Just posted, the new Booklet rescinds and replaces the previous one issued in March 2003, and is the first Booklet replacement since Retail Payment Systems in 2010. In general this is not so much a complete re-write as a reinforcement of the importance the agency places on strong vendor management, which is a concept that we’ve seen from other recent FFIEC releases and updates.
So with all the similarity between this new publication and the one almost 10 years ago, I think it’s instructive to focus on the differences between the two to see how the FFIEC’s thinking has evolved. It also allows the institutions affected to know exactly what they need to change or adjust to remain in compliance.
First of all, both Booklets state the following:
“A financial institution’s use of a TSP (technology service provider) to provide needed products and services does not diminish the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations…”
and perhaps for extra emphasis the new Booklet adds the following verbiage:
“…just as if the institution were to perform the activities in-house.”
Nothing new here; all institutions are acutely aware that they bear full responsibility for the confidentiality, integrity and availability of their customers’ data regardless of where it may reside. This re-statement is perhaps insignificant by itself, but interesting when taken in combination with the next sentence:
Old guidance – “Financial institutions should have a comprehensive outsourcing risk management process to govern their TSP relationships.”
New guidance – “Agencies expect financial institutions to have a comprehensive, enterprise risk management process in place that addresses vendor management for their relationships with TSPs.”
What is significant here is the addition of the word “enterprise” to the risk management process, indicating that you must acknowledge that vendors carry multidimensional risks. These risks include not just operational risk (risk of failure), but strategic risk, regulatory risk and reputation risk as well.
However, to me the most significant change in the guidance is in the sentence beginning with “…(the risk management) process should include…”, because this is what the regulators will expect from you. Compare these:
Old guidance – “Such processes should include risk assessment, selection of service providers, contract review, and monitoring of service providers.”
New guidance – “The risk management process should include risk assessments and robust due diligence for the selection of TSPs, contract development, and ongoing monitoring of all TSPs’ performance.”
It’s clear that regulators will expect much more from your vendor risk management process going forward. Not simply selecting a service provider, but robust due diligence in the selection process. Not just contract review, but contract development. And not just basic monitoring, but ongoing monitoring of all TSPs’ performance.
The new guidance goes on to state that federal regulators expect technology service providers to be familiar with, and adhere to, not just this Booklet, but all 11 Booklets in the IT Examination Handbook series. This is one more reinforcement that there are not two standards of measurement, one for financial institutions and one for vendors, but only one. And that same standard will be enforced by the same federal regulators that currently examine you.
The guidance goes on to describe how they will classify service providers (by size and criticality of the services they provide), and how that classification will determine who will examine them and how often they can expect to be examined. As for who can expect to be examined, the answer is any service provider that provides any of the following services:
- Core application processors
- Electronic funds transfer switches
- Internet banking providers
- Item processors
- Managed security servicers
- Data storage servicers
- Business continuity providers
So pretty much anyone that provides an application, system, or process that is vital to the successful continuance of a critical business activity, or anyone that interfaces with a critical business system, can expect to be examined.
Aside from being more comprehensive, the actual examination process hasn’t changed much. Examiners will still scrutinize the AMDS (Audit, Management, Development and Acquisition, and Support and Delivery) components, and will still assign a numerical score of 1 through 5 to each component, with 1 representing the highest (best) rating and 5 the lowest (worst). Examiners will then use the component scores to determine the overall composite rating. Again, nothing new there.
So in summary, not a drastic change as much as a reiteration with amplification and clarification. Simply put, more of the same…more regulatory expectations for your vendor management program, which means more scrutiny by the examiners (for you and for your vendors), all of which means more effort on everyone’s part!