OCC Bulletin 2012-34 | October 31, 2012
Supervision of Technology Service Providers: FFIEC IT Examination Handbook Booklet Revision and Administrative Guidelines for Interagency Supervisory Programs
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC)[1] today issued a revised “Supervision of Technology Service Providers” booklet (TSP booklet), which is one of the booklets in the FFIEC Information Technology Examination Handbook (IT Handbook). Concurrently, the Board of Governors of the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued new “Administrative Guidelines - Implementation of Interagency Programs for the Supervision of Technology Service Providers” (Guidelines).
The TSP booklet replaces the version issued in March 2003 and rescinds Supervisory Policy 1 (Examining Circular 261), “Interagency EDP Examination, Scheduling, and Distribution Policy,” September 1991 (Revised), and Supervisory Policy 11 (OCC Bulletin 1995-5), “Enhanced Supervision Program for Multidistrict Data Processing Servicers (MDPS),” January 1995.[2]
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, agencies) have statutory authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions.[3] The revised TSP booklet addresses this authority, outlines the agencies’ risk-based supervisory program, and includes an appendix with the Uniform Rating System for Information Technology, which the agencies use to assess regulated financial institutions and their Technology Service Providers (TSP).
A financial institution’s use of a TSP to provide needed products and services does not diminish, but rather often makes more critical, the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
While examinations of TSPs generally focus on underlying IT risk, the risk assessment process also considers business-line risk rankings to ensure that all covered services are effectively included. The agencies expect financial institutions to have in place a comprehensive, enterprise-wide risk management process that addresses vendor management for relationships with TSPs. The risk management process should include risk assessments and due diligence for the selection of TSPs, contract development, and ongoing monitoring of all TSPs’ performance.[4] Outsourced activities are subject to the same risk management, security, privacy, and other internal controls and policies that a financial institution would follow if it were to perform the activities in-house.
The agencies conduct IT-related examinations of financial institutions and their TSPs based on the guidelines contained in the IT Handbook. The IT Handbook comprises several booklets that address governance of risks expected of financial institutions and their TSPs as well as detailed examination procedures: “Audit,” “Business Continuity Planning,” “Development and Acquisition,” “Electronic Banking,” “Information Security,” “Management,” “Operations,” “Outsourcing Technology Services,” “Retail Payment Systems,” “Supervision of Technology Service Providers,” and “Wholesale Payment Systems.” Managers of financial institutions and TSPs should be aware of the guidance described in the IT Handbook.
Although closely related to the TSP booklet, the Guidelines are not part of the IT Handbook. The Guidelines document is new and describes the process the agencies follow to implement the interagency supervisory programs.[5] The Guidelines include the reporting templates that examiners use throughout the supervisory cycle of a TSP. The primary audience for these Guidelines is the agencies’ management and field examiners. The agencies will revise the Guidelines as needed.
As indicated in the attached FFIEC news release, electronic versions of the IT Handbook and the Guidelines are available at http://ithandbook.ffiec.gov/.
Questions regarding these documents should be directed to the OCC Bank Information Technology Division at (202) 649-6340.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk
[1] The FFIEC members include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the State Liaison Committee, and the Consumer Financial Protection Bureau.
[4] Additional information on appropriate due diligence and oversight of outsourced technology services and third-party relationships can be found in the “Outsourcing Technology Services” booklet of the IT Handbook.