8, Washington, DC 20219. If you need assistance obtaining a copy, please contact the OCC's Communications Division at (202) 874- 4700. Other questions regarding these booklets should be directed to your OCC supervisory office or the Bank Information Technology Division at (202) 874-4740. _________________________________________ Mark L. O'Dell Deputy Comptroller, Operational Risk Department Attachment: FFIEC Press Release [http://www.occ.treas.gov/ftp/bulletin/2004-40a.pdf]