The Supervision of Technology Service Providers - the FFIEC’s latest Booklet
By Charles Lybrand, Consultant, Coalfire
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.
In a nutshell, the FFIEC provides field examiners with IT Booklets that serve as the IT audit standard for banks, credit unions, and other financial institutions. The FFIEC releases new or revised booklets every few years, and in 2012 it released updates to two of them: Audit (Aud) and Supervision of Technology Service Providers (TSP). With this in mind, what does the TSP booklet mean for your institution, and what should you be doing in response to the latest 27-page booklet?
As always, the vendor management process is a vital aspect of every company. Third-party providers are not only critical to a company's bottom line; they can create risk or mitigate it. Since banks, credit unions, and other financial institutions rely heavily on third-party vendors for their core systems, vendor management must be part of enterprise risk management and must cover every critical Technology Service Provider (TSP).
There have been many prominent examples of third-party data breaches that adversely impacted financial institutions. How prepared is your organization to respond to a third-party breach? Your customers and members will hold you, not the vendor, responsible when you notify them of a breach. You have to be prepared not only to respond to such incidents but to help prevent them.
Here are the key aspects and due diligence items for vendor management:
You should have a vendor management policy that is reviewed on an annual basis and that assists in understanding and managing the risks associated with vendors and other third-party service providers.
You need to conduct appropriate risk-based due diligence in your selection of service providers and vendors, with the depth of review proportional to the criticality of the service and the sensitivity of the data the vendor handles.
Agreements and contracts with third-party vendors must contain appropriate language and controls (for example, security requirements, breach notification obligations, and audit or right-to-examine provisions) to reduce risk to your organization.
You should actively monitor key provisions and controls within vendor agreements to confirm the vendor is actually complying with them, rather than relying on the contract language alone.
Critical vendors need to be reviewed on an annual basis and actively tracked via a spreadsheet or another effective mechanism that records, at a minimum, the service provided, the risk rating, the last review date, and the next review due date.
Obtaining and reviewing the results of an IT examination or audit of each vendor, scoped to the technology service it provides to you, is a key element of due diligence.