Booklet: Supervision of Technology Service Providers
Section: Supervisory Process

This section reviews the process for examining a TSP. It explains the different types of FFIEC work products and details the responsibilities of IT examiners for TSP examinations.
FFIEC WORK PRODUCTS

- Technology Service Provider (TSP) Examinations—TSPs include independent data centers, joint venture/limited liability corporations, and bank service corporations. The FFIEC agencies examine these entities to identify existing or potential risks that could adversely affect serviced financial institutions.

- Multi-Regional Data Processing Servicer (MDPS) Examinations—MDPS companies may be regional or national in scope and service more than one class of financial institution. The FFIEC IT subcommittee selects TSPs for the MDPS program based upon their systemic risk to the banking industry. For MDPS companies, the FFIEC agencies supplement on-site examination coverage with the Enhanced Supervisory Program (ESP). The ESP provides for interim reviews of material changes in the company’s activities or condition. The ESP allows each agency to more promptly recognize and supervise risks associated with systemically significant service providers. An ESP visitation usually results in a letter to the board of directors communicating any findings or concerns.

- Shared Application Software Review (SASR)—An SASR is typically an interagency review of software programs or systems in use at financial institutions. The primary objective of these reviews is to identify potential systemic risks posed by such programs or systems. SASRs can help reduce the time and resources needed to examine software systems at individual financial institutions.

- Follow-Up Review—The purpose of these reviews is to maintain communications with TSPs between on-site examinations; to identify significant changes in management, products, services, or risk management practices affecting serviced financial institutions; to follow up on any issues or concerns previously identified; to confirm business-line and service provider risk designations and the resulting examination priority; and to update supervisory strategies.
FREQUENCY OF IT EXAMINATIONS

The frequency of IT examinations varies based on the risk profile of the TSP (i.e., the lower the risk, the less often examinations need to be done). Examiners determine risk based upon the TSP’s risk factors noted on the FFIEC “Examination Priority Ranking Sheet” in Appendix B. The ranking sheet contains the business line risk rankings, TSPs’ risk categories, and recommended examination priority. Having established the examination priority, examiners use the “Summary of Supervisory Approach,” contained in Appendix B, to determine the required frequency for supervisory activities. Occasionally, examiners will need to perform an unscheduled examination for areas of evolving supervisory interest or concern. In all cases, the IT examinations of TSPs that service more than one type of financial institution must be coordinated among the regulatory agencies during scheduling meetings held at the district/region or subcommittee levels, depending on the TSP involved.
EXAMINATION RESPONSIBILITIES

The EIC is responsible for the administration and overall performance of the IT examination. These responsibilities include, but are not limited to:

- Developing and maintaining an effective risk-based strategy and examination scope;
- Communicating and coordinating all supervisory activities including examination planning, meetings, and written communication with the appropriate supervisory office, agency-in-charge, and participating agencies;
- Assisting in scheduling interagency examinations;
- Communicating examination plans with the TSP to coordinate on-site activity before the examination begins;
- Supervising the examination team to ensure the ratings, examination conclusions, procedures, work papers, and workdays are consistent with, and completed in accordance with, the approved supervisory strategy;
- Holding exit conferences with management and the board of directors, as appropriate, to review examination findings and recommendations for follow-up; and
- Writing the report of examination.

The supervisory office for the agency-in-charge (AIC) will assist the examiners by:

- Coordinating interagency reviews;
- Ensuring that TSPs within its areas of responsibility receive IT examinations consistent with FFIEC policy outlined in Appendix B;
- Enforcing compliance with interagency agreements relating to TSP supervision;
- Ensuring appropriate staffing for examinations;
- Attending exit meetings, as appropriate;
- Reviewing and distributing the report of examination (ROE) to the TSP and the appropriate FFIEC agency offices; and
- Overseeing the potential distribution of ROEs to its regulated, serviced financial institutions. Each FFIEC agency is responsible for distributing ROEs to the serviced financial institutions it regulates.
EXAMINATION PLANNING

Examination planning is essential to effective supervision. Planning helps examiners develop risk-based strategies to effectively and efficiently examine each TSP. Planning begins with an examiner’s assessment of current and anticipated risks. Examiners should give special attention to mergers and acquisitions, new products or services offered, and management changes. The EIC must gather, organize, and analyze available information prior to beginning an on-site IT examination. The extent of advance preparation depends on the complexity of the TSP’s structure and on the type of services provided. Sources of information include, but are not limited to:

- Approved supervisory strategy;
- Prior examination reports, work papers, and recommendations;
- Supervisory actions and correspondence;
- Internal and external audit reports, when available;
- Internal risk assessments or other reviews, including security testing;
- Interim correspondence and memoranda related to the TSP;
- Financial statements and stock research reports;
- News reports;
- The TSP’s Web site, as applicable; and
- SEC filings for public companies.

A work program to assist with planning is located in Appendix A.
EXAMINATION SCOPE

The EIC should determine the scope of examination work and estimate the workdays required for completion. For examinations of TSPs that have more than one data processing center, the EIC should evaluate the subsidiary data centers for risk. The scope should cover the headquarters location and any data center chosen in the planning stage. The EIC should prepare a scope memorandum that identifies the risks highlighted in the last examination, areas for further review, and examination schedule information. The scope memorandum also should outline the objectives of the examination, assignments, workday budget, and other relevant information.

During the task of setting the scope and throughout an examination, EICs should maintain regular communications with their supervisor and other agencies, if appropriate. EICs should promptly communicate any significant anticipated changes in scope, projected staffing, or completion dates to the supervisory office and their examination team.

REQUEST INFORMATION

At least four weeks prior to the start of the examination, the EIC should communicate with the TSP, notifying it of the upcoming examination. The communication should request items the TSP should have ready when the examiners arrive.
ENTRANCE MEETING

The EIC should schedule an entrance meeting with key TSP staff members to introduce the examination team and to identify primary points of contact for specific areas of review. The agenda of the entrance meeting should, at a minimum, include the following:

- Significant management or audit concerns;
- Significant planned or anticipated changes and developments in IT hardware or software;
- Effects of new developments since the last examination (e.g., changes in control or management);
- Actions taken to correct issues discussed in prior examination and audit reports;
- Financial performance;
- Significant changes in operations, strategies, services offered, or client base;
- Economic and competitive conditions in the market area;
- Plans for meetings with management or audit to update them on examination status; and
- Standard contract provisions between the TSP and its customers.

The EIC should also plan to meet frequently with TSP management to inform them of the progress of the review.
WORK PAPERS

Work papers are used to document IT examination procedures and support conclusions. Work papers should be prepared for every area reviewed during the examination. They must provide sufficient documentation for a reviewer to understand what was done, why it was done, and how conclusions were reached. The work papers for each area should contain only essential information that supports conclusions, violations of law or regulations, or any applicable corrective actions. The work papers should also clarify what needs to be done about the conclusions, either by the TSP or the AIC.

All conclusions must be properly documented and maintained in the examination’s work papers. Examiners may obtain documentation by inspection, observation, inquiry, confirmation, or analytical tests. The EIC has the responsibility for reviewing all examination-related work papers prior to leaving the examination. The review should ensure that the overall quality of work papers is consistent with member agency standards.

Work papers are the joint property of the FFIEC agencies noted in the ROE. Examiners must secure work papers at all times. The IT examiner may not release examination work papers or ROEs outside of the FFIEC agencies without proper authorization.

Examiners and FFIEC agencies’ staff must maintain control over all sensitive examination-related information on their portable computers. Following the completion of the examination, examiners and staff should promptly remove examination-related information from their portable computers. If work papers are kept in an electronic format, agency personnel should protect the confidentiality of work papers by sharing them only through secure communications that protect the documents from unauthorized access.
EXIT CONFERENCE

The objective of the exit conference is to communicate clearly the examiner’s findings, conclusions, and recommendations, and to obtain/confirm management’s commitment to any recommended corrective action. The EIC arranges the exit conference and prepares an agenda. The agenda should include the main issues contained in the draft examination report. All potential attendees should be informed of the meeting time and location several business days before the meeting date.

Before the meeting, the EIC should review all conclusions and recommendations with lower and mid-level management of the TSP. The EIC should research any disagreements before the exit conference to both validate the examination concern and to build additional support where needed.

BOARD MEETING

The EIC has the responsibility for presenting the ROE findings and conclusions at board meetings for composite 3-, 4-, and 5-rated TSPs. The AIC of the TSP examination should notify other FFIEC member agencies’ supervisory offices prior to issuing URSIT composite ratings of 3, 4, or 5 or engaging in informal or formal enforcement actions. A representative from the AIC should attend the meetings.

Examiners have the discretion to schedule board meetings for TSPs rated 1 or 2 when justified by the issues or other factors.
FFIEC IT REPORT OF EXAMINATION

The FFIEC has a uniform ROE format for IT examinations at TSPs. The ROE and preparation instructions are contained in Appendix C. The ROE contains an “Open Section,” which is distributed to the TSP, and an “Administrative Section” that contains information for FFIEC agencies’ use only. All significant findings and conclusions, including management comments, should be presented in the open section (i.e., unsafe and unsound practices, noncompliance with statutes and regulations, and deficiencies noted). Matters of a proprietary nature and administrative information for agency use should be reported in the administrative section of the report.

The report should be completed by the EIC within 45 days of leaving the TSP or MDPS site. The supervisory office has an additional 15 days to review, revise, approve, and issue the report.
REPORT DISTRIBUTION

The ROE is generally distributed to three primary groups: the TSP, FFIEC agencies, and serviced financial institutions. The ROE is distributed according to the following table:

| ROE Components | Service Provider | FFIEC Agencies | Serviced Financial Institutions |
| Transmittal Letter | | | |
| Open Section | | | X |
| Administrative Section | | | |

Each FFIEC agency distributes TSP examination reports to serviced financial institutions either automatically or upon request. Reports are automatically distributed to serviced financial institutions when the TSP receives a composite IT rating of 4 or 5. In addition, all serviced financial institutions can receive a copy of the ROE from their primary regulator if the financial institution is on the customer list of the respective ROE or the institution can provide documentation reflecting that it contracted with the TSP subsequent to the examination.