Booklet: Supervision of Technology Service Providers
Section:
Appendix B: Examination Priority Ranking Sheet
I. Agency-In-Charge:

FDIC _________   FRB _________   NCUA _________   OCC _________   OTS _________

Agency Representative: ____________________________   Phone: ____________________________

Location (Office): ____________________________   Email: ____________________________
 
II. Technology Service Provider Name: _________________________________________________________________

Corporate Address: _________________________________________________________________
 
III. Business Line Risk Ranking:   Higher _________   Average _________   Lower _________

Business Lines: (Check ALL that apply)

Higher Risk:
_________ Asset Management Processing
_________ Clearing and Settlement
_________ Core Bank Processing
_________ Corporate Electronic Banking/Cash Management
_________ Disaster Recovery Services
_________ Wholesale Payments

Average Risk:
_________ ACH Processing
_________ Aggregation & Other Emerging Technologies
_________ ATM/POS Processing and Switching
_________ Asset/Liability Management
_________ Credit Card Merchant Processing
_________ Credit Card Network/Switching
_________ Credit Scoring
_________ Employee Benefit Account Processing
_________ Loan and Mortgage Processing
_________ Investment Processing
_________ Retail Electronic Banking/Transactional Web Site Hosting

Lower Risk:
_________ Bill Payment Services
_________ Check Processing
_________ Credit Card Issuance
_________ Imaging and Electronic Safekeeping
_________ Web Site Hosting (informational)
 
IV. TSP Risk Category:   Higher _________   Average _________   Lower _________

Risk Factors: (Select only ONE, Higher, Average, or Lower for each Factor)

Factor 1
  Higher Risk:  _________ Large client base (250 or more supervised financial institutions, or based on other measures, e.g., aggregate client assets affected, transaction volume).
  Average Risk: _________ Moderate-sized client base (at least 25 but not more than 249 supervised financial institutions, or based on other measures, e.g., aggregate assets affected; transaction volume).
  Lower Risk:   _________ Small client base (less than 25 supervised financial institutions, or based on other measures, e.g., aggregate client assets affected; transaction volume).
  NA*:          _________

Factor 2
  Higher Risk:  _________ Company rated URSIT 3, 4, or 5 at last examination.
  Average Risk: _________ Company rated URSIT 2 at last examination.
  Lower Risk:   _________ Company rated URSIT 1 at last examination.
  NA*:          _________

Factor 3
  Higher Risk:  _________ Client institutions do not provide effective oversight; SAS 70 reports and other audit reviews are not comprehensive.
  Average Risk: _________ Client institutions provide limited oversight; SAS 70 reports and audits cover most areas.
  Lower Risk:   _________ Client institutions provide effective oversight; SAS 70 reports and other audit reviews are comprehensive.
  NA*:          _________

Factor 4
  Higher Risk:  _________ Company is using new or untested technology or products. Company is undergoing significant organizational change.
  Average Risk: _________ Company is using stable technology and products but implements significant upgrades. Company has minimal organizational changes.
  Lower Risk:   _________ Company is using stable technology and products. Company has stable organizational structure.
  NA*:          _________

Factor 5
  Higher Risk:  _________ Client institutions or their examiners have reported problems or concerns that require supervisory follow-up.
  Average Risk: _________ Client institutions or their examiners have reported minimal problems or concerns that require supervisory follow-up.
  Lower Risk:   _________ Client institutions or their examiners have reported no problems or concerns that require supervisory follow-up.
  NA*:          _________

* If NA, briefly explain in comment section below.

4/25/02
 
V. AIC’s Recommended Examination Priority:   A _________   B _________   C _________   NA* _________

Examination Priority (by Service Provider Risk and Business Line Risk):

                          Business Line Risk
Service Provider Risk     Higher     Average     Lower
Higher                    A          A           B
Average                   A          B           C
Lower                     B          C           C

*Not Applicable ranking refers to a service provider not warranting interagency examination - Not all service providers have to be ranked A, B, or C.

Recommend for MDPS Program: Yes _________ No _________ (If yes, provide support for recommendation in comment section below)
 
VI. Agency Agreement on Examination Priority:   Yes _________   No* _________
* If NO, explain in comment section below.

Agency: Include name and phone # of agency representative                                    Ranking
FDIC: ___________________________________________________________________________ ______________
FRB: ___________________________________________________________________________ ______________
OCC: ___________________________________________________________________________ ______________
OTS: ___________________________________________________________________________ ______________
NCUA: ___________________________________________________________________________ ______________
 

VII. Comments:


SUMMARY OF SUPERVISORY APPROACH

Exam Priority A
  On-Site Examinations: Interagency on-site examinations should be conducted at least every 24 months sufficient to establish or confirm URSIT ratings and determine appropriate off-site monitoring strategy.
  Off-Site/Informal Monitoring: Regular off-site or informal reviews (generally at least once between examinations) to confirm the risk ratings and assigned examination priority and maintain ongoing communication with the service provider. Reviews should focus on identifying significant changes in management and risk management, in the quantity of inherent risk to supervised financial institutions, or in products or services affecting financial institutions, and following up on any issues or concerns.
  Other: Regular review of monitoring and oversight by client institutions and user groups. A concise product/service review document will be provided (or updated) annually for internal use by regulatory examiners in assessing controls in place at client institutions.

Exam Priority B
  On-Site Examinations: Interagency on-site examinations should be conducted at least every 36 months sufficient to establish or confirm URSIT ratings and determine appropriate off-site monitoring strategy. Discussions with company management, limited scope visits, reviews of significant product and service issues, or other alternative supervisory strategies can satisfy the on-site supervision requirement.
  Off-Site/Informal Monitoring: Same as above for Priority A.
  Other: Same as above for Priority A.

Exam Priority C
  On-Site Examinations: Infrequent on-site examinations. For example, the supervisory strategy may call for an initial on-site visitation or limited scope examination.
  Off-Site/Informal Monitoring: Periodic (generally at least every 18 months) off-site or informal reviews to confirm the risk ratings and assigned examination priority and obtain information for product/service review documents. Reviews should focus on identifying significant changes in management and risk management, in the quantity of inherent risk to financial institutions, or in products or services affecting financial institutions, and following up on any issues or concerns.
  Other: Same as above for Priority A. Product/service review document may be combined with off-site/informal review documentation.
 

GENERAL INSTRUCTIONS FOR COMPLETING EXAMINATION PRIORITY RANKING SHEETS:

Only one “Examination Priority Ranking Sheet” (EPR) should be completed for each TSP, even if the TSP has multiple processing sites. Although risk levels at individual processing sites may vary, the EPR should reflect the aggregate risk posed by the company’s activities.

The Agency-In-Charge (AIC) will coordinate the risk ranking of each TSP under its supervision. The EPR ranking form should not be modified or edited in any way.

At the conclusion of each examination the AIC is responsible for:

- Completing Sections I through V of the EPR for each TSP.
  - Section III Business Line Risk Ranking—If a business line is checked in more than one risk ranking category, the AIC should assess all of the business lines and risks together before arriving at an overall Business Line Risk Rank.
  - Section IV Service Provider Risk Category—If factors are selected from more than one risk-ranking category, the AIC should assess all of the risks before arriving at an overall “Service Provider Risk.” Rating one risk factor “Higher Risk” does not automatically result in the TSP having an overall “Higher Risk” rank.
- Distributing copies of the completed EPR to its counterparts at the other FFIEC agencies.
- Collecting from its counterparts the EPRs indicating agency agreement/disagreement, consolidating the findings under Section VI, and resolving any priority disagreements to the extent possible. The AIC should retain all documentation supporting the priority designation and agency agreement/disagreement. The FFIEC IT subcommittee may request submission of the supporting documentation on a random basis or in instances of agency disagreement.
- Documenting the basis for the disagreement in the comment section (Section VII) for those rare occasions when a resolution cannot be reached.
- Forwarding the completed EPR to the other agencies’ representatives.

Agency representatives receiving an EPR from the AIC are responsible for:

- Reviewing Sections I through V;
- Completing Sections VI and VII as applicable;
- Returning the completed form to the AIC by the requested response date; and
- Retaining a copy for their records.