Regulatory Alerts2021-06-30
SR 21-11: FFIEC Architecture, Infrastructure, and Operations Examination Handbook
The Federal Reserve issued SR 21-11 to direct supervised institutions to adopt the newly published FFIEC Architecture, Infrastructure, and Operations (AIO) booklet. This new handbook replaces the 2004 Operations Booklet and establishes enterprise-wide principles for IT design, infrastructure implementation, and service delivery to ensure safety, soundness, and regulatory compliance. Reserve Banks are instructed to distribute this guidance to all supervised organizations and appropriate supervisory staff within their districts.
Page 1 of 2 BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D.C. 20551 DIVISION OF SUPERVISION AND REGULATION SR 21-11 June 30, 2021 TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK SUBJECT: FFIEC Architecture, Infrastructure, and Operations Examination Handbook Applicability: This letter applies to all institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets. The Federal Financial Institutions Examination Council (FFIEC) has published the “Architecture, Infrastructure, and Operations” (AIO) booklet. The AIO booklet is one in a series of 11 booklets that comprise the FFIEC Information Technology Examination Handbook (IT Handbook). The AIO booklet replaces the current Operations Booklet, which was published in July 2004. This booklet focuses on enterprise-wide, process-oriented approaches that consider the design of technology within the overall business structure (Architecture), implementation of IT infrastructure components (Infrastructure), and delivery of services and value for customers (Operations). It discusses the following: • Principles and practices for IT and operations for safety and soundness, consumer financial protection, and compliance with applicable laws and regulations. • Processes for addressing risk related to the design and implementation of IT systems. • Principles to help examiners evaluate the delivery of financial products and services. • Management oversight of AIO and its related components, including governance; common risk management topics; specific activities of architecture, infrastructure, and operations; and evolving technologies that examiners may encounter during their reviews of AIO. The AIO booklet and the other booklets in the IT Handbook are available on the FFIEC website at: https://ithandbook.ffiec.gov/it-booklets.aspx. Reserve Banks are asked to distribute this letter to the supervised organizations in their districts and to appropriate supervisory staff.
Page 2 of 2 In addition, institutions may send questions via the Board’s public website.1 Michael S. Gibson Director Division of Supervision and Regulation 1 See http://www.federalreserve.gov/apps/contactus/feedback.aspx