BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF
BANKING
SUPERVISION
AND
REGULATION
SR 00-3
(SUP)
February 29,
2000
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Information Technology Examination Frequency
Banking organizations increasingly rely on information technology to
conduct their operations and manage risks. As outlined in SR letter 98-9, "Assessment of
Information Technology in the Risk-Focused Frameworks for the Supervision of
Community Banks and Large Complex Banking Organizations," the use of information
technology can have important implications for a banking organization's financial
condition, risk profile, and operating performance and should be incorporated into the
safety and soundness assessment of each organization. In order to facilitate the
integration of information technology supervision within the overall risk-focused
supervisory process, the separate frequency guidelines for information technology
examinations are being eliminated. Instead, all safety and soundness examinations (or
examination cycles) of banking organizations conducted by the Federal Reserve should
include an assessment and evaluation of information technology risks and risk
management.
The scope of the information technology assessment should generally be
sufficient to assign a composite rating under the Uniform Rating System for Information
Technology (URSIT).1 URSIT component ratings may be updated at the examiner's
discretion based on the scope of the assessment. The scope would normally be based on
factors such as:
•
Implementation of new systems or technologies since the last
examination.
• Significant changes in operations, such as mergers or systems
conversions.
• New or modified outsourcing relationships for critical operations.
• Targeted examinations of business lines where internal controls or
risk management are heavily d