Appendix C: Laws, Regulations, and Guidance

Sources

Laws

| Resource Title | Type | Date |
|---|---|---|
| 12 USC 1867(c): Bank Service Company Act | Law | |
| 12 USC 1882: Bank Protection Act | Law | |
| 15 USC 1681w: Fair and Accurate Credit Transactions Act | Law | |
| 15 USC 6801 and 6805(b): Gramm-Leach-Bliley Act | Law | |
| 18 USC 1030: Fraud and Related Activity in Connection with Computers | Law | |

Consumer Financial Protection Bureau

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 1005: Electronic Fund Transfers (Regulation E) | Regulation | January 1, 2012 |
| 2 CFR 1016: Privacy of Consumer Financial Information (Regulation P) | Regulation | January 1, 2016 |

Federal Deposit Insurance Corporation

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 326, subpart A: Minimum Security Procedures | Regulation | N/A |
| 12 CFR 326, subpart B: Procedures for Monitoring Bank Secrecy Act Compliance | Regulation | N/A |
| 12 CFR 332: Privacy of Consumer Financial Information | Regulation | N/A |
| 12 CFR 353: Suspicious Activity Reports | Regulation | N/A |
| 12 CFR 364, appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | Regulation | N/A |
| 12 CFR 364, appendix B: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulation | N/A |
| FIL-50-2011: FFIEC Supplement to Authentication in an Internet Banking Environment | Guidance | June 29, 2011 |
| FIL-103-2005: FFIEC Guidance Authentication in an Internet Banking Environment | Guidance | October 12, 2005 |
| FIL-66-2005: Spyware - Guidance on Mitigating Risks From Spyware | Guidance | July 22, 2005 |
| FIL-64-2005: "Pharming" - Guidance on How Financial Institutions can Protect against Pharming Attacks | Guidance | July 18, 2005 |
| FIL-59-2005: Identity Theft Study Supplement on "Account Hijacking Identity Theft" | Guidance | July 5, 2005 |
| FIL-27-2005: Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice | Guidance | April 1, 2005 |
| FIL-7-2005: Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Customer Information | Guidance | February 2, 2005 |
| FIL-132-2004: Identity Theft Study on "Account Hijacking" Identity Theft and Suggestions for Reducing Online Fraud | Guidance | December 14, 2004 |
| FIL-121-2004: Computer Software Due Diligence - Guidance on Developing an Effective Software Evaluation Program to Assure Quality and Regulatory Compliance | Guidance | November 16, 2004 |
| FIL-114-2004: Risk Management of Free and Open Source Software FFIEC Guidance | Guidance | October 21, 2004 |
| FIL-103-2004: Interagency Informational Brochure on Internet "Phishing" Scams | Guidance | September 13, 2004 |
| FIL-84-2004: Guidance on Instant Messaging | Guidance | July 21, 2004 |
| FIL-62-2004: Guidance on Developing an Effective Computer Virus Protection Program | Guidance | June 7, 2004 |
| FIL-27-2004: Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud Schemes | Guidance | March 12, 2004 |
| FIL-63-2003: Guidance on Identity Theft Response Programs | Guidance | August 13, 2003 |
| FIL-43-2003: Guidance on Developing an Effective Software Patch Management Program | Guidance | May 29, 2003 |
| FIL-8-2002: Wireless Networks And Customer Access | Guidance | February 1, 2002 |
| FIL-69-2001: Authentication In An Electronic Banking Environment | Guidance | August 24, 2001 |
| FIL-68-2001: 501(b) Examination Guidance | Guidance | August 24, 2001 |
| FIL-39-2001: Guidance on Identity Theft and Pretext Calling | Guidance | May 9, 2001 |
| FIL-22-2001: Security Standards for Customer Information | Guidance | March 14, 2001 |
| FIL-77-2000: Bank Technology Bulletin: Protecting Internet Domain Names | Guidance | November 9, 2000 |
| FIL-67-2000: Security Monitoring of Computer Networks | Guidance | October 3, 2000 |
| FIL-68-99: Risk Assessment Tools and Practices | Guidance | July 1999 |
| FIL-98-98: Pretext Phone Calling | Guidance | September 2, 1998 |
| FIL-131-97: Security Risks Associated with the Internet | Guidance | December 18, 1997 |
| FIL-124-97: Suspicious Activity Reporting | Guidance | December 5, 1997 |
| FIL-82-96: Risks Involving Client/Server Computer Systems | Guidance | October 8, 1996 |
| FIL-28-2015: Cybersecurity Assessment Tool | Guidance | July 2, 2015 |
| FIL-13-2015: FFIEC Joint Statements on Destructive Malware and Compromised Credentials | Guidance | March 30, 2015 |
| FIL-9-2015: Business Continuity Planning Booklet Appendix J Update to FFIEC IT Examination Handbook Series | Guidance | February 23, 2015 |
| FIL-49-2014: Technology Alert GNU Bourne-Again Shell (Bash) Vulnerability | Guidance | September 29, 2014 |
| FIL-16-2014: Technology Alert OpenSSL Heartbleed Vulnerability | Guidance | April 11, 2014 |
| FIL-11-2014: Distributed Denial of Service (DDoS) Attacks | Guidance | April 2, 2014 |
| FIL-10-2014: ATM and Card Authorization Systems | Guidance | April 2, 2014 |
| FIL-56-2010: Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers | Guidance | September 15, 2010 |
| FIL-6-2010: Retail Payment Systems Booklet | Guidance | February 25, 2010 |
| FIL-30-2009: Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Frequently Asked Questions | Guidance | June 11, 2009 |
| FIL-105-2008: Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures | Guidance | October 16, 2008 |
| FIL-100-2007: Identity Theft Red Flags - Interagency Final Regulation and Guidelines | Guidance | November 15, 2007 |
| FIL-32-2007: FDIC's Supervisory Policy on Identity Theft | Guidance | April 11, 2007 |
| FIL-77-2006: Authentication in an Internet Banking Environment Frequently Asked Questions | Guidance | August 21, 2006 |
| | Guidance | April 23, 2003 |

Federal Reserve Board

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 208.61: Minimum Security Devices and Procedures | Regulation | N/A |
| 12 CFR 208.62: Reports of Suspicious Activities | Regulation | N/A |
| 12 CFR 208.63: Procedures for Monitoring Bank Secrecy Act Compliance | Regulation | N/A |
| 12 CFR 208, Appendix D-1: Interagency Guidelines Establishing Standards for Safety and Soundness | Regulation | N/A |
| 12 CFR 208, Appendix D-2: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulation | N/A |
| 12 CFR 211.5 (1): Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Edge or agreement corporation) | Regulation | N/A |
| 12 CFR 211.9: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulation | |
| 12 CFR 211.24 (i): Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulation | N/A |
| 12 CFR 225, Appendix F: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulation | N/A |
| SR Letter 05-19: Interagency Guidance on Authentication in an Internet Banking Environment | Guidance | October 13, 2005 |
| SR Letter 04-17: FFIEC Guidance on the use of Free and Open Source Software | Guidance | December 6, 2004 |
| SR Letter 04-14: FFIEC Brochure with Information on Internet "Phishing" | Guidance | October 19, 2004 |
| SR Letter 02-18: Section 312 of the USA Patriot Act - Due Diligence for Correspondent and Private Banking Accounts | Guidance | July 23, 2002 |
| SR Letter 02-6: Information Sharing Pursuant to Section 314(b) of the USA Patriot Act | Guidance | March 14, 2002 |
| SR Letter 01-15: Safeguarding Customer Information | Guidance | May 31, 2001 |
| SR Letter 00-17: Guidance on the Risk Management of Outsourced Technology Services | Guidance | November 30, 2000 |
| SR Letter 01-11: Identity Theft and Pretext Calling | Guidance | April 26, 2001 |
| SR Letter 00-04: Outsourcing of Information and Transaction Processing | Guidance | February 29, 2000 |
| SR Letter 99-08: Uniform Rating System for Information Technology | Guidance | March 31, 1999 |
| SR Letter 97-32: Sound Practices Guidance for Information Security for Networks | Guidance | December 4, 1997 |
| SR Letter 15-9: FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors | Guidance | |

National Credit Union Administration

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 721: Federal Credit Union Incidental Powers Activities | Regulation | N/A |
| 12 CFR 748: Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance and Appendix | Regulation | N/A |
| 12 CFR 716: Privacy of Consumer Financial Information, and Appendix | Regulation | N/A |
| 12 CFR 741: Requirements for Insurance | Regulation | N/A |
| NCUA Letter to Credit Unions 05-CU-20: Phishing Guidance for Credit Unions and Their Members | Guidance | December 2005 |
| NCUA Letter to Credit Unions 05-CU-18: Guidance on Authentication in Internet Banking Environment | Guidance | November 2005 |
| NCUA Letter to Credit Unions 04-CU-12: Phishing Guidance for Credit Union Members | Guidance | September 2004 |
| NCUA Letter to Credit Unions 04-CU-06: E-Mail and Internet Related Fraudulent Schemes Guidance | Guidance | April 2004 |
| NCUA Letter to Credit Unions 04-CU-05: Fraudulent E-Mail Schemes | Guidance | April 2004 |
| NCUA Letter to Credit Unions 03-CU-14: Computer Software Patch Management | Guidance | September 2003 |
| NCUA Letter to Credit Unions 03-CU-12: Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions | Guidance | August 2003 |
| NCUA Letter to Credit Unions 03-CU-08: Weblinking: Identifying Risks & Risk Management Techniques | Guidance | April 2003 |
| NCUA Letter to Credit Unions 03-CU-03: Wireless Technology | Guidance | February 2003 |
| NCUA Letter to Federal Credit Unions 02-FCU-11: Tips to Safely Conduct Financial Transactions Over the Internet | Guidance | July 2002 |
| NCUA Letter to Credit Unions 02-CU-13: Vendor Information Systems & Technology Reviews - Summary Results | Guidance | July 2002 |
| NCUA Letter to Credit Unions 02-CU-08: Account Aggregation Services | Guidance | April 2002 |
| NCUA Letter to Federal Credit Unions 02-FCU-04: Weblinking Relationships | Guidance | March 2002 |
| NCUA Letter to Credit Unions 01-CU-21: Disaster Recovery and Business Resumption Contingency Plans | Guidance | December 2001 |
| NCUA Letter to Credit Unions 01-CU-20: Due Diligence Over Third Party Service Providers | Guidance | November 2001 |
| NCUA Letter to Credit Unions 01-CU-12: E-Commerce Insurance Considerations | Guidance | October 2001 |
| NCUA Letter to Credit Unions 01-CU-09: Identity Theft and Pretext Calling | Guidance | September 2001 |
| NCUA Letter to Credit Unions 01-CU-11: Electronic Data Security Overview | Guidance | August 2001 |
| NCUA Letter to Credit Unions 01-CU-10: Authentication in an Electronic Banking Environment | Guidance | August 2001 |
| NCUA Letter to Credit Unions 01-CU-04: Integrating Financial Services and Emerging Technology | Guidance | March 2001 |
| NCUA Regulatory Alert 01-RA-03: Electronic Signatures in Global and National Commerce Act | Guidance | March 2001 |
| NCUA Letter to Credit Unions 01-CU-02: Privacy of Consumer Financial Information | Guidance | February 2001 |
| NCUA Letter to Credit Unions 00-CU-11: Risk Management of Outsourced Technology Services | Guidance | December 2000 |
| NCUA Letter to Credit Unions 00-CU-07: NCUA's Information Systems & Technology Examination Program | Guidance | October 2000 |
| NCUA Letter to Credit Unions 00-CU-04: Suspicious Activity Reporting | Guidance | July 2000 |
| NCUA Letter to Credit Unions 00-CU-02: Identity Theft Prevention | Guidance | May 2000 |
| NCUA Regulatory Alert 99-RA-3: Pretext Phone Calling by Account Information Brokers | Guidance | February 1999 |
| NCUA Regulatory Alert 98-RA-4: Interagency Guidance on Electronic Financial Services and Consumer Compliance | Guidance | July 1998 |
| NCUA Letter to Credit Unions 97-CU-5: Interagency Statement on Retail On-line PC Banking | Guidance | April 1997 |
| NCUA Letter to Credit Unions 97-CU-01: Automated Response System Controls | Guidance | January 1997 |
| NCUA Letter to Credit Unions 109: Information Processing Issues | Guidance | September 1989 |

Office of the Comptroller of the Currency

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 21, Subpart A: Minimum Security Devices and Procedures | Regulation | N/A |
| 12 CFR 21, Subpart B: Reports of Suspicious Activities | Regulation | N/A |
| 12 CFR 21, Subpart C: Procedures for Monitoring Bank Secrecy Act Compliance | Regulation | N/A |
| 12 CFR 30, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | Regulation | N/A |
| 12 CFR 30, Appendix B: Interagency Guidelines Establishing Information Security | Regulation | N/A |
| OCC Bulletin 2011-26: Authentication in an Internet Environment - Supplement | Guidance | June 28, 2011 |
| OCC Bulletin 2005-35: Authentication in an Internet Banking Environment | Guidance | October 12, 2005 |
| OCC Bulletin 2005-24: Threats from Fraudulent Bank Web Sites | Guidance | July 1, 2005 |
| OCC Bulletin 2005-13: Response Programs for Unauthorized Access to Customer Information and Customer Notice: Final Guidance | Guidance | April 14, 2005 |
| OCC Bulletin 2005-1: Proper Disposal of Consumer Information | Guidance | January 12, 2005 |
| OCC Bulletin 2001-35: Examination Procedures for Guidelines to Safeguard Customer Information | Guidance | July 18, 2001 |
| OCC Alert 2001-04: Network Security Vulnerabilities | Guidance | April 24, 2001 |
| OCC Bulletin 1999-20: Certificate Authority Guidance | Guidance | May 1999 |
| OCC Alert 2000-9: Protecting Internet Addresses of National Banks | Guidance | July 19, 2000 |
| 12 CFR 41.83: Proper Disposal of Records Containing Customer Information | Regulation | |
| OCC Bulletin 2016-18: Cybersecurity of Interbank Messaging and Wholesale Payment Networks: FFIEC Statement | Guidance | June 7, 2016 |
| OCC Bulletin 2016-14: FFIEC Information Technology Examination Handbook: Mobile Financial Services, New Appendix to the Retail Payment Systems Booklet | Guidance | April 29, 2016 |
| OCC Bulletin 2000-14: Infrastructure Threats - Intrusion Risks | Guidance | May 15, 2000 |
| OCC Alert 2000-1: Internet Security: Distributed Denial of Service Attacks | Guidance | February 11, 2000 |
| OCC Bulletin 2015-44: FFIEC Information Technology Examination Handbook: Revised Management Booklet | Guidance | November 10, 2015 |
| OCC Bulletin 2015-40: Cybersecurity: Joint Statement on Cyber Attacks Involving Extortion | Guidance | November 3, 2015 |
| OCC Advisory Letter 2000-12: Risk Management of Outsourcing Technology Services | Guidance | November 28, 2000 |
| OCC Bulletin 1998-3: Technology Risk Management | Guidance | February 4, 1998 |
| OCC Bulletin 2015-31: FFIEC Cybersecurity Assessment Tool | Guidance | June 30, 2015 |
| OCC Bulletin 2015-20: Cybersecurity: Destructive Malware Joint Statement | Guidance | March 30, 2015 |
| OCC Bulletin 2015-19: Cybersecurity: Cyber Attacks Compromising Credentials Joint Statement | Guidance | March 30, 2015 |
| OCC Bulletin 2015-9: FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet | Guidance | February 6, 2015 |
| OCC Bulletin 2014-53: Cybersecurity Assessment General Observations and Statement | Guidance | November 3, 2014 |
| OCC Bulletin 2014-17: Information Security Vulnerability in OpenSSL Encryption Tool: Joint Statement | Guidance | April 25, 2014 |
| OCC Bulletin 2014-14: Distributed Denial-of-Service Cyber Attacks, Risk Mitigation, and Additional Resources: Joint Statement | Guidance | April 3, 2014 |
| OCC Bulletin 2014-13: Cyber Attacks on Financial Institutions' Automated Teller Machine and Card Authorization Systems: Joint Statement | Guidance | April 2, 2014 |
| OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance | Guidance | October 30, 2013 |
| OCC Bulletin 2013-22: Windows XP Operating System: Joint Statement | Guidance | October 7, 2013 |
| OCC Bulletin 2011-26: Authentication in an Internet Banking Environment: Supplement | Guidance | June 28, 2011 |
| OCC Bulletin 2008-16: Information Security: Application Security | Guidance | May 8, 2008 |
| OCC Bulletin 2007-45: Identity Theft Red Flags and Address Discrepancies: Final Rulemaking | Guidance | November 14, 2007 |
| OCC Bulletin 2005-35: Authentication in an Internet Banking Environment: Interagency Guidance | Guidance | October 12, 2005 |
| OCC Bulletin 2005-24: Threats From Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents | Guidance | July 1, 2005 |
| OCC Bulletin 2005-13: Response Programs for Unauthorized Access to Customer Information and Customer Notice: Final Guidance: Interagency Guidance | Guidance | April 14, 2005 |
| OCC Bulletin 2005-1: Proper Disposal of Consumer Information: Final Rule | Guidance | January 12, 2005 |
| OCC Bulletin 2001-35: Examination Procedures to Evaluate Compliance With the Guidelines to Safeguard Customer Information: Examination Procedures | Guidance | July 18, 2001 |
| OCC Bulletin 2001-8: Guidelines Establishing Standards for Safeguarding Customer Information: Final Guidelines | Guidance | February 15, 2001 |
| OCC Bulletin 2000-14: Infrastructure Threats - Intrusion Risks: Message to Bankers and Examiners | Guidance | May 15, 2000 |
| OCC Bulletin 1998-3: Technology Risk Management: Guidance for Bankers and Examiners | Guidance | February 4, 1998 |

Other References

* Non-regulatory resources are provided to assist in your research and continuing professional education. They are not endorsed, certified, or approved by the FFIEC or its member agencies.

| Resource Title | Type | Date |
|---|---|---|
| ISACA Control Objectives for Enterprise IT Governance at www.isaca.org (The Information Systems Audit and Control Association & Foundation) | Website | N/A |
| Basel Committee on Banking Supervision: Sound Practices for the Management and Supervision of Operational Risk | Publication | February 2003 |