Federal Financial Institutions Examination Council

EDP Interagency Examination, Scheduling and Distribution Policy

Purpose

This policy provides for joint examinations of data centers providing services to insured institutions supervised by more than one federal regulatory agency. It is expected to eliminate the need for separate examinations of data processors by more than one federal financial institution regulator and to result in more efficient use of examiner resources. This policy supersedes the previously issued interagency EDP examination policy, including the Multiregional Data Processing Servicers policy.

I. Examination Responsibility

Examination responsibility is determined based on the class/type of servicer as well as the class/type of insured financial institution(s) being serviced.

A. Insured Institutions

Data centers operated by an insured financial institution or its subsidiary will be examined by the federal regulatory agency responsible for the institution.

B. Financial Institution Holding Companies

Data centers operated by a holding company or its affiliate which service only one class of insured financial institution will be examined by the federal regulatory agency responsible for that class of institution.

Data centers operated by a holding company or its affiliate which service more than one class of insured financial institution will be examined jointly, or on a rotated basis, as agreed to by the federal regulatory agencies responsible for that class of institution.

Data centers operated by a holding company which controls only one insured financial institution, or its affiliate, will be examined by the federal regulatory agency responsible for the institution.

C. Independent Data Centers

Responsibility for the examination of independent data centers will be based on the class of insured financial institution being serviced.
If more than one class of insured institution is serviced, the examination will be conducted jointly, or on a rotated basis, as agreed to by the federal regulatory agencies responsible for that class of institution.

D. Financial Institution Service Corporation

Responsibility for the examination of service corporations will be based on the class of insured financial institution being serviced.

E. Multiregional Data Processing Servicers (MDPS)

MDPS examinations are to be conducted on a joint basis by the federal agencies having responsibility for the class of institution serviced. MDPS examinations will be administered by the FFIEC EDP Subcommittee of the Task Force on Supervision in Washington, D.C. The EDP subcommittee will determine the data centers subject to examination under the MDPS program. Generally, an organization will be considered for examination under the MDPS program provided: the organization processes major applications for a large number of insured financial institutions, thereby posing a high degree of systemic risk; or the organization processes work from a number of data centers located in diverse geographic regions.

No federal regulatory agency is precluded from conducting an independent examination of any data center that is providing data processing services to an insured financial institution for which the agency is responsible or where an agency has regulatory responsibility for holding company data centers.

II. Scheduling

Scheduling of joint/rotated EDP examinations and issuance of the EDP Report of Examination will be handled at the regional/district level. However, the examination of data centers under the MDPS program will be administered at the national level. A list of regions and contact personnel will be forwarded under separate cover and will be revised as appropriate.

A. Joint and Rotated Examinations

Regional/district representatives should meet annually (as early in the scheduling cycle as possible, but no later than December 1) to arrange for upcoming examinations and ensure that all data centers are examined in accordance with existing agency guidelines. As regional/district boundaries vary, it may be necessary for an agency to send representatives from more than one regional/district office to attend the scheduling meeting. Conversely, a representative may be required to attend more than one meeting. State agencies interested in participating in joint examinations may be invited to these meetings as deemed appropriate.

The meeting should identify all data centers, except for MDPS. Examinations of these data centers are to be conducted jointly and examination schedules agreed upon by participating agencies. If an agency cannot complete its schedule as agreed, it shall promptly notify the appropriate agencies so that alternative arrangements can be made.

When joint examinations cannot be scheduled, one agency will be designated to perform the examination on behalf of all concerned agencies. In these situations, examination responsibilities will be rotated for two-year periods. However, when the data center's overall condition is determined to be less than satisfactory, subsequent examinations should be conducted on a joint basis until the data center's overall condition is satisfactory as defined in the EDP Examination Handbook policy statement SP-2: Uniform Interagency Rating System For Data Processing Operations.

The regional examination schedule should establish: the data centers to be examined; the date, time and agency responsible for any rotated or joint examinations; and the agency responsible for authoring and processing the examination report.

B. Multiregional Data Processing Servicers

Scheduling of MDPS examinations will be the responsibility of the FFIEC EDP Subcommittee of the Task Force on Supervision.
By September 30 of each year, the EDP Subcommittee will prepare and publish an annual schedule for MDPS examinations designating the data center, the date of examination and the lead agency. This schedule will be distributed by the EDP Subcommittee agency representatives to their regional/district offices as soon as practical. An agency will be in charge of no more than two consecutive MDPS examinations.

Institutions with a composite rating of 1 or 2 will be subject to a full examination on a 24 month examination cycle, 3 rated institutions should be examined at an 18 month cycle and those institutions rated 4 or 5 at a 12 month cycle. The ongoing condition of MDPS should be monitored between examinations through periodic visitations and progress reports, as appropriate.

The lead agency is responsible for conducting a pre-examination review to determine: the scope of the examination, resource requirements, schedule of events and procedures to be followed during the course of the examination. At minimum this pre-examination report should provide details on the organization's: corporate history, corporate and organizational structure, scope of the upcoming examination, data centers included in the examination and examiner requirements. The pre-examination report should be forwarded to the Washington, D.C. office of the lead agency at least 60 days prior to the commencement of the MDPS examination.

Examinations of individual data centers or processing sites may commence prior to the start of the headquarters examination if more than one facility is involved. However, these time frames must be approved by the lead agency.

III. Report Preparation

A. Joint Examinations

Responsibilities will be divided among the EDP examiners assigned to the examination. When preparing joint examination reports, the participating agencies are required to reach agreement on the report comments.
In rare instances when agreement cannot be reached at the regional level, the differences should be appealed to the Washington office of the participating agencies for final resolution. The processing of the final Report of Examination (FFIEC 007) is the responsibility of the authoring agency. All changes made to the joint report in the course of its processing should be approved by the regional staffs of the agencies participating in the examination.

B. MDPS Examinations

Only one consolidated Report of Examination will be prepared by the lead agency. The objective is to give the overall view of the organization, not each individual data center comprising the Multiregional Data Processing Servicer. However, the relative strength of each facility should be evaluated. In some instances it may be necessary to issue a specific data center report, although such action would be taken at the discretion of the EIC and the lead agency's Washington office.

IV. Report Distribution Policies and Procedures

A. Joint Examinations

The lead agency is responsible for providing each affected federal and state banking agency with a copy of the completed report, including the Administrative Section. (A complete list of all serviced financial institutions, by charter, should be included in this section as well.) Each agency is responsible for reproducing the report comments and distributing them to serviced institutions in accordance with the provisions below. A transmittal letter will be used to advise each recipient that the comments are for their internal use only, are not to be construed to satisfy audit requirements and remain the confidential property of the lead agency. A written receipt will be obtained from each recipient.

In all instances, examination reports should be distributed to the board of directors of the examined data center.
Where the data center is a subsidiary of a holding company, the report should be forwarded to the board of directors of the data center, where applicable, or otherwise senior management of the data center and to the board of directors of the holding company. In the case of a service corporation, a copy should be forwarded to the corporation's board of directors as well as to the board of directors of each financial institution owning stock in the corporation. Independent Service Bureau reports should be directed to the board of directors or senior management of the servicer. If the independent service bureau is a branch of a multi-branch servicing organization, an additional copy should be forwarded to the board of directors at the corporate headquarters.

Distribution of examination reports to serviced institutions for joint examinations will be at the discretion of the federal regulatory agency responsible for regulating the institution serviced, except for data centers rated composite 4 or 5, which must be distributed to all insured serviced institutions. Where an examination report is to be distributed by a participating agency, the lead agency must be so notified prior to transmitting the examination report.

When an examination report is requested by a serviced financial institution, only the examiner's conclusions, recommendations and comments are to be transmitted to the serviced institutions. Matters of a proprietary or competitive nature relating to the servicer will be excluded from the report comments prepared for distribution to serviced institutions, but will be contained in the report provided to the servicer and the other federal agencies.

In cases where the servicer fails to respond to corrective action requests, it may be necessary to report the uncorrected deficiencies to the serviced institutions.
In these situations, the regulatory agencies of all serviced institutions must be in agreement regarding the need for this course of action and must meet with the servicer to convey this intent.

The FFIEC interagency procedures do not affect existing distribution agreements with state agencies. However, no state agency shall distribute examination reports to any serviced institution without the express consent of the lead agency. Only the agency conducting the examination will provide nonparticipating state authorities copies of the report. In the case of joint examinations, participation by state agencies and report distribution to those state agencies will be decided on an individual basis at the district/regional level by the participating federal agencies.

B. MDPS Examinations

The consolidated report of examination should be sent to the Washington office of the lead agency and to the board of directors of the data servicer. The lead agency's Washington office is to provide a copy of the report to the other FFIEC EDP Subcommittee members for distribution to the respective agency regional/district offices. The agency in charge is responsible for sending a copy of the report to the appropriate state supervisory agencies. Excluding the provisions noted above, distribution of MDPS reports should otherwise be in accordance with the provisions governing the distribution of joint interagency examinations.