Service Provider Oversight
Financial institutions should exercise their security responsibilities for outsourced operations through
Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution's technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under the 501(b) guidelines to ensure service providers have implemented adequate security controls to safeguard customer information. The guidelines require
In addition to the privacy requirements, financial institutions should implement the above-mentioned precautions in all technology service provider (TSP) relationships, based on the level of access to systems or data, for safety and soundness reasons.
Financial institutions should evaluate the following security considerations when selecting a service provider:
Financial institutions should ensure TSPs implement and maintain controls sufficient to appropriately mitigate risks. In higher-risk relationships, the institution's contract may prescribe minimum control and reporting standards, ensure the right to require changes to standards as external and internal environments change, and obtain access to the TSP for institution or independent third-party evaluations of the TSP's performance against the standard. In lower-risk relationships, the institution may prescribe the use of standardized reports, such as an AICPA Statement on Standards for Attestation
See the Third-Party Reviews of Technology Service Providers section of the IT Audit Booklet of the FFIEC IT Examination Handbook for more detailed information on this
For example, AICPA's SSAE-16 Type I and Type II, SOC 2 Type I and Type II, SOC 3 (Web Trust).