The Agencies recognize that management practices, particularly as they relate to risk management, vary considerably among financial institutions and TSPs, depending on their size and sophistication, the nature and complexity of their business activities, and their risk profile. Accordingly, the Agencies also recognize that for less complex information systems environments, detailed or highly formalized systems and controls may not be required.
Financial institutions should oversee their TSPs and perform due diligence in selecting their third-party servicers, including a review of the risk management systems used by the TSPs. Such reviews should include measures taken by the TSPs to protect information about financial institutions' customers. Financial institutions also should monitor their TSPs to confirm the TSPs implement adequate security measures. As part of their monitoring activities, financial institutions should review such information as TSP service-level reports, audits, third-party reviews, internal control testing results, and other equivalent evaluations of their TSPs.
If a TSP has weak risk management controls requiring corrective action, the TSP's serviced institutions may also have to take remedial actions because the institutions have the ultimate responsibility to properly manage their risks. Management of TSPs and financial institutions should monitor changes in laws, regulations, and guidance that affects the services provided to financial institutions.
Risks Associated With TSPs
Audit and Internal Controls