Pub. 3 2012 Issue 4

www.wvbankers.org 24

perform for the institution. As indicated in the Handbook, “The Agencies expect financial institutions to have a comprehensive, enterprise risk management process in place that addresses vendor management for their relationships with TSPs”. The risk assessment process should be exercised during the selection of the TSP, contract development and ongoing monitoring.

The Handbook noted various issues as they relate to the underlying risks that affect the institution and the institution’s customers, including:

• Management of technology – Does the direction of the TSP and its product offerings adequately address the institution’s short- and long-term strategic initiatives?
• Integrity of data – How accurate and reliable is data processed through the TSP?
• Confidentiality of information – Has the TSP considered the protection of non-public customer and consumer information, ensuring that the institution considers the confidentiality of the information entrusted to them while it is being processed and retained by the TSP?
• Availability of services – Are the performance standards documented in the service level agreement satisfactory to service the institution’s customers? How well does the TSP’s disaster recovery / business continuity plan serve the institution and the institution’s customers? How well did the TSP perform during the June 2012 derecho and during Hurricane Sandy?
• Compliance – How well does the TSP enable the institution to comply with laws and regulations?
• Financial stability – How financially stable is the TSP in order to support the operations and product services the institution is relying upon to service the institution’s customers?

These underlying issues all affect the risks associated with TSPs, including (1) operational risk, (2) reputation risk, (3) strategic risk, (4) compliance (legal) risk and (5) credit, interest rate, liquidity, and price (market) risks.
While all of the risk areas are significant, operational risk is the primary risk associated with utilizing a TSP. Operational risk is affected by multiple issues. As noted in the Handbook, “The quantity of operational risk at a TSP is the level or volume of risk that exists. The quality of operational risk management is an assessment of how well risks are identified, measured, controlled and monitored”.

Monitoring.

The level of monitoring and controls to be conducted by the institution is influenced by the size, complexity, sophistication and nature of the services being contracted by the institution with the TSP. Regardless of the level, the institution should ensure procedures are implemented to oversee the TSPs utilized. The steps performed by the institution should include:

• Review the risk management systems used by the TSP
• Review available third party audit reports over the TSP controls (i.e. SOC 1)
• Internal control testing conducted by the TSP
• Review of audited financial statements of the TSP
• Identifying and reviewing reports available from the TSP for service quality and interruption
• Security testing activity conducted on the TSP
• Review the Agencies’ Report of Examination (ROE) on the TSP

The ROE includes an “Open Section”, which contains all significant findings and conclusions and is available to a serviced institution. The Open Section of the ROE is either distributed automatically to a serviced institution or provided upon request. When the composite Uniform Rating System for Information Technology rating of the TSP is a 4 or 5, the ROE is automatically sent to the serviced institution. A copy of the ROE can also be obtained provided the serviced institution can demonstrate they had a valid and current contract with the TSP as of the date of the examination.

Other activities should be considered by the institution depending on the specific services being provided by the TSP for the institution.

Conclusion.
As the number of products increases, technology changes, and the regulatory landscape evolves, the use of TSPs is becoming more and more significant. The financial institution should ensure its risk management process includes the use of TSPs to adequately address the risks introduced with using TSPs to provide customer products and services.

Chris Joseph is a PLLC Member of Arnett Foster Toothman PLLC, Certified Public Accountants, in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has over twenty-seven years’ experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@afnetwork.com.

Technology — continued from page 22
