The Board of Governors of the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (each individually, Agency, and collectively, Agencies) have statutory authority to supervise third-party servicers that enter into contractual arrangements with their regulated financial institutions. 12 USC 1464(d)(7), 1867(c)(1). The Consumer Financial Protection Bureau (CFPB) has authority as described in 12 USC 5514(e), 5515(d), and 5516(e). See CFPB Bulletin 2012-03 (Apr. 13, 2012), available at http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf. The National Credit Union Administration (NCUA) does not have independent regulatory authority over TSPs. The Agencies coordinate the interagency programs to supervise third-party servicers through the Federal Financial Institutions Examination Council (FFIEC).
The "Supervision of Technology Service Providers" booklet (TSP Booklet) of the FFIEC Information Technology Examination Handbook (IT Handbook) addresses this authority and rescinds the previous version dated March 2003. The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. The FFIEC members include the FRS, the FDIC, the NCUA, the OCC, the State Liaison Committee (SLC), and the CFPB. The TSP booklet outlines the Agencies' risk-based supervisory program and includes the examination ratings used for regulated financial institutions and their Technology Service Providers (TSP). The term TSP generally includes independent third parties, joint venture/limited liability corporations, and bank and credit union service corporations that provide processing services to financial institutions supervised by the FFIEC member Agencies.
A financial institution's use of a TSP to provide needed products and services does not diminish the responsibility of the institution's board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institution were to perform the activities in-house.
While the examinations of TSPs generally focus on the underlying information technology (IT) risk, the risk assessment process also considers all business lines in which TSPs engage to ensure that all covered services are effectively included. The Agencies expect financial institutions to have a comprehensive, enterprise risk management process in place that addresses vendor management for their relationships with TSPs. The risk management process should include risk assessments and robust due diligence for the selection of TSPs, contract development, and ongoing monitoring of all TSPs' performance. Additional information on appropriate due diligence and oversight of outsourced technology services and third-party relationships can be found in the FFIEC Information Technology Examination Handbook (IT Handbook), "Outsourcing Technology Services" booklet.
The Agencies conduct IT-related examinations of financial institutions and their TSPs based on the guidelines contained in the IT Handbook. The handbook is composed of the following individual booklets that address governance of risks expected of financial institutions and their TSPs as well as detailed examination procedures:
- Business Continuity Planning
- Development and Acquisition
- Electronic Banking
- Information Security
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
Management of financial institutions and TSPs should be aware of the guidance described in the IT Handbook.