Financial institution executives with responsibility for the management of the technology of their financial institutions or their institution’s relationship with technology service providers (TSPs) should become familiar with the updated guidance regarding supervision of TSPs by financial institutions that was issued on October 31, 2012 by various federal banking regulatory agencies. The issuance updates material that is nearly ten years old.
The Federal Financial Institutions Examination Council (FFIEC) released a revised Supervision of Technology Service Providers booklet (TSP Booklet), part of the FFIEC Information Technology Examination Handboot (IT Handbook). The FFIEC exists to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The TSP Booklet describes federal financial institution regulatory agencies’ statutory authority to supervise TSPs that contract with federally regulated financial institutions and provides guidance for these institutions and their examiners. The TSP Booklet, which replaces and rescinds a March 2003 booklet, emphasizes that the ultimate responsibility for the conduct of third-party service providers and their compliance with applicable law and regulation lies with a financial institution’s management and board of directors.
The TSP Booklet describes the federal Risk Based-Examination Priority Ranking Program (RB-EPRP) and the Uniform Rating System for Information Technology (URSIT) used in evaluating TSPs of financial institutions. The RB-EPRP utilizes a risk-based approach to determine the examination priority of TSPs, while the URSIT is used to consistently assess and rate IT-related risks of financial institutions and their TSPs.
Concurrently with the TSP Booklet, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance …