Banking & Finance Law Report

Tag Archives: FFIEC

Financial Regulators Release Guidance Regarding Technology Service Providers

Financial institution executives with responsibility for the management of the technology of their financial institutions or their institution’s relationship with technology service providers (TSPs) should become familiar with the updated guidance regarding supervision of TSPs by financial institutions that was issued on October 31, 2012 by various federal banking regulatory agencies.  The issuance updates material that is nearly ten years old.

The Federal Financial Institutions Examination Council (FFIEC) released a revised Supervision of Technology Service Providers booklet (TSP Booklet), part of the FFIEC Information Technology Examination Handbook (IT Handbook). The FFIEC exists to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The TSP Booklet describes federal financial institution regulatory agencies’ statutory authority to supervise TSPs that contract with federally regulated financial institutions and provides guidance for these institutions and their examiners. The TSP Booklet, which replaces and rescinds a March 2003 booklet, emphasizes that the ultimate responsibility for the conduct of third-party service providers and their compliance with applicable law and regulation lies with a financial institution’s management and board of directors.

The TSP Booklet describes the federal Risk-Based Examination Priority Ranking Program (RB-EPRP) and the Uniform Rating System for Information Technology (URSIT) used in evaluating TSPs of financial institutions. …

FFIEC Statement on Outsourced Cloud Computing

Financial institutions should apply the same risk management strategies and considerations to outsourced "cloud computing" activities as are required with more traditional forms of outsourcing, according to a statement issued July 10th by the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC’s statement explains that while there is no universal definition of "cloud computing," it generally involves a migration from owned resources to shared resources, through which a user can access and receive information technology services on demand from third-parties via the online "cloud." Cloud computing can be used to provide infrastructure, computing platforms, and software, and a cloud may be operated privately by one organization, as a community cloud shared by several organizations, as a public cloud available to any paying customer, or as a hybrid combination of two or more private, community or public clouds.

Although a financial institution’s use of outsourced cloud computing can have many potential benefits, such as cost reduction, flexibility and speed, the FFIEC statement indicates that the fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook (IT Handbook), particularly the Outsourcing Technology Services Booklet (Outsourcing Booklet), are as applicable to cloud computing as to other forms of …
