IT Examiner School eBook May 2025

Internal Use Only

Use of Supervisory Guidance

Examiners will not criticize a supervised FI for, or issue an enforcement action on the basis of, a “violation” of or “non-compliance” with supervisory guidance.

Examiners may reference guidance to provide examples of safe and sound conduct, appropriate risk management practices, and/or actions for addressing compliance with laws or regulations. Supervisory criticisms should address matters that could have a negative effect on safety and soundness, cause consumer harm, or result in violations of laws, regulations, final agency orders, or other legally enforceable conditions.

Important Note: Check with your own agency, as the approach may differ from that of the federal agencies.

Source: https://www.ecfr.gov/current/title-12/chapter-III/subchapter-A/part-302

Regulatory Authority Examples: Non-Depository Institutions

Type of Entity: Regulators / Licensure

Mortgage Originators and Servicers: CFPB, FTC, States

Money Service Businesses / Money Transmitters: FTC, States

Consumer Finance: CFPB, FTC, States

Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.: 16 CFR 314; 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).
