Appendix D: References
Sources
- Laws
- Consumer Financial Protection Bureau
- Federal Reserve
- Federal Deposit Insurance Corporation
- National Credit Union Administration
- Office of the Comptroller of the Currency
- Other References
Laws
| Resource Title | Type | Date |
| 12 U.S.C. 95(b) / 1463(a) / 3102(b), "Comptroller Authority to Declare a Legal Holiday" | Laws | |
| 12 U.S.C. 1464, "Home Owners' Loan Act" | Laws | |
| 12 U.S.C. 1831r-1, "Notice of Branch Closure" | Laws | |
| 12 U.S.C. 1861–1867, "Bank Service Company Act" | Laws | |
| 12 U.S.C. 1882, "Bank Protection Act" | Laws | |
| 12 U.S.C. 3352, "Emergency Exceptions for Disaster Areas" | Laws | |
| 15 U.S.C. 6801 and 6805(b), "Gramm–Leach–Bliley Act" | Laws | |
| 18 U.S.C. 1030, "Fraud and Related Activity in Connection With Computers" | Laws |
Consumer Financial Protection Bureau
| Resource Title | Type | Date |
| CFPB Statement on Supervisory Practices Regarding Financial Institutions and Consumers Affected by a Major Disaster or Emergency (September 2018) | Guidance | September 2018 |
| CFPB Compliance Bulletin and Policy Guidance; 2016-02, Service Providers (October 2016) | Guidance | October 2016 |
Federal Reserve
| Resource Title | Type | Date |
| 12 CFR 208, Appendix D-1, "Interagency Guidelines Establishing Standards for Safety and Soundness" | Regulations | |
| 12 CFR 208, Appendix D-2, "Interagency Guidelines Establishing Information Security Standards (State Member Banks)" | Regulations | |
| 12 CFR 225, Appendix F, "Interagency Guidelines Establishing Information Security Standards" | Regulations | |
| SR Letter 20-3 / CA 20-2, "Interagency Statement on Pandemic Planning" (March 10, 2020) | Guidance | March 10, 2020 |
| SR Letter 16-11, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion" (June 2016) | Guidance | June 2016 |
| SR Letter 15-10 / CA Letter 15-8, "Expansion of the Federal Reserve’s Emergency Communications System" (October 2015) | Guidance | October 2015 |
| SR Letter 15-9, "FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors" (July 2, 2015) | Guidance | July 2, 2015 |
| SR Letter 13-19 / CA Letter 13-21, "Guidance on Managing Outsourcing Risk" (April 2013) | Guidance | December 2013 |
| SR Letter 13-16, "End of Microsoft Support for Windows XP Operating System" (October 2013) | Guidance | October 2013 |
| SR Letter 13-6 / CA Letter 13-3, "Supervisory Practices Regarding Banking Organizations and Their Borrowers and Other Customers Affected by a Major Disaster or Emergency" (March 2013) | Guidance | March 2013 |
| SR Letter 12-14, "Revised Guidance on Supervision of Technology Service Providers" (October 2012) | Guidance | October 2012 |
| SR Letter 10-13, "Interagency Supervisory Guidance for Institutions Affected by the Deepwater Horizon Oil Spill" (October 2010) | Guidance | October 2010 |
| SR Letter 06-3, "Interagency Supervisory Guidance for Institutions Affected by Hurricane Katrina" (February 3, 2006) | Guidance | February 3, 2006 |
| SR Letter 05-24, "Interagency Questions and Answers for Financial Institutions in Response to Hurricanes Katrina and Rita" (December 2, 2005) | Guidance | December 2, 2005 |
| SR Letter 05-17, “Katrina Related Marketing Practices Invoking the Name of the Federal Reserve” (September 22, 2005) | Guidance | September 22, 2005 |
| SR Letter 05-16, "Supervisory Practices Regarding Banking Organizations and Consumers Affected by Hurricane Katrina" (September 15, 2005) | Guidance | September 15, 2005 |
| SR Letter 03-9, "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" (May 28, 2003) | Guidance | May 28, 2003 |
Federal Deposit Insurance Corporation
| Resource Title | Type | Date |
| 12 CFR 304.3(d), "Notification of Performance of Bank Services, Form FDIC 6120/06" | Regulations | |
| 12 CFR 364, Appendix A "Interagency Guidelines Establishing Standards for Safety and Soundness" | Regulations | |
| 12 CFR 364, Appendix B "Interagency Guidelines Establishing Information Security Standards" | Regulations | |
| 12 CFR 364, Supplement A to Appendix B "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" | Regulations | |
| FIL-25-2020 “Identification of Essential Critical Infrastructure Workers During the COVID-19 Response Efforts” (March 26,2020) | Guidance | March 26,2020 |
| FIL-14-2020 “Interagency Statement on Pandemic Planning” (March 6, 2020) | Guidance | March 6, 2020 |
| FIL-19-2019, "Technology Service Provider Contracts" (April 2, 2019) | Guidance | April 2, 2019 |
| FIL-63-2018, "Cybersecurity Preparedness Resource" (October 19, 2018) | Guidance | October 19, 2018 |
| FIL-62-2017, "Major Disaster Examiner Guidance" (December 15, 2017) | Guidance | December 15, 2017 |
| FIL-68-2016, "FFIEC Cybersecurity Assessment Tool: Frequently Asked Questions" (October 18, 2016) | Guidance | October 18, 2016 |
| FIL-43-2016, "Information Technology Risk Examination (InTREx) Program" (June 30, 2016) | Guidance | June 30, 2016 |
| FIL-37-2016, "FFIEC Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks" (June 7, 2016) | Guidance | June 7, 2016 |
| FIL-55-2015, "Cybersecurity Awareness Resources" (November 23, 2015) | Guidance | November 23, 2015 |
| FIL-28-2015, "Cybersecurity Assessment Tool" (July 2, 2015) | Guidance | July 2, 2015 |
| FIL-13-2015, "FFIEC Joint Statements on Destructive Malware and Compromised Credentials" (March 30, 2015) | Guidance | March 30, 2015 |
| FIL-13-2014, "Technology Outsourcing: Informational Tools for Community Bankers" (April 7, 2014) | Guidance | April 7, 2014 |
| FIL-11-2014, "Distributed Denial of Service (DDoS) Attacks" (April 2, 2014) | Guidance | April 2, 2014 |
| FIL-44-2008, "Third-Party Risk: Guidance for Managing Third-Party Risk" (June 6, 2008) | Guidance | June 6, 2008 |
| FIL-6-2008, "Interagency Statement on Pandemic Planning: Guidance for Minimizing a Pandemic's Potential Adverse Effects" (February 6, 2008) | Guidance | February 6, 2008 |
| FIL-49-2006, "Lessons Learned from Hurricane Katrina: Preparing Your Institution for a Catastrophic Event" (June 15, 2006) | Guidance | June 15, 2006 |
| FIL-27-2005, "Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" (April 1, 2005) | Guidance | April 1, 2005 |
| FIL-84-2002, "Financial and Banking Information Infrastructure Committee's Interim Policy on the Sponsorship of Private Sector Financial Institutions in the GETS Card Program" (August 6, 2002) | Guidance | August 6, 2002 |
| FIL-50-2001, "Bank Technology Bulletin on Outsourcing" (June 4, 2001) | Guidance | June 4, 2001) |
National Credit Union Administration
| Resource Title | Type | Date |
| 12 CFR 748,"Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts and Bank Secrecy Act Compliance" | Regulations | |
| 12 CFR 748, Appendix A, "Guidelines for Safeguarding Member Information" | Regulations | |
| 12 CFR 749,"Guidelines for Safeguarding Member Information", Records Preservation Program and Appendices - Record Retention Guidelines; Catastrophic Act Preparedness Guidelines" | Regulations | |
| 12 CFR 749, Appendix A, "Record Preservation Program and Record Retention" | Regulations | |
| 12 CFR 749, Appendix B, "Catastrophic Act Preparedness Guidelines" | Regulations | |
| NCUA Letter to Credit Unions 20-CU-03, "Identification of Essential Critical Infrastructure Workers" (March 2020) | Guidance | March 2020 |
| NCUA Letter to Credit Unions 20-CU-02, "NCUA Actions Related to COVID-19" (March 2020) | Guidance | March 2020 |
| NCUA Letter to Credit Unions 10-CU-10, "2010 Hurricane Season and Ongoing Disaster, Emergency, and Pandemic Preparedness and Planning" (June 2010) | Guidance | June 2010 |
| NCUA Letter to Credit Unions 09-CU-13, "Hurricane Preparedness and Pandemic Planning" (June 2009) | Guidance | June 2009 |
| NCUA Letter to Credit Unions 08-CU-01, "Guidance on Pandemic" (January 2008) | Guidance | January 2008 |
| NCUA Letter to Credit Unions 07-CU-13, "Evaluating Third-Party Relationships" (December 2007) | Guidance | December 2007 |
| NCUA Letters to Credit Unions (06-CU-11), "Interagency Guidance Lessons Learned By Institutions Affected By Hurricane Katrina" (June 2006) | Guidance | June 2006 |
| NCUA Risk Alert 06-Risk-01, "Disaster Planning and Response" (April 2006) | Guidance | April 2006 |
| NCUA Letter to Credit Unions 06-CU-06, "Influenza Pandemic Preparedness" (March 2006) | Guidance | March 2006 |
| NCUA Letter to Credit Unions 02-CU-17, "e-Commerce Guide for Credit Unions" (December 2002) | Guidance | December 2002 |
| NCUA Letter to Credit Unions 01-CU-21, "Disaster Recovery and Business Resumption Contingency Plans" (December 2001) | Guidance | December 2001 |
| NCUA Letter to Credit Unions 01-CU-20, "Due Diligence Over Third-Party Service Providers" (November 2001) | Guidance | November 2001 |
Office of the Comptroller of the Currency
| Resource Title | Type | Date |
| 12 CFR 5.30, "Establishment, Acquisition, and Relocation of a Branch of a National Bank" | Regulations | |
| 12 CFR 5.31, "Establishment, Acquisition, and Relocation of a Branch and Establishment of an Agency Office of a Federal Savings Association" | Regulations | |
| 12 CFR 30, Appendix A, "Interagency Guidelines Establishing Standards for Safety and Soundness" | Regulations | |
| 12 CFR 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards" | Regulations | |
| 12 CFR 30, Appendix D, "OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches" | Regulations | |
| 12 CFR 30, Appendix E, "OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches" | Regulations | |
| OCC Bulletin 2020-23, “Essential Critical Infrastructure Workers in the Financial Services Sector” | Guidance | March 25, 2020 |
| OCC Bulletin 2020-13, "Pandemic Planning: Updated FFIEC Guidance" | Guidance | March 6, 2020 |
| OCC Bulletin 2019-13, "Recovery Planning" | Guidance | 2019 |
| OCC Bulletin 2019-8, "Loans in Areas Having Special Flood Hazards – Private Flood Insurance: Final Rule" | Guidance | 2019 |
| OCC Bulletin 2018-47, "Recovery Planning Guideline: Final Revised Guidelines" | Guidance | 2018 |
| OCC Bulletin 2018-14, "Installment Lending: Core Lending Principles for Short-Term, Small-Dollar Installment Lending" | Guidance | 2018 |
| OCC Bulletin 2018-8, "Cyber Insurance: FFIEC Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs" | Guidance | 2018 |
| OCC Bulletin 2017-61, "Major Disasters: Interagency Examiner Guidance for Institutions Affected by Major Disasters" | Guidance | 2017 |
| OCC Bulletin 2017-54, "Branches and Relocations: Revised Comptroller’s Licensing Manual Booklet" | Guidance | 2017 |
| OCC Bulletin 2017-35, "Flood Disaster Protection Act: Revised Comptroller’s Handbook Booklet" | Guidance | 2017 |
| OCC Bulletin 2017-24, "Branch Closings: Revised Comptroller’s Licensing Manual Booklet" | Guidance | 2017 |
| OCC Bulletin 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29" | Guidance | 2017 |
| OCC Bulletin 2017-7, "Third-Party Relationships: Supplemental Examination Procedures" | Guidance | 2017 |
| OCC Bulletin 2016-34, "Cybersecurity: Frequently Asked Questions on the FFIEC Cybersecurity Assessment Tool" | Guidance | 2016 |
| OCC Bulletin 2016-30, "Enforceable Guidelines for Recovery Planning: Final Guidelines" | Guidance | 2016 |
| OCC Bulletin 2015-31, "Cybersecurity: FFIEC Cybersecurity Assessment Tool" | Guidance | 2015 |
| OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance" | Guidance | 2013 |
| OCC Bulletin 2012-28, "Supervisory Guidance on Natural Disasters and Other Emergency Conditions" | Guidance | 2012 |
| OCC Bulletin 2006-26, "Disaster Planning: Hurricane Katrina – Lessons Learned" | Guidance | 2006 |
| OCC Bulletin 2006-12, "Influenza Pandemic Preparedness: Interagency Advisory" | Guidance | 2006 |
| OCC Bulletin 2006-6, "Community Reinvestment Act: Hurricanes Katrina and Rita" | Guidance | 2006 |
| OCC Bulletin 2003-14, "Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" | Guidance | 2003 |
| OCC Bulletin 2003-13, "Telecommunications Service Priority (TSP) Program: Policy on Sponsorship of TSP for Private Sector Entities" | Guidance | 2003 |
| OCC Bulletin 2002-33, "Government Emergency Telecommunications Service (GETS): FBIIC Policy on Sponsorship of GETS Cards for Private Sector Entities" | Guidance | 2002 |
| OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance" | Guidance | 2002 |
| OCC Bulletin 1998-3, "Technology Risk Management: Guidance for Bankers and Examiners" | Guidance | 1998 |
Other References
| Resource Title | Type | Date |
| U.S. Department of Health & Human Services, Centers for Disease Control and Prevention, Pandemic Influenza (January 2019) | January 2019 | |
| Communications, Security, Reliability, and Interoperability Council, Infrastructure Sharing During Emergencies (December 2014) | December 2014 | |
| National Infrastructure Protection Plan, NIPP 2013: Partnering for Critical Infrastructure and Resilience (November 2013) | November 2013 | |
| NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems (May 2010) | May 2010 | |
| BITS Financial Services Roundtable, BITS Framework for Managing Technology Risk for Service Provider Relationships (May 2008) | May 2008 | |
| Basel Committee on Banking Supervision, The Joint Forum: High-level Principles for Business Continuity (August 2006) | August 2006 | |
| U.S. Department of Homeland Security, Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources (September 2006) | September 2006 | |
| Department of Health and Human Services, Centers for Disease Control and Prevention Business Pandemic Influenza Planning Checklist (December 2005) | December 2005 | |
| Homeland Security Council National Strategy for Pandemic Influenza (November 2005) | November 2005 | |
Federal Reserve Bank of New York, Best Practices to Assure Telecommunications Continuity for Financial Institutions and the Payment and Settlement Utilities: Report by the Assuring Telecommunications Continuity Task Force (September 2004) |
September 2004 | |
| The President’s National Security Telecommunications Advisory Committee, Financial Services Task Report (April 2004) | April 2004 |
| Previous Section Appendix C: Abbreviations |