On May 13, 2022, the FFIEC published an entry to the IT Examination Handbook Infobase What's New page stating that they had rescinded the E-Banking booklet. If you're anything like me, you may be asking questions like "why" and "what am I expected to do now?" If that's you, you've come to the right place. Let's answer those questions.

What does "rescinded" mean?

In the context of what the FFIEC did to this booklet, "rescinded" means they essentially archived it and will no longer include it as part of future examinations. The E-Banking booklet can still be accessed on their website under the Archived Booklets section. The big difference is that, unlike the other booklets listed on this page, they do not intend to release any future iterations of the E-Banking booklet.

Why was the booklet rescinded?

According to the FFIEC, they are changing the approach they use to write the booklets. Historically, the FFIEC has taken a topical approach to their booklets. For example, they would write guidance for specific systems like electronic banking (e-banking).

The problem with writing topical booklets is that it is not scalable, and appropriate updates are difficult to manage with how quickly technology changes. There is no way the FFIEC could write a booklet for every form of technology used by a financial institution, especially in the age of emerging technologies.

What are they doing instead?

The FFIEC said they now plan to write "principles-based" booklets. What this means is they won't write a booklet for every topic or technology. Instead, they'll write booklets focused on principles and those principles may be applied across all areas of the business. We have already seen this method exercised with booklets like the Information Security booklet and more recently, the Architecture, Infrastructure, and Operations booklet.

Will other booklets be rescinded?

It's hard to say. The E-Banking booklet was originally published in 2003 and had not been updated since that time. I think we can all agree, electronic banking does not look the same today as it did when the booklet was published. So, the agencies found themselves asking, "to update or not update?" They chose "not" in favor of focusing on writing more widely applicable guidance.

What remains to be seen is whether they will make the same choice when they review other topical booklets, such as the Retail Payment Systems booklet or the Wholesale Payment Systems booklet. Only time will tell.

Where are the E-Banking booklet's concepts addressed now?

Concepts from the E-Banking booklet are already addressed in a variety of other guidance from the FFIEC, including:

What do I need to do?

In theory, the E-Banking booklet's removal would indicate there is now less for you to do, right? Well, not necessarily. The best thing to do is make sure the current guidelines from the principles-based booklets are enacted thoroughly for all systems, including e-banking systems.

For example, when the AIO booklet provides guidance on hardware, network and telecommunications, software, etc., the question needs to be asked, "Do our e-banking systems need updating in light of this guidance?"

This is a step away from a "compliance" mindset ("I have to do this because the booklet says so.") and a step into a "risk management" mindset, determining which practices are best suited for your business. It will require more effort, but will also make the organization more secure.

What's next?

If you would like assistance in improving your electronic banking systems, check out Tandem Internet Banking Security. This product is designed to help you perform risk assessments over your internet banking systems, as well as provide you with some customer education resource templates. Learn more at Tandem.App/Internet-Banking-Risk-Assessment-and-Security-Software.