Booklet: Supervision of Technology Service Providers
Section: Appendix C: Report of Examination - Guidelines

GUIDELINES FOR COMPLETING
Each FFIEC agency may supplement the following guidelines with additional instructions. Examiners must complete all required pages.

SECTIONS OF ROE
The ROE will include a transmittal letter addressed to the board of directors. The rating assigned to the TSP is conveyed in this letter rather than in the body of the open section, so that the rating is not disclosed to, or discussed with, the serviced financial institutions. The lead agency designee should sign the transmittal letter.

The open section of the report should contain all significant matters. The open section is distributed to examined entities. FFIEC agencies may distribute the open section to serviced financial institutions receiving the services covered by the examination.

Examiners should reflect matters of a proprietary nature in the administrative section of the report. Examples of proprietary information include, but are not limited to, marketing plans, development plans, and certain contract terms. The administrative section is confidential and for regulatory agency use only.

OPEN SECTION—REQUIRED AND OPTIONAL PAGES
COVER PAGE (REQUIRED)
Interagency reports of examination should use the standard interagency cover page. Each agency has the option of using either its own cover page or the standard FFIEC cover page on its institution’s examinations.

TABLE OF CONTENTS (OPTIONAL)
The use of this page is at the discretion of the respective FFIEC agencies. If an agency decides to use this section, it should list the sections in the order of their appearance in the report.

EXAMINER’S CONCLUSIONS (REQUIRED)
Information should include:

• Scope and Objectives of the Examination—A description of areas examined and procedures employed.

• Summary of Major Findings—A general description of major examination findings. Examiners should present findings in the order of their importance. Examiners should include references to areas where they identified significant operational and procedural deficiencies or internal control weaknesses. Examiners should refer readers to the specific “Supporting Comments” page(s) for detailed descriptions of these findings and recommendations for corrective action.

  The last paragraph under this subheading should include a list of who attended meetings where examination findings were discussed. The list should be limited to those persons with broad responsibility for the major areas examined (i.e., IT audit, IT management, development and acquisition, and support and delivery). Senior management responsible for information systems operations should always be included.

  Examiners should direct comments in the summary section to the attention of the board of directors and senior management. Comments should be brief, non-technical, and limited to the most significant issues. Examiners should describe the findings in terms of the risk(s) presented and the potential effect on the serviced financial institutions and their customers.

• Conclusions—A summary of the overall condition of the information systems examined, including comments on the improvement or deterioration of the operation. Examiners should avoid single-word evaluations, such as “good,” “fair,” “poor,” “strong,” or “weak.” The summary should include, as appropriate, brief comments about past performance (with emphasis on effecting corrective measures), the seriousness of existing weaknesses, and future prospects for the information system. Information on any corrective action that management agreed to take should be included.

• Composite Rating—These remarks should document the performance evaluation of the entity. Following the numerical composite rating, the exact language for that rating, found in Appendix D, should be inserted so board members and management have a clear and common understanding of the examiner’s overall conclusions. Supporting comments should precede the composite rating in this section of the report. However, the rating and definition are not included in the open section of the reports on entities servicing other data centers and/or financial institutions.

• Signatures—The authoring examiner-in-charge (EIC) must sign the report at the bottom of the “Examiner’s Conclusions” page. Other signatures required by the authorizing agency should follow and include appropriate titles.

VIOLATIONS OF LAWS AND REGULATIONS (OPTIONAL)
Examiners should complete this page when they discover specific violations of laws or regulations. Examiners should cite the law or regulation violated followed by a brief description of the violation and management’s response/corrective measures.

SUPPORTING COMMENTS (REQUIRED)
This ROE section should include comments addressing operating and procedural deficiencies and internal control weaknesses identified during the examination. Detailed comments should support the findings cited in the “Examiner’s Conclusions” section. Supporting comments should be categorized within the URSIT component categories in the order of relative importance consistent with the “Examiner’s Conclusions” page.

Each URSIT component section (audit, management, development and acquisition, and support and delivery) should start with a summary supporting the rating assigned to that component. Comments should convey a clear assessment of the condition of each function. The actual numerical rating should not be included on the supporting comments pages, but should be included in the confidential section and on the “Examiner’s Conclusions” page if appropriate in accordance with the instructions for that page. Items deemed confidential in nature should be included only in the closed section of the report. Ratings justifications contained on the “Supporting Comments” page should not be duplicated in the confidential pages.

Comments for each deficiency should, at a minimum, include:

• A detailed description of the deficiency, identifying the risk to the organization and serviced financial institutions if not addressed by management;

• The examiner’s recommendation to address the deficiency;

• Management’s response and corrective action plan; and

• The examiner’s analysis of management’s response (if necessary).

The description of examination findings must be in terms of the risks they present and their effect on the organization and its financial institution customers.

Examiners should make every effort to obtain management’s commitment to a reasonable time frame for implementing corrective measures. Examiners should highlight and reinforce deficiencies noted in consecutive examinations. If a significant number of repeat deficiencies are noted, this information should be reported in the “Examiner’s Conclusions” section of the report and should be commented upon in the management section of the report.

Note: The “Supporting Comments” section should only contain substantive items. Examiners should discuss less significant items with management. If appropriate, examiners may list less significant items separately. That list should be provided to management and a copy retained in the work papers for the examination. Management’s responses should be noted on the list. If appropriate, the list can be referenced on the “Supporting Comments” pages or in the “Examiner’s Conclusions” section.

DIRECTORS’ SIGNATURE PAGE (REQUIRED)
This page should be included in all IT ROEs. Once the final ROE is returned to the directors, the transmittal letter sent by the supervisory agency should instruct them to fully review the IT ROE at a subsequent board of directors meeting. Once this review has occurred, the directors must sign and date the “Directors’ Signature Page” to attest that each of them has personally reviewed and understands the contents of the IT ROE.

ADMINISTRATIVE SECTION—REQUIRED AND OPTIONAL PAGES
This section should only contain matters that are considered inappropriate for disclosure in the open section of the examination report. In addition, financial data should be included for all TSPs. Basic information about the TSP, the type of examination, and the participating supervisory agencies should also be included in the administrative section. The “Type of Examination-Agency” subsection should indicate whether the examination is joint or rotated and the authoring agency identified by the appropriate abbreviation, (e.g., FDIC, FRB, NCUA, OCC, OTS). For multi-site examinations, examination hours reported in the corporate report should include the total time for all locations examined.

ADMINISTRATIVE REMARKS (REQUIRED)
These remarks should document the performance evaluation of the entity in accordance with the URSIT. For multi-site examinations, all subsidiary data center ratings should be included in this section and summarized. The numeric ratings and accompanying comments should include recommendations for follow-up action and any additional comments.

STATISTICAL DATA (REQUIRED)
This section should contain statistical information necessary to supervise the institution/TSP adequately and process the report. Examiners should request this information at or before the beginning of the examination. Instructions for completing these pages include:

• Applications—Present a list of the major applications processed by the TSP for itself and for serviced financial institutions that are federally insured. Examiners should number the applications sequentially (e.g., 1, 2, 3, 4) under the heading “Code.” The sequence number will serve as a key for the “Serviced Financial Institutions” portion. The “Application listing” should include the software package name, the name of the vendor, and the vendor’s location (city and state). The “Application” portion should indicate the processing mode(s) for each application listed:

  - Batch updating—Daily transaction activity accumulates offline. Master files are updated at the end of the processing cycle (usually daily).

  - Memo post/On-line updating—Transaction activity is posted throughout the day to a copy of the master files, as the institution deems appropriate, so that updated balances can be shown. Actual posting to accounts occurs via batch updating at the end of the processing cycle.

  - Real-time updating—Transactions are posted to the customer’s (master) file as they occur.

  Note: If appropriate, indicate the combinations of these processing modes.

• Serviced Financial Institutions—List names and locations of federally insured serviced financial institutions. The list must be grouped by regulatory category first, followed by state:

  - National banks

  - State member banks

  - State nonmember banks

  - Savings associations

  - Credit unions

  Note: This listing can either be included in the IT ROE or in a separate document. Examiners should identify applications processed in the right-hand columns, using the keys assigned in the application section.

• Other Servicing—Reflect the number of nonbank entities to which the TSP provides services and the types of processing performed for these organizations.

SYSTEM AND ORGANIZATION INFORMATION (REQUIRED)

• System Description—Provide details of the major hardware, software, and, if applicable, networking configurations used by the facility:

  - Hardware: At a minimum, specify the manufacturer, model numbers, and core storage (main memory) capacity of the mainframe used. Detail other information as appropriate or as required by the individual agencies.

  - Software: Indicate the primary programming languages used and the major sources of software (e.g., developed in-house, software packages, contract programmers). If purchased/licensed software packages are used, list the vendor(s).

  - Network: Indicate the general configuration of the system, specifying remote entry sites and free-standing satellite centers.

• Organizational Structure—Provide general staffing and examination contact information. The total number of employees may not necessarily be the sum of the numbers appearing in the spaces for development and acquisition and support and delivery personnel. Also, list the principal officers and managers responsible for the center’s operation by name, title, telephone number, and e-mail address. If the organization is a financial institution, provide total asset and deposit figures. If the organization is not a financial institution, the ownership portion of this section should reflect the name and type of the organization (if the owner is not a person). Types of organizations might include financial institution (bank, savings and loan, or credit union), financial institution or holding company subsidiary, bank service corporation, private corporation, joint venture, facilities management (specify the contracting financial institution), partnership, etc.

FINANCIAL DATA (REQUIRED FOR ALL TECHNOLOGY SERVICE PROVIDERS)
Examiners should complete this page for all TSPs that are not financial institutions. At a minimum, examiners should include data for the last three fiscal years.

Examiners should request and analyze audited financial statements. If they are not available, unaudited statements will be acceptable. Examiners should clearly note whether the statements analyzed are audited or unaudited. Examiners should reflect any interim financial statements they obtain on a separate page, footnoted to indicate that they are interim statements, and inserted behind the year-end statements. Examiners should note in their analysis any regulatory information (e.g., shared national credit rating) or industry information (e.g., Standard & Poor’s, Moody’s, or Moody’s KMV) that is available.

Examiners should summarize any significant financial statement footnotes on a blank insert page at the end of the financial data.

If the servicer is part of a regulated financial organization, the examiner should use existing regulatory financial and analytical information (CAMELS rating, BOPEC rating, etc.) in the review and analysis of the parent company.

Examiners should request and analyze consolidated and company financial statements of TSPs that are a subsidiary of a nonbank holding company or other nonfinancial corporation. Consolidated statements should be detailed on separate pages, footnoted to indicate they are consolidated statements, and inserted after the company year-end and interim statement.

ADDITIONAL INFORMATION (OPTIONAL)
Examiners may use this page to address specific requirements of the various regulatory agencies. Information included would be items such as the location of work papers.