31468 Federal Register / Vol. 63, No. 110 / Tuesday, June 9, 1998 / Notices
FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
Uniform Rating System for Information Technology
AGENCY: Federal Financial Institutions Examination Council.
ACTION: Notice and request for comment.
SUMMARY: The Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) (collectively referred to as the federal supervisory agencies), under the auspices of the Federal Financial Institutions Examination Council (FFIEC) request comment on proposed changes to the Uniform Interagency Rating System for Data Processing Operations, commonly referred to as the Information Systems rating system. The proposed revisions change the name of the rating system to the Uniform Rating System for Information Technology (URSIT) and reflect changes that have occurred in the data processing services industry and in supervisory policies and procedures since the rating system was first adopted in 1978. The proposed changes revise the numerical ratings to conform to the language and tone of the Uniform Financial Institution Rating System (UFIRS) rating definitions, commonly referred to as the CAMELS rating system; reformat and clarify the component rating descriptions; emphasize the quality of risk management processes in each of the rating components; add two new component categories, Development and Acquisition, and Support and Delivery as replacements for Systems Development and Programming, and Operations; and explicitly identify the risk types that are considered in assigning component ratings. After reviewing public comments, the FFIEC intends to make appropriate additional changes to the revised URSIT, if necessary, and adopt a final information technology rating system.
The term financial institution refers to those FDIC insured depository institutions whose primary Federal supervisory agency is represented on the FFIEC, Bank Holding Companies, Branches and Agencies of Foreign Banking Organizations, and Thrifts. The term "service provider" refers to organizations that provide data processing services to financial institutions. Uninsured trust companies that are chartered by the OCC, members of the Federal Reserve System, or subsidiaries of registered bank holding companies or insured depository institutions are also covered by this action.
DATES: Comments must be received by August 10, 1998.
ADDRESSES: Comments should be sent to Keith Todd, Acting Executive Secretary, Federal Financial Institutions Examination Council, 2100 Pennsylvania Avenue, NW, Suite 200, Washington, DC 20037 (Fax number: (202) 634–6556). Comments will be available for public inspection during regular business hours at the above address. Appointments to inspect comments are encouraged and can be arranged by calling the FFIEC at (202) 634–6526.
FOR FURTHER INFORMATION CONTACT:
FRB: Charles Blaine Jones, Supervisory EDP Analyst, Specialized Activities, (202) 452–3759, Division of Banking Supervision and Regulation, Board of Governors of the Federal Reserve System, Mail Stop 182, 20th and C Streets, NW, Washington, DC 20551
FDIC: Stephen A. White, Review Examiner (Information Systems), (202) 898–6923, Division of Supervision, Federal Deposit Insurance Corporation, Room F–6010, 550 17th Street, NW, Washington, DC 20429
OCC: Norine Richards, National Bank Examiner, (202) 874–4924, Bank Technology Unit, Office of the Comptroller of the Currency, Mail Stop 7–9, 250 E Street, SW, Washington, D.C. 20219
OTS: Jennifer Dickerson, Program Manager, Information System Examinations, Compliance Policy, (202) 906–5631, Office of Thrift Supervision, 1700 G Street, NW, Washington, D.C. 20552
SUPPLEMENTARY INFORMATION:
Background Information
The Uniform Interagency Rating System for Data Processing Operations is an internal rating system used by federal and state regulators to assess uniformly financial institution and service provider risks introduced by information technology and for identifying those institutions and service providers requiring special supervisory attention. The current rating system was adopted in 1978 by the OCC, OTS, FDIC and FRB, and is commonly referred to as the IS rating system. Each financial institution or service provider is assigned a composite rating based on an evaluation and rating of four essential components of an institution’s information technology. These components address the following: the adequacy of the information technology audit function; the capability of information technology management; the adequacy of systems development and programming, and the quality, reliability, availability and integrity of information technology operations. Both the composite and component ratings are assigned on a "1" to "5" numerical scale. A "1" indicates the strongest performance and management practices, and the least degree of supervisory concern, while a "5" indicates the weakest performance and management practices and, therefore, the highest degree of supervisory concern.
The composite rating reflects the overall condition of an institution’s or service provider’s information technology function. The composite ratings are used by the federal and state supervisory agencies to monitor aggregate trends in the overall administration of information technology.
The IS rating system has proven to be an effective means for the federal and state supervisory agencies to determine the condition of an institution’s or service provider’s information technology function. A number of changes, however, have occurred in information technology and in supervisory policies and procedures since the rating system was first adopted. The FFIEC’s Task Force on Supervision has reviewed the existing rating system in light of these industry trends. The Task Force has concluded that the current rating system framework should be modified to provide a more effective vehicle for summarizing conclusions about the condition of an institution’s or service provider’s information technology function. As a result, the FFIEC proposes to retain the basic rating framework, and the revised rating system will continue to assign a composite rating based on an evaluation and rating of essential components of an institution’s or service provider’s information technology function. However, the FFIEC proposes certain enhancements to the rating system.
Discussion of Proposed Changes to the Rating System
1. Structure and Format
The FFIEC proposes to enhance and clarify the component rating descriptions by reformatting each component into three distinct sections. These sections are: (a) An introductory paragraph discussing in general terms the areas to be considered when rating each component; (b) a bullet-style listing of the specific evaluation factors
to be considered when assigning the component rating; and, (c) a brief qualitative description of the five rating grades that can be assigned to a particular component.
2. Alignment of Composite and Component Ratings
The FFIEC proposes changes to revise the definitions of the composite and component ratings to align the URSIT rating definitions more closely with the language and tone of the UFIRS rating definitions. For example, under the current rating system a composite "3" rated information technology function has performance that is flawed to some degree and is considered to be of below average quality, while under the UFIRS a composite "3" rated bank or service provider exhibits some degree of supervisory concern due to a combination of weaknesses that may range from moderate to severe. The proposed revision brings the URSIT in line with the language and tone of the UFIRS.
3. Component Reorganization
The current rating system has four components: (1) Audit; (2) Management; (3) Systems Development and Programming; and (4) Operations. The FFIEC is proposing to replace the current "Systems Development and Programming" and "Operations" components with two new component categories, "Development and Acquisition", and "Support and Delivery". The new components will address all areas assessed in the current Systems Development and Programming and Operations components. In addition, the new components will provide a more effective framework for the risks encountered in distributed processing environments and emerging technology.
4. Composite Rating Definitions
The FFIEC is proposing changes in the composite rating definitions to parallel the changes in the component rating descriptions. Under the FFIEC’s proposal, the revised composite rating definitions would contain an explicit reference to the quality of overall risk management practices. The basic context of the existing composite rating definitions is being retained. The composite rating would continue to be based on a careful evaluation of an institution’s or service provider’s ability to monitor, manage, develop, acquire, support and deliver information technology services.
5. Risk Management
The FFIEC is proposing that the revised rating system emphasize risk management processes. Changes in information technology have broadened the range of products and services offered. These trends reinforce the importance of institutions having sound risk management processes. Accordingly, the revised rating system would contain language in each of the components emphasizing the consideration of processes to identify, measure, monitor, and control risks.
Request for Comments
The FFIEC requests comment on the proposed revisions to the URSIT ("the proposal"). In particular, the FFIEC invites comments on the following questions:
1. Does the proposal capture the essential risk areas of information technology?
2. Does the proposal adequately address distributed processing environments, as well as centralized processing environments?
3. Does the proposal adequately address risks to financial institutions that process their data in-house as well as to data processing service providers?
4. Are the definitions for the individual components and the composite numerical ratings in the proposal consistent with the language and tone of the UFIRS definitions?
5. Are there any components which should be added to or deleted from the proposal?
6. Given the trend toward the integration of safety and soundness and information technology examination functions by the federal supervisory agencies, does a separate rating system for information technology continue to be useful?
Text of the Revised Uniform Rating System for Information Technology
Uniform Rating System for Information Technology
Introduction
The quality, reliability, and integrity of a financial institution’s or service provider’s information technology (IT) affect all aspects of its performance. An assessment of the technology risk management framework is necessary whether or not the institution itself or a third-party service provider manages these operations. The Uniform Rating System for Information Technology (URSIT) is an internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT. It also allows the regulators to identify those insured institutions and service providers whose information technology risk exposure requires special supervisory attention. The rating system includes component and composite rating descriptions and the explicit identification of risks and assessment factors that might be considered in assigning component ratings. Additionally, information technology can affect the risks associated with financial institutions. For each IT rating component the effect on credit, operational, market, reputation, strategic, and compliance risks should be considered.
The purpose of the rating system is to identify those entities whose risk exposure requires special supervisory attention. This rating system assists examiners in making an assessment of risk and compiling examination findings. However, the rating system does not drive the scope of an examination. Examiners should use the rating system to help evaluate the entity’s overall risk exposure, and determine the degree of supervisory attention believed necessary to ensure that weaknesses are addressed and that risk is properly managed.
Overview
The URSIT is based on a risk evaluation of four critical components: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS). These components, when combined, are used to assess the overall performance of IT within an organization. Examiners evaluate the functions identified within each component to assess the institution’s ability to identify, measure, monitor and control information technology risks. Each organization examined for IT is assigned a summary or composite rating based on the overall results of the evaluation. The IT composite rating and each component rating are based on a scale of "1" through "5" in ascending order of supervisory concern; "1" representing the highest rating and least degree of concern, and "5" representing the lowest rating and highest degree of concern.
The first step in developing an IT composite rating for an organization is the assignment of a performance rating to the individual AMDS components. The evaluation of each of these components, their interrelationships, and relative importance is the basis for the composite rating. The composite rating is derived by making a qualitative summarization of all of the AMDS components. A direct relationship exists between the composite rating and the individual AMDS component