The Federal Financial Institutions Examination Council (FFIEC) recently announced a revision to its Supervision of Technology Service Providers booklet (TSP Booklet).  Concurrently, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency issued Administrative Guidelines for the Implementation of the Interagency Program for the Supervision of Technology Service Providers (Guidelines).

The revised TSP Booklet updates the previous version dated March 2003.[1]  This booklet, which is part of the FFIEC Information Technology Examination Handbook, provides guidance for examiners and financial institutions on the supervision of technology service providers (TSPs).  It describes the federal banking regulators’ statutory authority to supervise third-party service providers that enter into contractual arrangements with regulated financial institutions, and outlines the regulators’ risk-based supervision program, including the Uniform Rating System used in examinations to assess IT-related risks uniformly.  According to the revised TSP Booklet:

  • outsourced activities should be subject to the same risk management, security, privacy, and other internal controls and compliance policies as if those functions were performed internally by the financial institution;
  • a financial institution’s board of directors and management have the ultimate responsibility for ensuring that outsourced activities are properly managed.

The TSP Booklet outlines processes for interagency examinations of technology service providers that have access to bank networks, or that possess (host) nonpublic personal information owned by banks.  The Uniform Rating System used to rate the risks of financial institutions and their TSPs covers four categories: 1) Audit, 2) Management, 3) Development and Acquisition, and 4) Support and Delivery.  Such examinations are based on risk-based supervision, including the FFIEC’s identification and selection of TSPs warranting scrutiny, as well as guidelines for the development of a risk-based supervisory strategy for those TSPs.  The FFIEC has identified operational risk as the primary risk associated with TSP processing, and the examinations of TSPs will focus on the following underlying risk issues that affect the client financial institutions or the institutions’ customers:

  • Management of technology
  • Integrity of data
  • Confidentiality of information
  • Availability of services
  • Compliance
  • Financial stability

Other risks include reputation risk, strategic risk, compliance risk, and credit/pricing risk.  The FFIEC recommends that financial institutions tailor their risk management practices to the nature and complexity of their business activities, conduct sufficient due diligence when selecting TSPs, and perform ongoing audits of them.

[1] The Guidelines and the corresponding updates to the TSP Booklet rescind FFIEC Supervisory Policy-1, “Interagency EDP Examination, Scheduling, and Distribution Policy” (September 1991), and FFIEC Supervisory Policy-11, “Enhanced Supervision Program (ESP) for Multidistrict Data Processing Servicers (MDPS)” (January 1995). In addition, SR letter 95-7, “Enhanced Supervision Program for Multidistrict Data Processing Servicers,” is superseded by the revised TSP Booklet.