The federal banking, thrift, and credit union regulatory agencies have published guidance for examiners, financial institutions, and technology service providers on the acquisition and use of free and open source software (FOSS). FOSS refers to software that users are permitted to run, study, modify, and redistribute without paying a licensing fee. Some of the most well-known examples of FOSS are the Linux operating system, the Apache web server, and the MySQL database. The use of FOSS is increasing within the information technology and financial services industries.
The agencies are of the opinion that the use of FOSS does not pose risks that are fundamentally different from risks presented by proprietary or self-developed software. However, the acquisition and use of FOSS necessitates implementation of unique risk management practices. This guidance supplements the FFIEC IT Examination Handbook, "Development and Acquisition Booklet" by addressing strategic, operational, and legal risk considerations in acquiring and using FOSS.
Reserve Banks are asked to distribute this guidance to banking organizations and technology service providers supervised by the Federal Reserve. If you have any questions regarding this letter, please contact Adrienne Haden, Manager, Operational and Information Technology Risk, (202) 452-2058 or Blaine Jones, Supervisory EDP Analyst, (202) 452-3759.