Booklet: Supervision of Technology Service Providers
Section: Risk-Based Supervision
The FFIEC agencies base their IT examination process on the concept of on-going, risk-based supervision. Risk-based supervision of TSPs is designed to:

- Identify existing or potential risks associated with the TSP that could adversely affect serviced financial institutions;
- Evaluate the overall integrity and effectiveness of the TSP’s risk management systems and controls;
- Determine compliance with any applicable laws or regulations that affect the services provided to financial institutions;
- Communicate findings, recommendations, and any required corrective actions in a clear and timely manner to TSP management, and as appropriate, to client financial institutions and supervisory personnel;
- Obtain commitments to correct significant deficiencies and verify the effectiveness of corrective actions; and
- Monitor any significant changes in a TSP’s products, services, or risk management practices that would adversely affect its risk profile or those of its client financial institutions.
The FFIEC agencies’
risk-based supervision consists of the identification and selection of
TSPs warranting examination by IT examiners, followed by the development
of a risk-based supervisory strategy for each entity including any necessary
follow-up reviews. This approach provides for examination coverage of
selected TSPs including core application processors, electronic funds
transfer switches, Internet banking providers, item processors, etc.
To assist in the scheduling and prioritization of TSP examinations, the
FFIEC agencies use an “Examination Priority Ranking Sheet”
(Appendix B). This worksheet groups TSPs into various supervisory priorities,
based on the relative risk of their business lines, their client base,
and their overall controls and risk management oversight. Higher-risk
TSPs are subject to more frequent and extensive examinations and reviews.
Examiners develop an initial risk profile for a TSP from information gathered
during examinations, from supervisory activities, and from reports prepared
by independent third parties, for example, external audits.
When conducting IT examinations, examiners should focus on the underlying risk issues that are common to all IT activities:

- Management of Technology—The planning and overseeing of technological resources and services and ensuring they support the strategic goals and objectives of the financial institution or TSP.
- Integrity of Data—The accuracy and reliability of automated information and associated management information systems.
- Confidentiality of Information—The protection of information from intentional or inadvertent disclosure to unauthorized individuals.
- Availability of Services—The effectiveness of business continuity programs and adherence to service-level agreements.
- Financial Stability—The maintenance of capital to support ongoing operations and the ability to generate a profit to support capital levels and the adequacy of liquidity due to potentially overvalued technology assets or cash shortages during times of rapid growth. Financial difficulties at the TSP can negatively affect the serviced financial institution through deteriorating quality of service, reliability of service, or adequacy of controls.
RISK ASSESSMENT

Transaction risk (also referred to as operational risk) is the primary risk associated with TSP processing. Transaction risk may arise from fraud, error, or the inability to deliver products or services, maintain a competitive position, or manage information. It exists in each process involved in the delivery of TSPs’ products or services. Transaction risk not only includes operations and transaction processing, but also areas such as customer service, systems development and support, internal control processes, and capacity planning. Transaction risk also may affect other risks such as credit, interest rate, compliance, liquidity, price, strategic, or reputation. Some other TSP risks include:

- Reputation risk—Errors, delays, or omissions in information technology that become public knowledge or directly affect customers can significantly affect the reputation of the serviced financial institutions. For example, a TSP’s failure to maintain adequate business resumption plans and facilities for key processes may impair the ability of serviced financial institutions to provide critical services to their customers.
- Strategic risk—Inaccurate information from TSPs can cause the management of serviced financial institutions to make poor strategic decisions.
- Compliance (legal) risk—Inaccurate or untimely data related to consumer compliance disclosures, or unauthorized disclosure of confidential customer information could expose financial institutions to civil money penalties or litigation. For example, TSPs often agree to keep disclosures or calculations in compliance with banking regulations, and their failure to track regulatory changes could increase compliance risk for their serviced financial institutions.
- Interest rate, liquidity, and price (market) risk—Processing errors related to investment income or repayment assumptions could increase interest rate risks of serviced financial institutions.
Examiners should determine the degree of risk and the quality of risk
management of the TSP at each examination. Their assessments of a TSP’s
degree and quality of risk management should be discussed with TSP management
and factored into the TSP’s “Examination Priority Ranking
Sheet” and its supervisory ratings. Examiners also should explain
how the TSP’s deficiencies increase the risk to the serviced institutions.
For example, inadequate business resumption plans at the TSP may increase
the transaction and reputation risks at serviced institutions.
The quantity of transaction/operational risk at a TSP is the level or volume of risk that exists. Examiners should consider the following factors in evaluating the quantity of transaction/operational risk:

- Financial condition of the TSP
- Number of client institutions serviced
- Volume (both dollar value and quantity) of transactions processed for serviced financial institutions
- Aggregate size (both dollar value and quantity) of all regulated financial institutions serviced
- Number and type of product lines provided
- Reliability of the technology used
- Adequacy of business continuity planning
The quality of transaction/operational risk management is an assessment of how well risks are identified, measured, controlled, and monitored. Examiners should consider the following factors in evaluating the quality of transaction/operational risk management:

- The quality of the TSP’s policies;
- The adequacy of the TSP’s control and operational processes;
- The extent of the TSP’s technical and managerial expertise;
- Directorate oversight; and
- The timeliness and completeness of management information systems that are used to measure performance, make decisions about risk, and assess the effectiveness of processes.
UNIFORM RATING SYSTEM FOR INFORMATION TECHNOLOGY

The FFIEC agencies use the Uniform Rating System for Information Technology
(URSIT) to assess and rate IT-related risks of financial institutions
and TSPs. The primary purpose of the rating system is to identify those
entities whose condition or performance of information technology functions
requires special supervisory attention. This rating system assists examiners
in making an assessment of risk and compiling examination findings. Examiners
should use the rating system to help evaluate the entity’s overall
risk exposure and risk management performance, and determine the degree
of supervisory attention necessary to ensure that weaknesses are addressed
and that risk is properly managed. The FFIEC agencies require the use
of URSIT for all nonbank TSPs selected for examination.
The URSIT is based on a risk evaluation of four critical components: audit;
management; development and acquisition; and support and delivery (AMDS).
These components are used to assess the overall performance of IT within
an organization (e.g., the composite rating). Examiners evaluate the functions
identified within each component to assess the institution’s ability
to identify, measure, monitor and control information technology risks.
Please refer to Appendix D for additional information on composite and
component URSIT ratings.
RISK MANAGEMENT

The FFIEC agencies recognize that management practices, particularly as they
relate to risk management, vary considerably among financial institutions
and TSPs, depending on their size and sophistication, the nature and complexity
of their business activities, and their risk profile. Accordingly, the
FFIEC agencies also recognize that for less complex information systems
environments, detailed or highly formalized systems and controls may not
be required.
Financial institutions should oversee their TSPs and perform due diligence in selecting
their vendors, including a review of the risk management systems used
by the TSP. Such reviews should include measures taken by the TSPs to
protect information about financial institutions’ customers. Financial
institutions should monitor their TSPs to confirm that they implement
adequate security measures. As part of this monitoring, financial institutions
should review information such as TSP service-level reports, audits, internal
control testing results, and other equivalent evaluations of their TSPs.
Examiners may identify situations where a TSP has weak risk management controls
requiring corrective action. In such situations, the TSP’s serviced
institutions may also have to take remedial actions since they have the
ultimate responsibility to properly manage their risks.
TSPs and financial institutions should monitor changes in laws, regulations,
and guidance that affect the services provided to financial institutions.
AUDIT AND INTERNAL CONTROL

Well-planned, properly structured audit programs are essential to strong
risk management and effective internal control systems. Effective internal
and external audit programs are also a critical defense against fraud
and provide vital information to the board of directors about the effectiveness
of internal control systems. The FFIEC agencies encourage the use of well-supported
risk-based auditing. Through this process, the board, management, and
auditors can focus their resources on the areas of greatest risk.
Examiners’ assessments of the adequacy of audit and internal control assist in effectively
using supervisory resources, establishing the scope of current and future
supervisory activities, and assessing the quality of risk management.
TSPs with an effective risk-based auditing program typically require less
examination work by regulatory agencies.
Additional guidance on what examiners review in information system audit
and internal control functions can be found in the “Audit”
and “Management” booklets of the FFIEC IT Handbook.
SUPERVISORY STRATEGIES

A supervisory strategy is a plan to provide effective, efficient examinations
for each organization. The supervisory strategy should address the supervisory
objectives, specific work plans, and the planned supervisory activities.
The examiner-in-charge (EIC) prepares the supervisory strategy that directs
the examination activities and reflects:
- Statutory and policy-based examination requirements
- Knowledge of the institution, including:
  - Risk profile and risk management system;
  - Strengths and weaknesses, including areas where examiners have noted exceptions in the past;
  - Supervisory history; and
  - Market factors.

OBJECTIVES
The EIC should base supervisory objectives for a TSP examination on the
TSP’s risk profile and appropriate statutory or agency standards.
The supervisory objectives are the foundation for all activities and work
plans. Well-defined objectives provide for focused and efficient activities
and ensure consistent and appropriate application of supervisory policy.
Supervisory objectives must be clear, attainable, specific, and action
oriented.
WORK PLANS
Examination work plans provide the documented methodology for achieving
the TSP supervisory strategies. Work plans detail the scope, timing, and
resources needed to meet supervisory objectives and strategies.
ACTIVITIES
Supervisory activities detail the steps that will achieve supervisory
objectives. Each activity should link directly to one or more of the supervisory
objectives. They should be focused on ensuring that risk management systems
operate effectively. Activities should include a plan for communicating
with the TSP (e.g., reports of examination, meeting with the board of
directors).