Pub. 3 2012 Issue 4

www.wvbankers.org 22

Supervision of Technology Service Providers
Why it is Important to a Financial Institution
By Chris Joseph, CPA, CISA, CRISC, CITP

Introduction. The Federal Financial Institutions Examination Council recently issued a new Information Technology (IT) Examination Handbook (Handbook) to address regulators’ statutory authority to supervise third-party servicers that enter into contractual arrangements with a regulated financial institution (institution). The Handbook is titled “Supervision of Technology Service Providers” (TSP) and was issued in October 2012.

Why is this important to an institution? The main reason is that, while an institution can outsource certain processes to more cost effectively provide a product or service to its customers, the responsibility for providing the product or service still resides with the institution. Specifically, the institution’s board of directors and management are responsible and accountable for ensuring that activities conducted for their customers are conducted in a safe and sound manner. The board of directors and management must also ensure that the institution is in compliance with the applicable laws and regulations. In other words, proceed as if the institution is performing the activities in-house. This article provides an overview of the IT Examination Handbook addressing the TSP, with an emphasis on risks and considerations of the institution.

History. The revised TSP IT Examination Handbook replaces the March 2003 edition and rescinds the Supervisory Policy 1, “Interagency EDP Examination, Scheduling and Distribution Policy”, September 1991 (Revised) and Supervisory Policy 11, “Enhanced Supervision Program for Multidistrict Data Processing Servicers,” January 1995. There have been numerous changes in the services provided since the issuance of the previous guidelines. In addition, there have been changes and increases in the risks of utilizing a technology service provider.

For example, in June 2012, it was reported that Fidelity National Information Services Inc. (FIS) had questions raised by bank regulators (FDIC, Federal Reserve Bank of Atlanta and the OCC). In addition, other processors have been reported as encountering data breaches affecting institutions, retailers and card processors including:

• Global Payments (January to February 2012)
• Citigroup (May 2011)
• Epsilon Data Management (April 2011)
• Heartland Payment Systems (January 2009)
• TJX Companies (January 2007)
• CardSystems Solutions (June 2005)

In the case of FIS, the focus was on oversight issues following a 2011 breach. The nature of the services provided by the TSPs, along with the information they retain (nonpublic customer and consumer information), has made them prime targets of hackers and intruders. While the Technology Service Providers incorporate various levels of security and controls, it is critical that institutions consider the TSPs’ security posture and culture while assessing their own.

Risk Assessment Process. When considering the use of a TSP, it is important that the institution consider the TSP in its risk assessment process. While the natural tendency is to focus on the information technology risk, it is important that the risk assessment also consider all business lines in which the TSP is engaged to

Technology — continued on page 24
