On May 13, 2022, the FFIEC published an entry to the IT Examination Handbook Infobase What's New page stating that they had rescinded the E-Banking booklet. If you're anything like me, you may be asking questions like "why" and "what am I expected to do now?" If that's you, you've come to the right place. Let's answer those questions.
What does "rescinded" mean?
In the context of what the FFIEC did to this booklet, "rescinded" essentially means they archived it and will likely not include the booklet in future examinations. While the E-Banking booklet was originally listed on the Archived Booklets page after this announcement, it is no longer listed there. However, the now-rescinded E-Banking booklet can still be accessed via their website here.
Why was the booklet rescinded?
According to the FFIEC, they are changing the approach they use to write the booklets. Historically, the FFIEC has taken a topical approach to their guidance. For example, they would write guidance for specific systems like electronic banking (e-banking).
The problem with writing a topical booklet is that it offers limited scalability, and keeping it appropriately updated is a challenge given how quickly technology changes and how varied it can be. It would be difficult for the FFIEC to write a booklet for every form of technology used by a financial institution, especially in the age of emerging technologies.
What are they doing instead?
The FFIEC said they are shifting the focus of the IT Handbook and now plan to write booklets using a "principles-based" approach. What this seems to mean is that they will likely not write a booklet for every topic or technology. Instead, they'll write booklets focused on principles and those principles may be applied across all areas of the business. We have already seen this method exercised with booklets like the Information Security booklet and more recently, the Architecture, Infrastructure, and Operations booklet.
Will other booklets be rescinded?
It's hard to say. The E-Banking booklet was originally published in 2003 and had not been updated since that time. I think we can all agree, electronic banking does not look the same today as it did when the booklet was published. So, the agencies found themselves asking, "to update or not update?" They chose "not" in favor of focusing on providing more "accurate and resilient content."
What remains to be seen is whether they will make the same choice when they review other topical booklets, such as the Retail Payment Systems booklet or the Wholesale Payment Systems booklet. Only time will tell.
Where are the E-Banking booklet's concepts addressed now?
Concepts from the E-Banking booklet are already addressed in a variety of other guidance from the FFIEC, including:
- Security concepts in the Information Security booklet.
- Authentication concepts in the Authentication and Access to Financial Institution Services and Systems guidance.
- Governance and IT asset management concepts in the Architecture, Infrastructure, and Operations booklet.
What do I need to do?
In theory, the E-Banking booklet's removal would indicate there is now less for you to do, right? Well, not necessarily. The best thing to do is make sure the current guidelines from the principles-based booklets are applied thoroughly to all systems, including e-banking systems.
For example, when the AIO booklet provides guidance on hardware, network and telecommunications, software, etc., the question needs to be asked, "Do our e-banking systems need updating in light of this guidance?"
This is a step away from a "compliance" mindset ("I have to do this because the booklet says so") and a step into a "risk management" mindset, in which you determine which practices are best suited for your business. It will require more effort, but it will also make the organization more secure.
If you would like assistance in improving your electronic banking systems, check out Tandem Internet Banking Security. This product is designed to help you perform risk assessments over your internet banking systems, as well as provide you with some customer education resource templates. Learn more at Tandem.App/Internet-Banking-Risk-Assessment-and-Security-Software.
Update: This blog was updated on 12/06/2022 to revise references to the Archived Booklets page, as the E-Banking booklet is no longer listed there.