Booklet: Supervision of Technology Service Providers
Section: Multi-Regional Data Processing Servicer Program

An organization is considered for the Multi-Regional Data Processing Servicer
(MDPS) Program when it processes:
- Mission-critical applications for a large number of financial
  institutions that are regulated by more than one agency, thereby
  posing a high degree of systemic risk; or
- Work from a number of data centers located in different geographic
  regions.

The FFIEC agencies examine MDPS organizations because these entities pose
a systemic risk to the banking system should one or more have operational
or financial problems or fail. Since these companies service banks, thrifts,
and credit unions, the FFIEC conducts interagency IT examinations of these
large TSPs. Interagency IT examinations provide a single examination report
for the TSP management and the board of directors.

The MDPS program represents a cooperative arrangement among FFIEC agencies
for the achievement of shared common supervisory goals and objectives.
All FFIEC agencies participate in key decisions on MDPS examinations through
the FFIEC IT Subcommittee. Prior to September 30th of each year, the FFIEC
IT Subcommittee of the Task Force on Supervision determines a schedule
of MDPS examinations designating the servicer, the date of the examination,
and the agency-in-charge (AIC) for the following cycle. The IT subcommittee
agency representatives distribute the schedule to their respective regional/district
offices.

The following MDPS examination guidelines supplement the policies and procedures
contained in FFIEC SP-1: “Interagency IT Examination, Scheduling
and Distribution Policy” and SP-11: “Enhanced Supervision
Program for MDPS.”

RESPONSIBILITIES OF AGENCY-IN-CHARGE (AIC)
The FFIEC IT subcommittee selects one AIC for the supervision of each
MDPS company. The AIC administers the MDPS examination on behalf of all
participant FFIEC agencies during the rotating cycle.

The AIC assigns the EIC for the MDPS examination. The EIC is responsible for
including the requirements of participating agencies in the supervisory
strategy and scope of supervisory activities, leading the on-site examination,
assigning the ratings, writing the ROE, communicating the status of the
examination to participating agencies, and conducting follow-up activities.
The EIC will also conduct periodic reviews as required by agency policy.
As overall lead of the examination, the EIC must work closely and communicate
frequently with appropriate representatives of participating agencies
including headquarters, district/region, and field personnel.

It is the responsibility of the upcoming AIC to ensure that the examiner
who will be responsible for the supervision of the TSP/MDPS in the future
participates in the current examination to facilitate and ensure a smooth
transition. Participation in the current examination ensures that the
EIC for the next cycle is familiar with the entire MDPS operation.

RISK RANKING OF MDPS EXAMINATIONS
Examiners will use the “Examination Priority Ranking Sheet”
contained in Appendix B to risk-rank each MDPS organization. Occasionally,
examiners will need to perform an unscheduled examination for areas of
evolving supervisory interest or concern. Examiners should monitor the
ongoing condition of MDPSs between examinations through regular off-site
or informal reviews. This information should be coordinated with the FFIEC
IT Subcommittee.

GENERAL PROCEDURES

PRE-EXAMINATION PROCEDURES
The pre-examination review is conducted by the EIC of the AIC to determine
the scope of the overall examination, identify resource requirements,
schedule events, and determine which data centers, based on their level
of risk, should be examined. Based on this review, the EIC should prepare
a document providing details on the organization’s corporate history,
corporate and organizational structure, scope of the upcoming examination,
data centers included in the examination, data centers excluded from examination
and the reason why they are excluded, schedule of examinations, and examiner
resource requirements. The pre-examination review may include meetings
with MDPS management to discuss changes that have taken place since the
prior examination, or that may occur in the near future.

MDPS EXAMINER-IN-CHARGE RESPONSIBILITIES
In addition to the duties previously assigned to the IT examiner-in-charge
in the supervisory process section of this booklet, the MDPS EIC is also
responsible for the following:
- Scheduling and setting the scopes of MDPS examinations of corporate
  headquarters and remote data centers, based on input from all affected
  agencies;
- Coordinating resources to conduct examinations;
- Reviewing individual MDPS data center ROEs and resolving examination
  issues with the other agencies and MDPS management;
- Preparing the MDPS ROE, assigning ratings, signing the ROE and sending
  the ROE to the appropriate supervisory office for review and approval;
- Reviewing MDPS responses to ROE findings and recommending the
  appropriate response; and
- Adhering to the current FFIEC policies in place throughout the
  supervisory cycle.

SCOPE OF EXAMINATION
The EIC for the MDPS company develops the scope of the examination during
the pre-examination review and selects the data centers to be examined.
The AIC’s headquarters presents the scope document to the FFIEC
IT subcommittee for review and approval.

The EIC should complete the scope document and forward it to the AIC’s
Washington office for review by the IT subcommittee at least 150 days
before the target date for the first on-site activity. The subcommittee
should have 30 days to review and approve the scope document. The agency’s
headquarters office will distribute the examination scope document to
the other regulatory agencies.

SUPERVISORY TIMELINE
The EIC sets the time frames for examining the data centers and for the
submission of reports. Examinations of subsidiary data centers should
generally not begin more than 30 days prior to the target date of the
headquarters examination. The completed reports on these data centers
should be submitted to the EIC for consolidation prior to the start of
the headquarters examination. These reports should be sent within 30 days
of completion of the on-site activity.

PRESENTATION OF FINDINGS AND RECOMMENDATIONS
The EIC will notify agency headquarters’ staff of the date, time,
and location of the presentation of examination findings and recommendations
to management of the MDPS company. Each participating agency will have
the opportunity to review the examination findings and be represented
at the presentation. Normally, MDPS examination findings are presented
first to senior management and then to the board of directors.

WORK PAPERS AND WORKPROGRAMS
The lead examiner for each subsidiary data center must review work papers
to ensure that the examination findings are accurate and well documented.
The AIC should retain work papers and workprograms in its Washington,
regional, district, or field office as deemed appropriate by the AIC.
If work papers are electronic, the AIC will store them in a manner consistent
with its existing internal policies. If the AIC duties rotate, the current
AIC will provide an index of electronically stored work papers and copy
specific work paper documents at the request of the upcoming AIC.

REGULAR OFF-SITE REVIEWS
The MDPS AIC is responsible for completion of regular off-site and any
interim ESP reviews. These reviews are used to assist in assessing controls,
confirm the URSIT ratings and assigned examination priority, and maintain
ongoing communications with the MDPS organization. These reviews should
focus on identifying significant changes in management and risk management,
new products and services, and mergers and acquisitions; determining inherent
risk to supervised financial institutions; and following up on any issues
or concerns. These reviews will generally be completed at least once between
regularly scheduled examinations. Reviews may be conducted through correspondence,
telephone interviews, or any other means determined to be appropriate
by the AIC.

REPORT PREPARATION AND DISTRIBUTION

REPORT PREPARATION
The AIC is responsible for preparing a consolidated ROE. The ROE should
give an overall view of the organization and include an evaluation of
each data center examined. The ROE should contain an assessment of the
major risks to the financial institutions serviced by the MDPS organization,
recommendations for reducing or managing those risks, and management’s
responses to the findings and recommendations. The ROE should be prepared
following the guidelines in this handbook.

The reports for any subsidiary data centers examined should be summarized
and consolidated in the corresponding sections of the final ROE. To facilitate
distribution of the ROE to the serviced financial institutions, the examiner
should document findings for each subsidiary data center on a separate
page of the report. Or, as an alternative, a separate subsidiary data
center report may be issued with the approval of the MDPS EIC, AIC, and
other regulatory agencies. Deviations from the consolidated report format
should be approved by the AIC’s headquarters office and by the other
participating FFIEC agencies.

RATING
Each on-site MDPS examination will include one set of component ratings
and one composite rating, based upon the overall condition of its entire
operation. The MDPS ratings will follow URSIT (see Appendix D). Each MDPS
subsidiary data center examined requires a separate rating. The ratings
are disclosed to the subsidiary data center in a transmittal letter that
accompanies the report of examination to the TSP. Ratings are not reported
in the open section of the MDPS ROE; however, they are included in the
administrative section, which is not provided to serviced financial institutions.
The AIC of the MDPS examination should notify other FFIEC agencies’
supervisory offices prior to issuing URSIT composite ratings of 3, 4,
or 5, or engaging in informal or formal enforcement actions.

RECOMMENDATIONS
At the end of the examination, the MDPS EIC will provide recommendations
to the AIC’s supervisory office on resource requirements and the
scope of subsequent examinations. These recommendations will assist in
planning future MDPS examinations.

DISTRIBUTION
The AIC’s headquarters office is responsible for distributing the
final MDPS ROE to the TSP. The EIC will send the MDPS consolidated ROE
to the appropriate supervisory office within his/her agency for review
and approval before its distribution, as defined by his/her agency’s
procedures. The MDPS board of directors receives the open section of the
final ROE. The ROE is also routed to the FFIEC IT subcommittee members
for their distribution to their respective regulated, serviced financial
institutions. Serviced institutions should only receive those portions
of the report applicable to the services they receive. Some agencies’
policies also call for further distribution to appropriate state supervisory
agencies.