Federal Banking Regulators Issue Guidance Regarding Supervision of Technology Service Providers
On October 31, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Supervision of Technology Service Providers Booklet (TSP Booklet). The revised TSP Booklet, which is part of the FFIEC Information Technology Examination Handbook, provides guidance for examiners and financial institutions on the supervision of technology service providers by describing the federal banking regulators’ statutory authority to supervise third-party service providers, outlining the regulators’ risk-based supervision program, and providing the Uniform Rating System for examinations. The TSP Booklet clarifies that outsourced activities should be subject to the same risk management, security, privacy, and other internal controls and compliance policies as if such functions were performed internally, and that a financial institution’s board of directors and management have the responsibility for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
Concurrent with the release of the updated TSP Booklet, the Federal Reserve Board, the FDIC, and the OCC issued new Administrative Guidelines for the Implementation of Interagency Programs for the Supervision of Technology Service Providers. The Guidelines are separate from the FFIEC IT Examination Handbook and describe how the agencies implement their interagency supervisory programs. The Guidelines are primarily a resource for examiners and include the reporting templates used by examiners.