Vendor Risk, The TSP Booklet, and the ROE
When you perform due diligence on technology service providers, do you ask them if they are in the FFIEC Examination Program? If not, you are missing an important third-party assurance opportunity. How many times have you wondered whether the SSAE-16 SOC1/SOC2 reports are really doing the job? Have you ever wished you could see the results of your vendors’ Penetration Test reports?
What if you could find a way that will help you more effectively manage one of the greatest risk exposures in your bank: your vendors?
The FFIEC’s ROE: an Effective Due Diligence Tool!
If you haven’t already heard, the FFIEC issued a Halloween revision of the infamous “TSP Booklet,” more formally called the Supervision of Technology Service Providers Booklet. This article attempts to concisely describe the important points of the TSP Booklet.
The TSP Booklet stresses that a financial institution’s board of directors and management have the ultimate responsibility for ensuring outsourced activities are properly managed. Though the TSP Booklet describes procedures for examining your vendors, not you, we believe you should still be familiar with this process so that you understand the value of reviewing and questioning your vendors’ examination report, more formally called the ROE, or Report of Examination.
Technology Service Providers that have access to bank networks, or that possess (host) NPI owned by banks, are now being examined by the FFIEC. For example, as a Managed Security Service Provider, we at infotex are examined every two years. These examinations are usually inter-agency examinations, meaning that representatives from several agencies are involved in the examination. The examinations cover four categories: 1) Audit, 2) Management, 3) Development and Acquisition, and 4) Support and Delivery. These are robust examinations: the examiners pore through policies and procedures, network designs, penetration test reports, social engineering reports, awareness training documentation, etc. They interview employees to verify that the policies are actually enforced. You can’t fake your way through one of these examinations!
The TSP Booklet provides guidance for examiners and financial institutions on the supervision of technology service providers, including examiners’ authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions. Thus the booklet is the framework used for TSP examinations. It supplements the IT Handbook, which examiners use as the framework for auditing banks. However, the IT Handbook does not always apply to TSPs. (For example, the IT Handbook addresses risk in proprietary bank systems, products, and services that most TSPs do not offer.)
Additionally, the TSP Booklet outlines a Risk-Based Examination Priority Ranking Program and includes an appendix describing the Uniform Rating System for Information Technology (URSIT), which the agencies also use for financial institutions. Though we believe an extremely important part of a bank’s vendor due diligence program should be to order your Technology Service Provider’s Report of Examination (ROE), which will highlight improvement areas and areas of risk, the report does NOT include component or composite ratings, and thus we do not see the need for bankers to understand the URSIT ratings from a vendor due diligence perspective. Still, since these ratings also apply to your own examinations, you may find this part of the TSP Booklet interesting, as it provides insight into how your own examination ratings are determined.
To us, the most important section of this booklet is the Risk-based Supervision section. This includes the identification and selection of TSPs warranting scrutiny as well as guidelines for the development of a risk-based supervisory strategy for these TSPs. This approach provides for examination coverage of selected TSPs, including core application processors, electronic funds transfer switches, Internet banking providers, item processors, managed security servicers, and data storage servicers. The examinations of TSPs focus on the following underlying risk issues that affect the client financial institutions or the institutions’ customers:
- Management of technology. The planning and oversight of technology resources and services, ensuring they support the strategic goals and objectives of the TSP and its serviced financial institutions.
- Integrity of data. The accuracy and reliability of automated information processes and associated management information systems.
- Confidentiality of information. The protection of information from intentional or inadvertent disclosure to unauthorized individuals.
- Availability of services. The resilience of the TSP, including effective disaster recovery, business continuity plans, and adherence to service-level agreements.
- Compliance. TSPs are expected to provide services to client financial institutions to help them comply with applicable laws, rules, regulations, and policies.
- Financial stability. The maintenance of sufficient capital and liquidity to support ongoing operations and the ability to generate profit to ensure future viability. Financial difficulties at the TSP can negatively affect the safe and sound operations of serviced financial institutions through deteriorating quality of service, reliability of service, or adequacy of controls.
As with examinations of financial institutions, examiners involved in a TSP examination rely upon third-party audits, internal testing, interviews of key management, and documentation in the form of policies and procedures, as well as evidence demonstrating the existence of controls. Since TSPs are not going to share internal audits, penetration test results, social engineering test results, etc. with their customers, having the FFIEC go into their facility and review these results on your behalf makes an excellent assurance tool. Because of this, we believe the Report of Examination makes an excellent supplement to the existing due diligence tools you use in your own vendor management process.