Appendix C: Laws, Regulations, and Guidance

Sources

Laws

| Resource Title | Type | Date |
|---|---|---|
| 12 USC 1867(c): Bank Service Company Act | Laws | |
| 12 USC 1882: Bank Protection Act | Laws | |
| 15 USC 1681w: Fair and Accurate Credit Transactions Act | Laws | |
| 15 USC 6801 and 6805(b): Gramm-Leach-Bliley Act | Laws | |
| 18 USC 1030: Fraud and Related Activity in Connection with Computers | Laws | |

Consumer Financial Protection Bureau

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 1005: Electronic Fund Transfers (Regulation E) | Regulations | January 1, 2012 |
| 12 CFR 1016: Privacy of Consumer Financial Information (Regulation P) | Regulations | January 1, 2016 |

Federal Deposit Insurance Corporation

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 326, subpart A: Minimum Security Procedures | Regulations | N/A |
| 12 CFR 326, subpart B: Procedures for Monitoring Bank Secrecy Act Compliance | Regulations | N/A |
| 12 CFR 332: Privacy of Consumer Financial Information | Regulations | N/A |
| 12 CFR 353: Suspicious Activity Reports | Regulations | N/A |
| 12 CFR 364, appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | Regulations | N/A |
| 12 CFR 364, appendix B: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulations | N/A |
| FIL-50-2011: FFIEC Supplement to Authentication in an Internet Banking Environment | Guidance | June 29, 2011 |
| FIL-103-2005: FFIEC Guidance Authentication in an Internet Banking Environment | Guidance | October 12, 2005 |
| FIL-66-2005: Spyware - Guidance on Mitigating Risks From Spyware | Guidance | July 22, 2005 |
| FIL-64-2005: "Pharming" - Guidance on How Financial Institutions can Protect against Pharming Attacks | Guidance | July 18, 2005 |
| FIL-59-2005: Identity Theft Study Supplement on "Account Hijacking" Identity Theft | Guidance | July 5, 2005 |
| FIL-27-2005: Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice | Guidance | April 1, 2005 |
| FIL-7-2005: Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Customer Information | Guidance | February 2, 2005 |
| FIL-132-2004: Identity Theft Study on "Account Hijacking" Identity Theft and Suggestions for Reducing Online Fraud | Guidance | December 14, 2004 |
| FIL-121-2004: Computer Software Due Diligence - Guidance on Developing an Effective Software Evaluation Program to Assure Quality and Regulatory Compliance | Guidance | November 16, 2004 |
| FIL-114-2004: Risk Management of Free and Open Source Software FFIEC Guidance | Guidance | October 21, 2004 |
| FIL-103-2004: Interagency Informational Brochure on Internet "Phishing" Scams | Guidance | September 13, 2004 |
| FIL-84-2004: Guidance on Instant Messaging | Guidance | July 21, 2004 |
| FIL-62-2004: Guidance on Developing an Effective Computer Virus Protection Program | Guidance | June 7, 2004 |
| FIL-27-2004: Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud Schemes | Guidance | March 12, 2004 |
| FIL-63-2003: Guidance on Identity Theft Response Programs | Guidance | August 13, 2003 |
| FIL-43-2003: Guidance on Developing an Effective Software Patch Management Program | Guidance | May 29, 2003 |
| FIL-8-2002: Wireless Networks And Customer Access | Guidance | February 1, 2002 |
| FIL-69-2001: Authentication In An Electronic Banking Environment | Guidance | August 24, 2001 |
| FIL-68-2001: 501(b) Examination Guidance | Guidance | August 24, 2001 |
| FIL-39-2001: Guidance on Identity Theft and Pretext Calling | Guidance | May 9, 2001 |
| FIL-22-2001: Security Standards for Customer Information | Guidance | March 14, 2001 |
| FIL-77-2000: Bank Technology Bulletin: Protecting Internet Domain Names | Guidance | November 9, 2000 |
| FIL-67-2000: Security Monitoring of Computer Networks | Guidance | October 3, 2000 |
| FIL-68-99: Risk Assessment Tools and Practices | Guidance | July 1999 |
| FIL-98-98: Pretext Phone Calling | Guidance | September 2, 1998 |
| FIL-131-97: Security Risks Associated with the Internet | Guidance | December 18, 1997 |
| FIL-124-97: Suspicious Activity Reporting | Guidance | December 5, 1997 |
| FIL-82-96: Risks Involving Client/Server Computer Systems | Guidance | October 8, 1996 |
| FIL-28-2015: Cybersecurity Assessment Tool | Guidance | July 2, 2015 |
| FIL-13-2015: FFIEC Joint Statements on Destructive Malware and Compromised Credentials | Guidance | March 30, 2015 |
| FIL-9-2015: Business Continuity Planning Booklet Appendix J Update to FFIEC IT Examination Handbook Series | Guidance | February 23, 2015 |
| FIL-49-2014: Technology Alert GNU Bourne-Again Shell (Bash) Vulnerability | Guidance | September 29, 2014 |
| FIL-16-2014: Technology Alert OpenSSL Heartbleed Vulnerability | Guidance | April 11, 2014 |
| FIL-11-2014: Distributed Denial of Service (DDoS) Attacks | Guidance | April 2, 2014 |
| FIL-10-2014: ATM and Card Authorization Systems | Guidance | April 2, 2014 |
| FIL-56-2010: Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers | Guidance | September 15, 2010 |
| FIL-6-2010: Retail Payment Systems Booklet | Guidance | February 25, 2010 |
| FIL-30-2009: Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Frequently Asked Questions | Guidance | June 11, 2009 |
| FIL-105-2008: Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures | Guidance | October 16, 2008 |
| FIL-100-2007: Identity Theft Red Flags—Interagency Final Regulation and Guidelines | Guidance | November 15, 2007 |
| FIL-32-2007: FDIC's Supervisory Policy on Identity Theft | Guidance | April 11, 2007 |
| FIL-77-2006: Authentication in an Internet Banking Environment Frequently Asked Questions | Guidance | August 21, 2006 |
| | Guidance | April 23, 2003 |

Federal Financial Institutions Examination Council

| Resource Title | Type | Date |
|---|---|---|
| Authentication and Access to Financial Institution Services and Systems | Guidance | August 2021 |

Federal Reserve Board

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 208.61: Minimum Security Devices and Procedures | Regulations | N/A |
| 12 CFR 208.62: Reports of Suspicious Activities | Regulations | N/A |
| 12 CFR 208.63: Procedures for Monitoring Bank Secrecy Act Compliance | Regulations | N/A |
| 12 CFR 208, Appendix D-1: Interagency Guidelines Establishing Standards for Safety and Soundness | Regulations | N/A |
| 12 CFR 208, Appendix D-2: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulations | N/A |
| 12 CFR 211.5 (1): Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Edge or agreement corporation) | Regulations | N/A |
| 12 CFR 211.9: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulations | |
| 12 CFR 211.24 (i): Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulations | N/A |
| 12 CFR 225 Appendix F: Interagency Guidelines Establishing Standards for Safeguarding Customer Information | Regulations | N/A |
| SR Letter 05-19: Interagency Guidance on Authentication in an Internet Banking Environment | Guidance | October 13, 2005 |
| SR Letter 04-17: FFIEC Guidance on the use of Free and Open Source Software | Guidance | December 6, 2004 |
| SR Letter 04-14: FFIEC Brochure with Information on Internet "Phishing" | Guidance | October 19, 2004 |
| SR Letter 02-18: Section 312 of the USA Patriot Act - Due Diligence for Correspondent and Private Banking Accounts | Guidance | July 23, 2002 |
| SR Letter 02-6: Information Sharing Pursuant to Section 314(b) of the USA Patriot Act | Guidance | March 14, 2002 |
| SR Letter 01-15: Safeguarding Customer Information | Guidance | May 31, 2001 |
| SR Letter 00-17: Guidance on the Risk Management of Outsourced Technology Services | Guidance | November 30, 2000 |
| SR Letter 01-11: Identity Theft and Pretext Calling | Guidance | April 26, 2001 |
| SR Letter 00-04: Outsourcing of Information and Transaction Processing | Guidance | February 29, 2000 |
| SR Letter 99-08: Uniform Rating System for Information Technology | Guidance | March 31, 1999 |
| SR Letter 97-32: Sound Practices Guidance for Information Security for Networks | Guidance | December 4, 1997 |
| SR Letter 15-9: FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors | Guidance | |

National Credit Union Administration

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 721: Federal Credit Union Incidental Powers Activities | Regulations | N/A |
| 12 CFR 748: Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance and Appendix | Regulations | N/A |
| 12 CFR 716: Privacy of Consumer Financial Information, and Appendix | Regulations | N/A |
| 12 CFR 741: Requirements for Insurance | Regulations | N/A |
| NCUA Letter to Credit Unions 05-CU-20: Phishing Guidance for Credit Unions and Their Members | Guidance | December 2005 |
| NCUA Letter to Credit Unions 05-CU-18: Guidance on Authentication in Internet Banking Environment | Guidance | November 2005 |
| NCUA Letter to Credit Unions 04-CU-12: Phishing Guidance for Credit Union Members | Guidance | September 2004 |
| NCUA Letter to Credit Unions 04-CU-06: E-Mail and Internet Related Fraudulent Schemes Guidance | Guidance | April 2004 |
| NCUA Letter to Credit Unions 04-CU-05: Fraudulent E-Mail Schemes | Guidance | April 2004 |
| NCUA Letter to Credit Unions 03-CU-14: Computer Software Patch Management | Guidance | September 2003 |
| NCUA Letter to Credit Unions 03-CU-12: Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions | Guidance | August 2003 |
| NCUA Letter to Credit Unions 03-CU-08: Weblinking: Identifying Risks & Risk Management Techniques | Guidance | April 2003 |
| NCUA Letter to Credit Unions 03-CU-03: Wireless Technology | Guidance | February 2003 |
| NCUA Letter to Federal Credit Unions 02-FCU-11: Tips to Safely Conduct Financial Transactions Over the Internet | Guidance | July 2002 |
| NCUA Letter to Credit Unions 02-CU-13: Vendor Information Systems & Technology Reviews - Summary Results | Guidance | July 2002 |
| NCUA Letter to Credit Unions 02-CU-08: Account Aggregation Services | Guidance | April 2002 |
| NCUA Letter to Federal Credit Unions 02-FCU-04: Weblinking Relationships | Guidance | March 2002 |
| NCUA Letter to Credit Unions 01-CU-21: Disaster Recovery and Business Resumption Contingency Plans | Guidance | December 2001 |
| NCUA Letter to Credit Unions 01-CU-20: Due Diligence Over Third Party Service Providers | Guidance | November 2001 |
| NCUA Letter to Credit Unions 01-CU-12: E-Commerce Insurance Considerations | Guidance | October 2001 |
| NCUA Letter to Credit Unions 01-CU-09: Identity Theft and Pretext Calling | Guidance | September 2001 |
| NCUA Letter to Credit Unions 01-CU-11: Electronic Data Security Overview | Guidance | August 2001 |
| NCUA Letter to Credit Unions 01-CU-10: Authentication in an Electronic Banking Environment | Guidance | August 2001 |
| NCUA Letter to Credit Unions 01-CU-04: Integrating Financial Services and Emerging Technology | Guidance | March 2001 |
| NCUA Regulatory Alert 01-RA-03: Electronic Signatures in Global and National Commerce Act | Guidance | March 2001 |
| NCUA Letter to Credit Unions 01-CU-02: Privacy of Consumer Financial Information | Guidance | February 2001 |
| NCUA Letter to Credit Unions 00-CU-11: Risk Management of Outsourced Technology Services | Guidance | December 2000 |
| NCUA Letter to Credit Unions 00-CU-07: NCUA's Information Systems & Technology Examination Program | Guidance | October 2000 |
| NCUA Letter to Credit Unions 00-CU-04: Suspicious Activity Reporting | Guidance | July 2000 |
| NCUA Letter to Credit Unions 00-CU-02: Identity Theft Prevention | Guidance | May 2000 |
| NCUA Regulatory Alert 99-RA-3: Pretext Phone Calling by Account Information Brokers | Guidance | February 1999 |
| NCUA Regulatory Alert 98-RA-4: Interagency Guidance on Electronic Financial Services and Consumer Compliance | Guidance | July 1998 |
| NCUA Letter to Credit Unions 97-CU-5: Interagency Statement on Retail On-line PC Banking | Guidance | April 1997 |
| NCUA Letter to Credit Unions 97-CU-01: Automated Response System Controls | Guidance | January 1997 |
| NCUA Letter to Credit Unions 109: Information Processing Issues | Guidance | September 1989 |

Office of the Comptroller of the Currency

| Resource Title | Type | Date |
|---|---|---|
| 12 CFR 21, Subpart A: Minimum Security Devices and Procedures | Regulations | N/A |
| 12 CFR 21, Subpart B: Reports of Suspicious Activities | Regulations | N/A |
| 12 CFR 21, Subpart C: Procedures for Monitoring Bank Secrecy Act Compliance | Regulations | N/A |
| 12 CFR 30, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | Regulations | N/A |
| 12 CFR 30, Appendix B: Interagency Guidelines Establishing Information Security | Regulations | N/A |
| OCC Bulletin 2011-26: Authentication in an Internet Environment - Supplement | Guidance | June 28, 2011 |
| OCC Bulletin 2005-35: Authentication in an Internet Banking Environment | Guidance | October 12, 2005 |
| OCC Bulletin 2005-24: Threats from Fraudulent Bank Web Sites | Guidance | July 1, 2005 |
| OCC Bulletin 2005-13: Response Programs for Unauthorized Access to Customer Information and Customer Notice: Final Guidance | Guidance | April 14, 2005 |
| OCC Bulletin 2005-1: Proper Disposal of Consumer Information | Guidance | January 12, 2005 |
| OCC Bulletin 2001-35: Examination Procedures for Guidelines to Safeguard Customer Information | Guidance | July 18, 2001 |
| OCC Alert 2001-04: Network Security Vulnerabilities | Guidance | April 24, 2001 |
| OCC Bulletin 1999-20: Certificate Authority Guidance | Guidance | May 1999 |
| OCC Alert 2000-9: Protecting Internet Addresses of National Banks | Guidance | July 19, 2000 |
| 12 CFR 41.83: Proper Disposal of Records Containing Customer Information | Regulations | |
| OCC Bulletin 2016-18: Cybersecurity of Interbank Messaging and Wholesale Payment Networks: FFIEC Statement | Guidance | June 7, 2016 |
| OCC Bulletin 2016-14: FFIEC Information Technology Examination Handbook: Mobile Financial Services, New Appendix to the Retail Payment Systems Booklet | Guidance | April 29, 2016 |
| OCC Bulletin 2000-14: Infrastructure Threats-Intrusion Risks | Guidance | May 15, 2000 |
| OCC Alert 2000-1: Internet Security: Distributed Denial of Service Attacks | Guidance | February 11, 2000 |
| OCC Bulletin 2015-44: FFIEC Information Technology Examination Handbook: Revised Management Booklet | Guidance | November 10, 2015 |
| OCC Bulletin 2015-40: Cybersecurity: Joint Statement on Cyber Attacks Involving Extortion | Guidance | November 3, 2015 |
| OCC Advisory Letter 2000-12: Risk Management of Outsourcing Technology Services | Guidance | November 28, 2000 |
| OCC Bulletin 1998-3: Technology Risk Management | Guidance | February 4, 1998 |
| OCC Bulletin 2015-31: FFIEC Cybersecurity Assessment Tool | Guidance | June 30, 2015 |
| OCC Bulletin 2015-20: Cybersecurity: Destructive Malware Joint Statement | Guidance | March 30, 2015 |
| OCC Bulletin 2015-19: Cybersecurity: Cyber Attacks Compromising Credentials Joint Statement | Guidance | March 30, 2015 |
| OCC Bulletin 2015-9: FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet | Guidance | February 6, 2015 |
| OCC Bulletin 2014-53: Cybersecurity Assessment General Observations and Statement | Guidance | November 3, 2014 |
| OCC Bulletin 2014-17: Information Security Vulnerability in OpenSSL Encryption Tool ( ): Joint Statement | Guidance | April 25, 2014 |
| OCC Bulletin 2014-14: Distributed Denial-of-Service Cyber Attacks, Risk Mitigation, and Additional Resources: Joint Statement | Guidance | April 3, 2014 |
| OCC Bulletin 2014-13: Cyber Attacks on Financial Institutions' Automated Teller Machine and Card Authorization Systems: Joint Statement | Guidance | April 2, 2014 |
| OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance | Guidance | October 30, 2013 |
| OCC Bulletin 2013-22: Windows XP Operating System: Joint Statement | Guidance | October 7, 2013 |
| OCC Bulletin 2011-26: Authentication in an Internet Banking Environment: Supplement | Guidance | June 28, 2011 |
| OCC Bulletin 2008-16: Information Security: Application Security | Guidance | May 8, 2008 |
| OCC Bulletin 2007-45: Identity Theft Red Flags and Address Discrepancies: Final Rulemaking | Guidance | November 14, 2007 |
| OCC Bulletin 2005-35: Authentication in an Internet Banking Environment: Interagency Guidance | Guidance | October 12, 2005 |
| OCC Bulletin 2005-24: Threats From Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents | Guidance | July 1, 2005 |
| OCC Bulletin 2005-13: Response Programs for Unauthorized Access to Customer Information and Customer Notice: Final Guidance: Interagency Guidance | Guidance | April 14, 2005 |
| OCC Bulletin 2005-1: Proper Disposal of Consumer Information: Final Rule | Guidance | January 12, 2005 |
| OCC Bulletin 2001-35: Examination Procedures to Evaluate Compliance With the Guidelines to Safeguard Customer Information: Examination Procedures | Guidance | July 18, 2001 |
| OCC Bulletin 2001-8: Guidelines Establishing Standards for Safeguarding Customer Information: Final Guidelines | Guidance | February 15, 2001 |
| OCC Bulletin 2000-14: Infrastructure Threats-Intrusion Risks: Message to Bankers and Examiners | Guidance | May 15, 2000 |
| OCC Bulletin 1999-20: Certificate Authority Systems: Guidance for Bankers and Examiners | | |
| OCC Bulletin 1998-3: Technology Risk Management: Guidance for Bankers and Examiners | Guidance | February 4, 1998 |

Other References

| Resource Title | Type | Date |
|---|---|---|
| ISACA Control Objectives for Enterprise IT Governance at www.isaca.org (The Information Systems Audit and Control Association & Foundation) | Website | N/A |
| Basel Committee on Banking Supervision: Sound Practices for the Management and Supervision of Operational Risk | Publication | February 2003 |

 
