The Federal Financial Institutions Examination Council (“FFIEC”) has issued an updated Supervision of Technology Service Providers Booklet that provides guidance to examiners, financial institutions, and technology service providers on the supervision of technology service providers. The revised booklet released on October 31 is part of the FFIEC Information Technology Examination Handbook. Concurrently, the federal banking agencies issued related guidance entitled Administrative Guidelines - Implementation of Interagency Programs for the Supervision of Technology Service Providers. The booklet addresses the federal banking agencies’ statutory authority to supervise third-party service providers that enter into contractual arrangements with regulated financial institutions. The booklet outlines the agencies’ risk-based supervisory program and emphasizes that a financial institution’s management and board of directors have the ultimate responsibility for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. The guidelines describe the process that the agencies follow to implement the interagency supervisory programs and include the reporting templates examiners use.
Nutter Notes: Federal bank examiners are required to follow the Risk-Based Examination Priority Ranking Program to determine the overall level of risk that technology service providers present to their client financial institutions, and to prioritize and establish the frequency of technology service provider examinations. One of the supervisory goals of a technology service provider examination is to communicate findings, recommendations, and corrective actions to the client financial institutions. Federal examiners also are required to use the Uniform Rating System for Information Technology to evaluate a financial institution’s or a technology service provider’s overall risk exposure and risk management performance and to determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed. The revised booklet includes an appendix describing the rating system. The FFIEC also discusses managing outsourced relationships in its Outsourcing Technology Services Booklet, which has also been updated. The Outsourcing Technology Services Booklet details the engagement criteria and examination procedures a financial institution should use when outsourcing information security management to a third-party service provider.