
Vendor Risk, The TSP Booklet, and the ROE

By Dan Hadaway | Friday, November 2, 2012 - One Comment

When you perform due diligence on technology service providers, do you ask them whether they are in the FFIEC examination program?  If not, you are missing an important third-party assurance opportunity.  How many times have you wondered whether SSAE 16 SOC 1 and SOC 2 reports are really doing the job?  Have you ever wished you could see the results of your vendors' penetration tests?

What if you could find a way that will help you more effectively manage one of the greatest risk exposures in your bank:  your vendors?

The FFIEC’s ROE: an Effective Due Diligence Tool!

If you haven't already heard, on Halloween the FFIEC issued a revision of the well-known "TSP Booklet," more formally the Supervision of Technology Service Providers Booklet.  This article concisely describes the important points of the revised booklet.

The TSP Booklet stresses that a financial institution's board of directors and management have the ultimate responsibility for ensuring that outsourced activities are properly managed.  Though the TSP Booklet describes the procedures examiners use to examine your vendors, not you, we believe you should still be familiar with this process so that you understand the value of obtaining, reviewing, and questioning your vendors' examination report, more formally called the ROE, or Report of Examination.

Technology Service Providers that have access to bank networks, or that possess (host) non-public information (NPI) owned by banks, are now being examined under the FFIEC program.  For example, as a Managed Security Service Provider, we at infotex are examined every two years.  These examinations are usually interagency examinations, meaning that representatives from several of the FFIEC member agencies take part.  The examinations cover four categories:  1) Audit, 2) Management, 3) Development and Acquisition, and 4) Support and Delivery.  These are robust examinations:  the examiners pore over policies and procedures, network designs, penetration test reports, social engineering test reports, awareness training documentation, and so on.  They interview employees to verify that the documented controls are actually enforced, not just written down.  You can't fake your way through one of these examinations!

The TSP Booklet provides guidance to examiners and financial institutions on the supervision of technology service providers, including the examiners' authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions.  Thus the booklet is the framework used for TSP examinations.  It supplements the FFIEC IT Examination Handbook, which examiners use as the framework for examining banks themselves.  The IT Handbook, however, does not always apply cleanly to TSPs.  (For example, the IT Handbook addresses risk in proprietary bank systems, products, and services that most TSPs do not offer.)

Additionally, the TSP Booklet outlines a Risk-Based Examination Priority Ranking Program and includes an appendix describing the Uniform Rating System for Information Technology (URSIT), which the agencies also use for financial institutions.  We believe an extremely important part of a bank's vendor due diligence program should be to request your Technology Service Provider's Report of Examination (ROE), which your primary federal regulator can provide to you as a client institution and which will highlight improvement areas and areas of risk.  However, the copy of the report you receive does NOT include component or composite ratings, so we do not see a need for bankers to understand the URSIT ratings from a vendor due diligence perspective.  Still, since these same ratings apply to your own examinations, you may find this part of the TSP Booklet interesting, as it provides insight into how your own examination ratings are determined.

To us, the most important section of this booklet is the Risk-based Supervision section.  This includes the identification and selection of TSPs warranting scrutiny as well as guidelines for the development of a risk-based supervisory strategy for these TSPs.  This approach provides for examination coverage of selected TSPs, including core application processors, electronic funds transfer switches, Internet banking providers, item processors, managed security servicers, and data storage servicers.  The examinations of TSPs focus on the following underlying risk issues that affect the client financial institutions or the institutions’ customers:

  • Management of technology. The planning and oversight of technology resources and services, ensuring they support the strategic goals and objectives of the TSP and its serviced financial institutions.
  • Integrity of data. The accuracy and reliability of automated information processes and associated management information systems.
  • Confidentiality of information. The protection of information from intentional or inadvertent disclosure to unauthorized individuals.
  • Availability of services. The resilience of the TSP, including effective disaster recovery, business continuity plans, and adherence to service-level agreements.
  • Compliance. TSPs are expected to provide services to client financial institutions to help them comply with applicable laws, rules, regulations, and policies.
  • Financial stability. The maintenance of sufficient capital and liquidity to support ongoing operations and the ability to generate profit to ensure future viability. Financial difficulties at the TSP can negatively affect the safe and sound operations of serviced financial institutions through deteriorating quality of service, reliability of service, or adequacy of controls.

As with examinations of financial institutions, examiners involved in a TSP examination rely upon third-party audits, internal testing, interviews of key management, and documentation in the form of policies and procedures, as well as evidence demonstrating that the controls actually exist.  Since TSPs are not going to share internal audits, penetration test results, social engineering test results, and the like with their customers, having the FFIEC go into their facility and review those results on your behalf is an excellent assurance tool.  For this reason, we believe the Report of Examination makes an excellent supplement to the due diligence tools you already use in your own vendor management process.

One Response to “Vendor Risk, The TSP Booklet, and the ROE”

Comment from Network Support Dallas
Time 12/18/2018 at 11:21 pm

I just want to say I am a newbie to weblogs and really loved this website.  Almost certainly I'm going to bookmark your blog post.  You actually come with remarkable writings.  Appreciate it for sharing your website.

Network Support Dallas
