3109 Federal Register / Vol. 64, No. 12 / Wednesday, January 20, 1999 / Notices
FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL

Uniform Rating System for Information Technology

AGENCY: Federal Financial Institutions Examination Council.

ACTION: Notice.

SUMMARY: The Federal Financial Institutions Examination Council (FFIEC) revised the Uniform Interagency Rating System for Data Processing Operations, commonly referred to as the Information Systems (IS) rating system. The revision changed the name of the rating system to the Uniform Rating System for Information Technology (URSIT) and reflects changes that have occurred in the data processing services industry and in supervisory policies and procedures since the rating system was first adopted in 1978. The revision conformed the numerical ratings to the language and tone of the Uniform Financial Institution Rating System (UFIRS) rating definitions, commonly referred to as the CAMELS rating system; reformatted and clarified the component rating descriptions; emphasized the quality of risk management processes in each of the rating components; added two new component categories, “Development and Acquisition” and “Support and Delivery”, as replacements for “Systems Development and Programming” and “Operations”; and explicitly identified the risk types that are considered in assigning component ratings.

The term “financial institution” refers to those FDIC-insured depository institutions whose primary Federal supervisory agency is represented on the FFIEC, Bank Holding Companies, Branches and Agencies of Foreign Banking Organizations, and Thrifts. The term “service provider” refers to organizations that provide data processing services to financial institutions. Uninsured trust companies that are chartered by the Office of the Comptroller of the Currency (OCC), members of the Federal Reserve System, or subsidiaries of registered bank holding companies or insured depository institutions are also covered by this action.
FOR FURTHER INFORMATION CONTACT:

FRB: Charles Blaine Jones, Supervisory EDP Analyst, Specialized Activities, (202) 452–3759, Division of Banking Supervision and Regulation, Board of Governors of the Federal Reserve System, Mail Stop 175, 20th and C Streets, NW, Washington, D.C. 20551.

FDIC: Stephen A. White, Review Examiner (Information Systems), (202) 898–6923, Division of Supervision, Federal Deposit Insurance Corporation, Room F–6010, 550 17th Street, NW, Washington, D.C. 20429.

OCC: Robert J. Hemming, National Bank Examiner, (202) 874–4929, Bank Technology Unit, Office of the Comptroller of the Currency, Mail Stop 7–8, 250 E Street, SW, Washington, D.C. 20219.

OTS: Jennifer Dickerson, Program Manager, Information System Examinations, Compliance Policy, (202) 906–5631, Office of Thrift Supervision, 1700 G Street, NW, Washington, D.C. 20552.
SUPPLEMENTARY INFORMATION:

Background Information

On June 9, 1998, the FFIEC published a notice in the Federal Register (June Notice), 63 FR 31468–31475, requesting comment on proposed revisions to the Uniform Interagency Rating System for Data Processing Operations. This rating system is an internal supervisory examination rating system used by federal and state regulators to assess uniformly the risks that information technology introduces to financial institutions and service providers, and to identify those institutions and service providers requiring special supervisory attention. The current rating system was adopted in 1978 by the OCC, OTS, FDIC and FRB, and is commonly referred to as the IS rating system. Under the IS rating system, each financial institution or service provider is assigned a composite rating based on an evaluation and rating of four essential components of an institution’s information technology activities. These components address the following: the adequacy of the information technology audit function; the capability of information technology management; the adequacy of systems development and programming; and the quality, reliability, availability and integrity of information technology operations. The composite and component ratings are assigned on a “1” to “5” numerical scale. A rating of “1” indicates the strongest performance and management practices and the least degree of supervisory concern, while a rating of “5” indicates the weakest performance and management practices and, therefore, the highest degree of supervisory concern.

The IS rating system has proven to be an effective means for the federal and state supervisory agencies to assist examiners in determining the condition of an institution’s or service provider’s information technology function. A number of changes, however, have occurred in information technology and in supervisory policies and procedures since the rating system was first adopted. As a result, the FFIEC is renaming the rating system the Uniform Rating System for Information Technology (URSIT) and making certain enhancements to the rating system, while retaining its basic framework. The URSIT enhancements:

• Realign the URSIT rating definitions to bring them in line with UFIRS.

• Replace the current “Systems Development and Programming” and “Operations” components with two new component categories, “Development and Acquisition” and “Support and Delivery”.

• Reinforce the importance of risk management processes with language in each of the rating components emphasizing the consideration of processes to identify, measure, monitor, and control risks.
Comments Received and Changes Made

The FFIEC received eight comments regarding the proposed revisions to the URSIT. Three of the comments were from banks and credit unions, two from third-party service providers, two from financial institution trade associations, and one from a technology vendor. Examiners field-tested the revised rating system during bank and thrift information system examinations conducted between June and August 1998. The examiners provided comments regarding the revised rating system. Examiner responses were generally favorable, and no significant problems or unanticipated rating differences were encountered between the former and updated rating systems. The FFIEC carefully considered each comment and examiner response and made certain changes. The following discussion describes the comments received (both through public comment and agency field-testing) and the changes made to the URSIT in response to those comments. The updated URSIT is included at the end of this Notice.

June Notice Specific Questions

In addition to requesting general comments regarding the proposed system, the FFIEC invited comments on six specific questions:

1. Does the proposal capture the essential risk areas of information technology?

The majority of the responses to this question were positive, and no changes were made. One commenter expressed concerns that the significance of contingency planning in maintaining
mission-critical applications in the event of a computer system failure was not adequately addressed. This concern is addressed later in this Notice under Contingency Planning.

2. Does the proposal adequately address distributed processing environments, as well as centralized processing environments?

The majority of the responses to this question were positive. Two commenters expressed concerns that the proposal did not adequately address distributed processing environments. One commenter recommended that specific language be used to emphasize network security issues, electronic commerce, and Internet controls. The FFIEC has added language to the Support and Delivery component to explicitly include electronic commerce and the Internet. One commenter expressed concerns that the proposal does not address the complexities and risks of contingency planning and data recovery in a distributed processing environment. This concern is addressed later in this Notice under Data Processing Service Providers and Contingency Planning.

3. Does the proposal adequately address risks to financial institutions that process their data in-house as well as to data processing service providers?

The majority of responses to this question were positive. Three commenters noted concerns regarding the proposal’s adequacy to address risks to data processing service providers. This concern is addressed later in this Notice under Data Processing Service Providers.

4. Are the definitions for the individual components and the composite numerical ratings in the proposal consistent with the language and tone of the UFIRS definitions?

The majority of responses to this question were positive. Two commenters recommended revisions in the language of the proposal to make it more consistent with UFIRS. The FFIEC made additional changes in the language of the URSIT to make it more consistent with UFIRS.

5. Are there any components which should be added to or deleted from the proposal?

The majority of the responses to this question were negative. One commenter recommended that a fifth component entitled “Contingency Planning” be added to the URSIT. This recommendation is addressed later in this Notice under Contingency Planning.

6. Given the trend toward the integration of safety and soundness and information technology examination functions by the federal supervisory agencies, does a separate rating system for information technology continue to be useful?

The majority of the responses to this question were positive, and no changes were made. One commenter suggested that the integration of the examination functions deserves more study. This commenter expressed a concern that the convergence of information technology applications with the operation of the payments system is likely to result in considerable duplication in the examination process and an inconsistent evaluation of risk management procedures for information technology activities and payments system risk. The FFIEC is working toward the integration of the safety and soundness and information technology examination functions. This concern is addressed later in this Notice under Risk Management.

Data Processing Service Providers

Two commenters expressed concerns that the URSIT provides little guidance regarding the differentiation of data processing service providers whose operations vary by size and complexity. The FFIEC designed the rating system so that examiners could adapt its concepts to entities of varying size and complexity. Examination strategies and objectives are written based on the guidelines in the FFIEC Information Systems Examination Handbook¹ (IS Handbook). Specifically for data processing service providers, this guidance is contained in Chapter 22 of the IS Handbook and, generally for all entities, in Chapters 2 through 5. The FFIEC oversees the application of the URSIT through its Information Systems Subcommittee. Future editions of the FFIEC IS Handbook will be reviewed and edited to ensure they continue to provide appropriate guidance for the application of the URSIT to all data processing service providers.

One commenter expressed a concern that the URSIT does not adequately address what banks that use data processing service providers should do in situations where their control is limited. Guidance for banks that receive data processing services is available from Chapter 22 of the FFIEC IS Handbook. This chapter specifically addresses control and administration issues in contracting with and monitoring service providers. The FFIEC designed the URSIT so that examiners could apply the concepts of the rating system to institutions that perform their data processing in-house as well as to those institutions that outsource this function to a third party. The flexibility of the URSIT allows an examiner to include, within the scope of examination, the appropriate requirements and exclude those requirements that do not apply.

¹ Federal Financial Institutions Examination Council, Information Systems Examination Handbook, 1996.
Risk Management

The revised rating system reflects an increased emphasis on risk management processes. One commenter expressed concern about whether the increased emphasis on risk management in the URSIT will be implemented and applied in a manner that is consistent with risk management principles articulated in other bank supervision initiatives, particularly those dealing with payments system risk. The FFIEC is working toward the integration of the safety and soundness and information technology examination functions. The future implementation of an integrated examination process by the FFIEC will need to address the consistent application of risk management principles and oversight of information technology activities and other operational areas. Accordingly, the FFIEC will review the URSIT periodically to ensure its compatibility with the evolving examination process. In the interim, the assessment of information technology risk management is guided by Chapter 2 of the FFIEC IS Handbook and other policy statements deemed appropriate.

Contingency Planning

One commenter suggested that the URSIT should formally address contingency planning guidelines under a separate rating to assess an institution’s ability to quickly recover from a major disruption without risking a loss of its data. The commenter suggested that the URSIT should include ratings that reflect a more comprehensive assessment of an institution’s contingency plan and that they should define the time needed for an institution to resume core applications.

The FFIEC agrees that contingency planning and business resumption are important to the viability of any financial institution. To supervise and assess these activities, the FFIEC’s revised interagency policy on Corporate Business Resumption and Contingency Planning (SP–5) provides general policies for financial institutions. This policy establishes goals and accountability for contingency planning and defines a financial institution’s responsibilities regarding contingency