Tuesday, April 23, 2019

FFIEC issues revised “Supervision of Technology Service Providers” booklet

Posted by OnCourse Staff December 31, 1969 7:00pm

Photo Credit: adamr

Source: Office of the Comptroller of the Currency

 The Federal Financial Institutions Examination Council (FFIEC) issued a revised “Supervision of Technology Service Providers” booklet (TSP booklet), which is one of the booklets in the FFIEC Information Technology Examination Handbook (IT Handbook). Concurrently, the Board of Governors of the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued new “Administrative Guidelines - Implementation of Interagency Programs for the Supervision of Technology Service Providers” (Guidelines).

The TSP booklet replaces the version issued in March 2003 and rescinds Supervisory Policy 1 (Examining Circular 261), “Interagency EDP Examination, Scheduling, and Distribution Policy,” September 1991 (Revised), and Supervisory Policy 11 (OCC Bulletin 1995-5), “Enhanced Supervision Program for Multidistrict Data Processing Servicers (MDPS),” January 1995.2

TSP Booklet

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, agencies) have statutory authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions.3 The revised TSP booklet addresses this authority, outlines the agencies’ risk-based supervisory program, and includes an appendix with the Uniform Rating System for Information Technology, which the agencies use to assess regulated financial institutions and their Technology Service Providers (TSP).

A financial institution’s use of a TSP to provide needed products and services does not diminish, but rather often makes more critical, the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.

While examinations of TSPs generally focus on underlying IT risk, the risk assessment process also considers business-line risk rankings to ensure that all covered services are effectively included. The agencies expect financial institutions to have in place a comprehensive, enterprise-wide risk management process that addresses vendor management for relationships with TSPs. The risk management process should include risk assessments and due diligence for the selection of TSPs, contract development, and ongoing monitoring of all TSPs’ performance.4 Outsourced activities are subject to the same risk management, security, privacy, and other internal controls and policies that a financial institution would follow if it were to perform the activities in-house.

The agencies conduct IT-related examinations of financial institutions and their TSPs based on the guidelines contained in the IT Handbook. The IT Handbook comprises several booklets that address governance of risks expected of financial institutions and their TSPs as well as detailed examination procedures: “Audit,” “Business Continuity Planning,” “Development and Acquisition,” “Electronic Banking,” “Information Security,” “Management,” “Operations,” “Outsourcing Technology Services,” “Retail Payment Systems,” “Supervision of Technology Service Providers,” and “Wholesale Payment Systems.” Managers of financial institutions and TSPs should be aware of the guidance described in the IT Handbook.


Although closely related to the TSP booklet, the Guidelines are not part of the IT Handbook. The Guidelines document is new and describes the process the agencies follow to implement the interagency supervisory programs.5 The Guidelines include the reporting templates that examiners use throughout the supervisory cycle of a TSP. The primary audience for these Guidelines is the agencies’ management and field examiners. The agencies will revise the Guidelines as needed.

As indicated in the attached FFIEC news release, electronic versions of the IT Handbook and the Guidelines are available at http://ithandbook.ffiec.gov/


Add a comment

  • Required fields are marked with *.

If you have trouble reading the code, click on the code itself to generate a new random code.


OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment

OnCourse Staff's Posts Subscribe to RSS Feed

Training – An Investment and Risk Management Tool
Are You Gambling with Your BSA Program?
Does your 401(k) Plan need an Audit?
Same Day ACH Credits – Phase One
Is the IRS Status of your Defined Benefit plan in Jeopardy?
Is your Institution Monitoring Working Capital Lines of Credit?
Financial Reporting and Regulatory Update on the Horizon
Planning in a Consolidating Banking Industry
To opt-out or not to opt-out, that is the question – A reminder on March 31, 2015 Call Report, Schedule RC-R, item 3.a
Cybercriminals Broaden their Attacks in Social Networks
The Importance of Segregating a Bank’s Credit Function from its Lending Function
Requesting Current Financial Information
Countdown to Windows XP End of Life and Support: Are you still at Risk?
314(b) Distinct Advantages for Financial Institutions
Where is the Document?
Do You Know The Security Features of the New $100 Bill?
Segregation of Duties for Wire Transfer Processing
Community Banks Slowly Warm Up to Private Student Loans
Has your Bank updated the Adverse Action Notice?
How Does Your Bank Handle Customer Requested Maintenance Changes?
OCC Releases Booklet on "Common Sense" Community Banking
New SAR Filing Updates
The Importance of BSA Training
FFIEC Proposed Risk Management Guidance on Social Media: Beware and Prepare
Pandemic Preparedness: Are you testing your Pandemic Plan?
FFIEC issues revised “Supervision of Technology Service Providers” booklet
Is Your Institution's Marketing UDAAP Compliant?
Electronic Work Papers - Why P&G Made the Switch
Community Lenders Seize Market Share From Big Banks by Using Advanced Online Lending Technology
New FinCEN Guidance for CTR Aggregation for Businesses with Common Ownership (FIN – 2012 –G001)
Curry: Operational Risk Now OCC’s Top Concern
JOBS Act Client Alert - Rules 506 of Regulation D
Wall Street Receives Volcker Rule Clarity
De-stressing with stress testing
Banks Participate in Information Sharing to Battle Online Theft
IT security: Is your program still effective?
Mobile banking: How do we get there?
UBS further struggles with $2 Billion loss by Rogue Trader
Capital One Becomes Dodd-Frank Test as Nation’s Fifth Largest Bank
Community Banks to receive US Funding for Small Businesses
FDIC fields questions about overdraft guidance
Negligent Hiring – A mistake can cost more than just money!
From Embezzlement to Imprisonment: Former Citigroup employee faces charges with $19.2 million in bank fraud
Finding the Right Hire
Model behavior: Is your ALM model capturing your bank’s risks?
ALLL best practices: Pay attention to qualitative factors
Abandoned Property Law, and its new New York State of Mind
FDIC releases Provisions on Dodd-Frank to help Community Banks
Social Media in the Employment Arena – It Gets Funky!
Banks and Businesses get "swiped" over Fees
A little bit of this, and a little bit of that: Fed Unveils list of Banks Helped during Financial Crisis of 2008
To Test or Not to Test; That is the Question
2011 Failed Bank List Hits 25
Committee on Financial Services to Hold Hearing on the Effects of Dodd-Frank on Small Biz and Banks Today
2011 Failed Bank List up to 18
The Test Drive: Leasing or Buying a HR IT Platform
Double Digits: Bank Closings up to 11 in 2011
FCIC Releases Report on the Causes of the Financial Crisis
Another One Bites the Dust: Regulators Close 4 Banks
On Notice: FDIC Issues Rule for Temp Unlimited Deposit Insurance
2011 Failed Bank List Up to 3
Stick 'Em Up!
Time for a Tune-Up: The Necessity of a HR Audit
Visa Instituting Two-Tiered Debit Card Interchange Structure
The First Failed Banks of 2011
The Law on Your Side: Understanding HR Regulations in 2011
No Respite from RESPA