Financial institution executives with responsibility for the management of the technology of their financial institutions or their institution’s relationship with technology service providers (TSPs) should become familiar with the updated guidance regarding supervision of TSPs by financial institutions that was issued on October 31, 2012 by various federal banking regulatory agencies.  The issuance updates material that is nearly ten years old.

The Federal Financial Institutions Examination Council (FFIEC) released a revised Supervision of Technology Service Providers booklet (TSP Booklet), part of the FFIEC Information Technology Examination Handboot (IT Handbook).  The FFIEC exists to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions.  The TSP Booklet describes federal financial institution regulatory agencies’ statutory authority to supervise TSPs that contract with federally regulated financial institutions and provides guidance for these institutions and their examiners.  The TSP Booklet, which replaces and rescinds a March 2003 booklet, emphasizes that the ultimate responsibility for the conduct of third-party service providers and their compliance with applicable law and regulation lies with a financial institution’s management and board of directors.

The TSP Booklet describes the federal Risk Based-Examination Priority Ranking Program (RB-EPRP) and the Uniform Rating System for Information Technology (URSIT) used in evaluating TSPs of financial institutions. The RB-EPRP utilizes a risk-based approach to determine the examination priority of TSPs, while the URSIT is used to consistently assess and rate IT-related risks of financial institutions and their TSPs.

Concurrently with the TSP Booklet, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency jointly released, Administrative Guidelines for the Implementation of the Interagency Program for the Supervision of Technology Service Providers (Guidelines), detailing the processes federal agencies follow to implement interagency supervisory programs and including reporting templates for examiners to use in their supervision. While the TSP Booklet provides useful guidance to financial institutions, the Guidelines are more tailored to agency managers and field examiners.

Financial institutions and TSPs must be cognizant of the risks, laws, regulations and agency guidance implicated in the outsourcing of technology services by financial institutions to third-party TSPs. Furthermore, financial institution technology outsourcing arrangements should be carefully set forth in written contracts and thoroughly reviewed by qualified legal counsel.