Vendor Risk, The TSP Booklet, and the ROE

By Dan Hadaway | Friday, November 2, 2012 - One Comment

When you perform due diligence on technology service providers, do you ask them if they are in the FFIEC Examination Program?  If not, you are missing an important third-party assurance opportunity.  How many times have you wondered whether the SSAE-16 SOC1/SOC2 reports are really doing the job?  Have you ever wished you could see the results of your vendors’ Penetration Test reports?

What if you could find a way that will help you more effectively manage one of the greatest risk exposures in your bank:  your vendors?

The FFIEC’s ROE: an Effective Due Diligence Tool!

If you haven’t already heard, the FFIEC issued a Halloween revision of the infamous “TSP Booklet,” more formally called the Supervision of Technology Service Providers Booklet.  This article attempts to concisely describe the important points of the TSP Booklet.

The TSP Booklet stresses that a financial institution’s board of directors and management have the ultimate responsibility for ensuring outsourced activities are properly managed.  Though the TSP Booklet pertains to procedures for examining your vendors, and not you, we believe you should still be familiar with this process so that you understand the value of reviewing and questioning your vendors’ examination report, more formally called the ROE, or Report of Examination.

Technology Service Providers who have access to bank networks, or who possess (host) NPI owned by banks, are now being examined by the FFIEC.  For example, as a Managed Security Service Provider, we at infotex are examined every two years.  These examinations are usually inter-agency examinations, meaning that representatives from several agencies are involved in the examination.  The examinations cover four categories:  1) Audit, 2) Management, 3) Development and Acquisition, and 4) Support and Delivery.  These are robust examinations:  the examiners pore through policies and procedures, network designs, penetration test reports, social engineering reports, awareness training documentation, etc.  They interview employees to verify that the policies are actually enforced.  You can’t fake your way through one of these examinations!

The TSP Booklet is guidance for examiners and financial institutions on the supervision of technology service providers, including examiners’ authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions.  Thus the booklet is the framework used for TSP examinations.  It supplements the IT Handbook, which examiners use as the framework for examining banks and which remains the ultimate framework for any such audit.  However, the IT Handbook does not always apply to TSPs.  (For example, the IT Handbook addresses risk in proprietary bank systems, products, and services that most TSPs do not offer.)

Additionally, the TSP Booklet outlines a Risk-Based Examination Priority Ranking Program and includes an appendix describing the Uniform Rating System for Information Technology (URSIT), which the agencies also use for financial institutions.  Though we believe an extremely important part of a bank’s vendor due diligence program should be to order your Technology Service Provider’s Report of Examination (ROE), which will highlight improvement areas and areas of risk, the report does NOT include component or composite ratings, and thus we do not see the need for bankers to understand the URSIT ratings from a vendor due diligence perspective.  Still, since these ratings also apply to your own examinations, you may find this part of the TSP Booklet interesting, as it provides insight into how your own examination ratings are determined.

To us, the most important section of this booklet is the Risk-based Supervision section.  This includes the identification and selection of TSPs warranting scrutiny as well as guidelines for the development of a risk-based supervisory strategy for these TSPs.  This approach provides for examination coverage of selected TSPs, including core application processors, electronic funds transfer switches, Internet banking providers, item processors, managed security servicers, and data storage servicers.  The examinations of TSPs focus on the following underlying risk issues that affect the client financial institutions or the institutions’ customers:

  • Management of technology. The planning and oversight of technology resources and services, ensuring they support the strategic goals and objectives of the TSP and its serviced financial institutions.
  • Integrity of data. The accuracy and reliability of automated information processes and associated management information systems.
  • Confidentiality of information. The protection of information from intentional or inadvertent disclosure to unauthorized individuals.
  • Availability of services. The resilience of the TSP, including effective disaster recovery, business continuity plans, and adherence to service-level agreements.
  • Compliance. TSPs are expected to provide services to client financial institutions to help them comply with applicable laws, rules, regulations, and policies.
  • Financial stability. The maintenance of sufficient capital and liquidity to support ongoing operations and the ability to generate profit to ensure future viability. Financial difficulties at the TSP can negatively affect the safe and sound operations of serviced financial institutions through deteriorating quality of service, reliability of service, or adequacy of controls.

As with examinations of financial institutions, examiners involved in a TSP examination rely upon third-party audits, internal testing, interviews of key management, and documentation in the form of policies and procedures, as well as evidence demonstrating the existence of controls.  Since TSPs are not going to share internal audits, penetration test results, social engineering test results, etc. with their customers, having the FFIEC go into their facility and review these results on your behalf makes an excellent assurance tool.  Because of this, we believe the Report of Examination makes an excellent supplement to the existing due diligence tools you use in your own vendor management process.

One Response to “Vendor Risk, The TSP Booklet, and the ROE”

Comment from Network Support Dallas
Time 12/18/2018 at 11:21 pm

I just want to say I am a newbie to weblogs and really loved this website. Almost certainly I want to bookmark your blog post. You actually come with remarkable writings. Appreciate it for sharing your website.

Network Support Dallas
