Appendix D: References

Sources


Laws

Resource Title | Type | Date
12 U.S.C. 95(b) / 1463(a) / 3102(b), "Comptroller Authority to Declare a Legal Holiday" | Law |
12 U.S.C. 1464, "Home Owners' Loan Act" | Law |
12 U.S.C. 1831r-1, "Notice of Branch Closure" | Law |
12 U.S.C. 1861–1867, "Bank Service Company Act" | Law |
12 U.S.C. 1882, "Bank Protection Act" | Law |
12 U.S.C. 3352, "Emergency Exceptions for Disaster Areas" | Law |
15 U.S.C. 6801 and 6805(b), "Gramm–Leach–Bliley Act" | Law |
18 U.S.C. 1030, "Fraud and Related Activity in Connection With Computers" | Law |

Consumer Financial Protection Bureau

Resource Title | Type | Date
CFPB Statement on Supervisory Practices Regarding Financial Institutions and Consumers Affected by a Major Disaster or Emergency (September 2018) | Guidance | September 2018
CFPB Compliance Bulletin and Policy Guidance; 2016-02, Service Providers (October 2016) | Guidance | October 2016

Federal Reserve

Resource Title | Type | Date
12 CFR 208, Appendix D-1, "Interagency Guidelines Establishing Standards for Safety and Soundness" | Regulation |
12 CFR 208, Appendix D-2, "Interagency Guidelines Establishing Information Security Standards (State Member Banks)" | Regulation |
12 CFR 225, Appendix F, "Interagency Guidelines Establishing Information Security Standards" | Regulation |
SR Letter 16-11, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion" (June 2016) | Guidance | June 2016
SR Letter 15-10 / CA Letter 15-8, "Expansion of the Federal Reserve’s Emergency Communications System" (October 2015) | Guidance | October 2015
SR Letter 15-9, "FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors" (July 2, 2015) | Guidance | July 2, 2015
SR Letter 13-16, "End of Microsoft Support for Windows XP Operating System" (October 2013) | Guidance | October 2013
SR Letter 13-19 / CA Letter 13-21, "Guidance on Managing Outsourcing Risk" (April 2013) | Guidance | April 2013
SR Letter 13-6 / CA Letter 13-3, "Supervisory Practices Regarding Banking Organizations and Their Borrowers and Other Customers Affected by a Major Disaster or Emergency" (March 2013) | Guidance | March 2013
SR Letter 12-14, "Revised Guidance on Supervision of Technology Service Providers" (October 2012) | Guidance | October 2012
SR Letter 10-13, "Interagency Supervisory Guidance for Institutions Affected by the Deepwater Horizon Oil Spill" (October 2010) | Guidance | October 2010
SR Letter 07-18, "FFIEC Guidance on Pandemic Planning" (December 12, 2007) | Guidance | December 12, 2007
SR Letter 06-5, "Influenza Pandemic Preparedness" (March 15, 2006) | Guidance | March 15, 2006
SR Letter 06-3, "Interagency Supervisory Guidance for Institutions Affected by Hurricane Katrina" (February 3, 2006) | Guidance | February 3, 2006
SR Letter 05-24, "Interagency Questions and Answers for Financial Institutions in Response to Hurricanes Katrina and Rita" (December 2, 2005) | Guidance | December 2, 2005
SR Letter 05-17, “Katrina Related Marketing Practices Invoking the Name of the Federal Reserve” (September 22, 2005) | Guidance | September 22, 2005
SR Letter 05-16, "Supervisory Practices Regarding Banking Organizations and Consumers Affected by Hurricane Katrina" (September 15, 2005) | Guidance | September 15, 2005
SR Letter 03-9, "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" (May 28, 2003) | Guidance | May 28, 2003

Federal Deposit Insurance Corporation

Resource Title | Type | Date
12 CFR 304.3(d), "Notification of Performance of Bank Services, Form FDIC 6120/06" | Regulation |
12 CFR 364, Appendix A "Interagency Guidelines Establishing Standards for Safety and Soundness" | Regulation |
12 CFR 364, Appendix B "Interagency Guidelines Establishing Information Security Standards" | Regulation |
12 CFR 364, Supplement A to Appendix B "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" | Regulation |
FIL-19-2019, "Technology Service Provider Contracts" (April 2, 2019) | Guidance | April 2, 2019
FIL-63-2018, "Cybersecurity Preparedness Resource" (October 19, 2018) | Guidance | October 19, 2018
FIL-62-2017, "Major Disaster Examiner Guidance" (December 15, 2017) | Guidance | December 15, 2017
FIL-68-2016, "FFIEC Cybersecurity Assessment Tool: Frequently Asked Questions" (October 18, 2016) | Guidance | October 18, 2016
FIL-43-2016, "Information Technology Risk Examination (InTREx) Program" (June 30, 2016) | Guidance | June 30, 2016
FIL-37-2016, "FFIEC Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks" (June 7, 2016) | Guidance | June 7, 2016
FIL-55-2015, "Cybersecurity Awareness Resources" (November 23, 2015) | Guidance | November 23, 2015
FIL-28-2015, "Cybersecurity Assessment Tool" (July 2, 2015) | Guidance | July 2, 2015
FIL-13-2015, "FFIEC Joint Statements on Destructive Malware and Compromised Credentials" (March 30, 2015) | Guidance | March 30, 2015
FIL-13-2014, "Technology Outsourcing: Informational Tools for Community Bankers" (April 7, 2014) | Guidance | April 7, 2014
FIL-11-2014, "Distributed Denial of Service (DDoS) Attacks" (April 2, 2014) | Guidance | April 2, 2014
FIL-44-2008, "Third-Party Risk: Guidance for Managing Third-Party Risk" (June 6, 2008) | Guidance | June 6, 2008
FIL-6-2008, "Interagency Statement on Pandemic Planning: Guidance for Minimizing a Pandemic's Potential Adverse Effects" (February 6, 2008) | Guidance | February 6, 2008
FIL-49-2006, "Lessons Learned from Hurricane Katrina: Preparing Your Institution for a Catastrophic Event" (June 15, 2006) | Guidance | June 15, 2006
FIL-25-2006, "Influenza Pandemic Preparedness Interagency Advisory" (March 15, 2006) | Guidance | March 15, 2006
FIL-27-2005, "Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" (April 1, 2005) | Guidance | April 1, 2005
FIL-84-2002, "Financial and Banking Information Infrastructure Committee's Interim Policy on the Sponsorship of Private Sector Financial Institutions in the GETS Card Program" (August 6, 2002) | Guidance | August 6, 2002
FIL-50-2001, "Bank Technology Bulletin on Outsourcing" (June 4, 2001) | Guidance | June 4, 2001

National Credit Union Administration

Resource Title | Type | Date
12 CFR 748, Appendix A, "Guidelines for Safeguarding Member Information" | Regulation |
12 CFR 749, Appendix A, "Record Preservation Program and Record Retention" | Regulation |
12 CFR 749, Appendix B, "Catastrophic Act Preparedness Guidelines" | Regulation |
NCUA Letter to Credit Unions 08-CU-01, "Guidance on Pandemic" (January 2008) | Guidance | January 2008
NCUA Letter to Credit Unions 07-CU-13, "Evaluating Third-Party Relationships" (December 2007) | Guidance | December 2007
NCUA Risk Alert 06-Risk-01, "Disaster Planning and Response" (April 2006) | Guidance | April 2006
NCUA Letter to Credit Unions 06-CU-06, "Influenza Pandemic Preparedness" (March 2006) | Guidance | March 2006
NCUA Letter to Credit Unions 02-CU-17, "e-Commerce Guide for Credit Unions" (December 2002) | Guidance | December 2002
NCUA Letter to Credit Unions 01-CU-21, "Disaster Recovery and Business Resumption Contingency Plans" (December 2001) | Guidance | December 2001
NCUA Letter to Credit Unions 01-CU-20, "Due Diligence Over Third-Party Service Providers" (November 2001) | Guidance | November 2001
NCUA Letter to Credit Unions 98-CU-12, "Business Resumption Contingency Planning" (June 1998) | Guidance | June 1998

Office of the Comptroller of the Currency

Resource Title | Type | Date
12 CFR 5.30, "Establishment, Acquisition, and Relocation of a Branch of a National Bank" | Regulation |
12 CFR 5.31, "Establishment, Acquisition, and Relocation of a Branch and Establishment of an Agency Office of a Federal Savings Association" | Regulation |
12 CFR 30, Appendix A, "Interagency Guidelines Establishing Standards for Safety and Soundness" | Regulation |
12 CFR 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards" | Regulation |
12 CFR 30, Appendix D, "OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches" | Regulation |
12 CFR 30, Appendix E, "OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches" | Regulation |
OCC Bulletin 2019-13, "Recovery Planning" | Guidance | 2019
OCC Bulletin 2019-8, "Loans in Areas Having Special Flood Hazards – Private Flood Insurance: Final Rule" | Guidance | 2019
OCC Bulletin 2018-47, "Recovery Planning Guideline: Final Revised Guidelines" | Guidance | 2018
OCC Bulletin 2018-14, "Installment Lending: Core Lending Principles for Short-Term, Small-Dollar Installment Lending" | Guidance | 2018
OCC Bulletin 2018-8, "Cyber Insurance: FFIEC Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs" | Guidance | 2018
OCC Bulletin 2017-61, "Major Disasters: Interagency Examiner Guidance for Institutions Affected by Major Disasters" | Guidance | 2017
OCC Bulletin 2017-54, "Branches and Relocations: Revised Comptroller’s Licensing Manual Booklet" | Guidance | 2017
OCC Bulletin 2017-35, "Flood Disaster Protection Act: Revised Comptroller’s Handbook Booklet" | Guidance | 2017
OCC Bulletin 2017-24, "Branch Closings: Revised Comptroller’s Licensing Manual Booklet" | Guidance | 2017
OCC Bulletin 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29" | Guidance | 2017
OCC Bulletin 2017-7, "Third-Party Relationships: Supplemental Examination Procedures" | Guidance | 2017
OCC Bulletin 2016-34, "Cybersecurity: Frequently Asked Questions on the FFIEC Cybersecurity Assessment Tool" | Guidance | 2016
OCC Bulletin 2016-30, "Enforceable Guidelines for Recovery Planning: Final Guidelines" | Guidance | 2016
OCC Bulletin 2015-31, "Cybersecurity: FFIEC Cybersecurity Assessment Tool" | Guidance | 2015
OCC Bulletin 2015-9, "FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet" | Guidance | 2015
OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance" | Guidance | 2013
OCC Bulletin 2012-28, "Supervisory Guidance on Natural Disasters and Other Emergency Conditions" | Guidance | 2012
OCC Bulletin 2006-26, "Disaster Planning: Hurricane Katrina – Lessons Learned" | Guidance | 2006
OCC Bulletin 2006-12, "Influenza Pandemic Preparedness: Interagency Advisory" | Guidance | 2006
OCC Bulletin 2006-6, "Community Reinvestment Act: Hurricanes Katrina and Rita" | Guidance | 2006
OCC Bulletin 2003-14, "Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" | Guidance | 2003
OCC Bulletin 2003-13, "Telecommunications Service Priority (TSP) Program: Policy on Sponsorship of TSP for Private Sector Entities" | Guidance | 2003
OCC Bulletin 2002-33, "Government Emergency Telecommunications Service (GETS): FBIIC Policy on Sponsorship of GETS Cards for Private Sector Entities" | Guidance | 2002
OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance" | Guidance | 2002
OCC Bulletin 1998-3, "Technology Risk Management: Guidance for Bankers and Examiners" | Guidance | 1998

Other References

Resource Title | Type | Date
U.S. Department of Health & Human Services, Centers for Disease Control and Prevention, Pandemic Influenza (January 2019) | | January 2019
Communications, Security, Reliability, and Interoperability Council, Infrastructure Sharing During Emergencies (December 2014) | | December 2014
National Infrastructure Protection Plan, NIPP 2013: Partnering for Critical Infrastructure and Resilience (November 2013) | | November 2013
NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems (May 2010) | | May 2010
BITS Financial Services Roundtable, BITS Framework for Managing Technology Risk for Service Provider Relationships (May 2008) | | May 2008
Basel Committee on Banking Supervision, The Joint Forum: High-level Principles for Business Continuity (August 2006) | | August 2006
U.S. Department of Homeland Security, Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources (September 2006) | | September 2006
Department of Health and Human Services, Centers for Disease Control and Prevention Business Pandemic Influenza Planning Checklist (December 2005) | | December 2005
Homeland Security Council National Strategy for Pandemic Influenza (November 2005) | | November 2005
Federal Reserve Bank of New York, Best Practices to Assure Telecommunications Continuity for Financial Institutions and the Payment and Settlement Utilities: Report by the Assuring Telecommunications Continuity Task Force (September 2004) | | September 2004
The President’s National Security Telecommunications Advisory Committee, Financial Services Task Report (April 2004) | | April 2004

 
