Booklet: Supervision of Technology Service Providers
Section: Introduction

The “Supervision of Technology Service Providers” booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook and rescinds chapters 2–7 of that handbook. This booklet primarily governs the supervision of technology service providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC) member agencies’ (agencies) expectations of financial institutions in the oversight and management of their TSP relationships. This booklet outlines the agencies’ risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers. In addition, this booklet discusses two special IT-related programs administered by the FFIEC agencies: the Multi-Regional Data Processing Servicer (MDPS) Program, geared towards examining large TSPs, and the Shared Application Software Review (SASR) Program aimed at reviewing mission-critical software packages.

Many financial institutions outsource IT processing to a TSP. A financial institution’s use of a TSP to provide needed products and services does not diminish the responsibility of the institution’s board of directors and management to ensure that these activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. Financial institutions should have a comprehensive outsourcing risk management process to govern their TSP relationships. Such processes should include risk assessment, selection of service providers, contract review, and monitoring of service providers. Many TSP relationships should be subject to the same risk management, security, privacy, and other internal controls and policies that would be expected if the financial institution were conducting the activities directly. This handbook primarily focuses on how the agencies review TSPs based upon risk. For more details on how to assess institutional risk, refer to the other booklets in this series.

To help ensure that the client financial institutions operate in a safe and sound manner, the services performed by TSPs are subject to regulation and examination. The federal financial regulators have the statutory authority to supervise all of the activities and records of the financial institution whether performed by the institution or by a third party on or off of the premises of the financial institution. Accordingly, the examination and supervision of a financial institution is not hindered by a transfer of the institution’s records to another organization or by having another organization carry out all or part of the financial institution’s functions.