
Vendor Risk, The TSP Booklet, and the ROE

By Dan Hadaway | Friday, November 2, 2012 - One Comment

When you perform due diligence on technology service providers, do you ask them if they are in the FFIEC Examination Program?  If not, you are missing an important third-party assurance opportunity.  How many times have you wondered whether the SSAE-16 SOC1/SOC2 reports are really doing the job?  Have you ever wished you could see the results of your vendors’ Penetration Test reports?

What if you could find a way that will help you more effectively manage one of the greatest risk exposures in your bank:  your vendors?

The FFIEC’s ROE: an Effective Due Diligence Tool!

If you haven’t already heard, the FFIEC issued a Halloween revision of the infamous “TSP Booklet,” more formally called the Supervision of Technology Service Providers Booklet.  This article attempts to concisely describe the important points of the TSP Booklet.

The TSP Booklet stresses that a financial institution’s board of directors and management have the ultimate responsibility for ensuring outsourced activities are properly managed.  Though the TSP Booklet pertains to procedures for examining your vendors, and not you, we believe you should still be familiar with this process so that you understand the value of reviewing and questioning your vendors’ examination report, more formally called the ROE, or Report of Examination.

Technology Service Providers who have access to bank networks, or who possess (host) NPI owned by banks, are now being examined by the FFIEC.  For example, as a Managed Security Service Provider, we at infotex are examined every two years.  These examinations are usually inter-agency examinations, meaning that representatives from several agencies are involved in the examination.  The examinations cover four categories:  1) Audit, 2) Management, 3) Development and Acquisition, and 4) Support and Delivery.  These are robust examinations:  the examiners pore through policies and procedures, network designs, penetration test reports, social engineering reports, awareness training documentation, etc.  They interview employees to confirm that the policies are actually enforced.  You can’t fake your way through one of these examinations!

The TSP Booklet is guidance for examiners and financial institutions on the supervision of technology service providers, including examiners’ authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions.  Thus the booklet is the framework used for TSP examinations.  It supplements the IT Handbook, which examiners use as the framework for examining banks and which is ultimately the framework for the audit.  However, the IT Handbook does not always apply to TSPs.  (For example, the IT Handbook addresses risk in proprietary bank systems, products, and services that most TSPs do not offer.)

Additionally, the TSP Booklet outlines a Risk-Based Examination Priority Ranking Program and includes an appendix describing the Uniform Rating System for Information Technology (URSIT), which the agencies also use for financial institutions.  Though we believe an extremely important part of a bank’s vendor due diligence program should be to order your Technology Service Provider’s Report of Examination (ROE), which will highlight improvement areas and areas of risk, the report does NOT include component or composite ratings, and thus we do not see the need for bankers to understand the URSIT ratings from a vendor due diligence perspective.  Still, since these ratings also apply to your own examinations, you may find this part of the TSP Booklet interesting, as it provides insight into how your own examination ratings are determined.

To us, the most important section of this booklet is the Risk-based Supervision section.  This includes the identification and selection of TSPs warranting scrutiny as well as guidelines for the development of a risk-based supervisory strategy for these TSPs.  This approach provides for examination coverage of selected TSPs, including core application processors, electronic funds transfer switches, Internet banking providers, item processors, managed security servicers, and data storage servicers.  The examinations of TSPs focus on the following underlying risk issues that affect the client financial institutions or the institutions’ customers:

  • Management of technology. The planning and oversight of technology resources and services, ensuring they support the strategic goals and objectives of the TSP and its serviced financial institutions.
  • Integrity of data. The accuracy and reliability of automated information processes and associated management information systems.
  • Confidentiality of information. The protection of information from intentional or inadvertent disclosure to unauthorized individuals.
  • Availability of services. The resilience of the TSP, including effective disaster recovery, business continuity plans, and adherence to service-level agreements.
  • Compliance. TSPs are expected to provide services to client financial institutions to help them comply with applicable laws, rules, regulations, and policies.
  • Financial stability. The maintenance of sufficient capital and liquidity to support ongoing operations and the ability to generate profit to ensure future viability. Financial difficulties at the TSP can negatively affect the safe and sound operations of serviced financial institutions through deteriorating quality of service, reliability of service, or adequacy of controls.

As with examinations of financial institutions, examiners involved in the TSP examination rely upon third-party audits, internal testing, interviews of key management, and documentation in the form of policies and procedures as well as evidence demonstrating the existence of controls.  Since TSPs are not going to share internal audits, penetration test results, social engineering test results, etc. with their customers, having the FFIEC go into their facility and review these results on your behalf makes an excellent assurance tool.  Because of this, we believe the Report of Examination makes an excellent supplement to the existing due diligence tools you use in your own vendor management process.

One Response to “Vendor Risk, The TSP Booklet, and the ROE”

Comment from Network Support Dallas
Time 12/18/2018 at 11:21 pm

I just want to say I am a newbie to weblogs and really loved this website. Almost certainly I’m going to bookmark your blog post. You actually come with remarkable writings. Appreciate it for sharing your website.

Network Support Dallas
