Where in the handbook does it state the Bank should request exam reports on vendors from their regulatory body?
Although there is no formal written FFIEC requirement to obtain a service provider’s regulatory examination report (report of examination, or ROE), the FFIEC 2012 TSP Handbook describes it as a best practice:
The Agencies distribute to serviced financial institutions, either automatically or upon request, the Open section of a TSP ROE. Reports are automatically distributed when the TSP receives a composite URSIT rating of 4 or 5. A serviced financial institution can request a copy of the ROE from the institution’s primary regulator and must demonstrate that it had a valid and current contract with the TSP as of the date of the examination.
However, there have been a couple of recent developments that have, in my opinion, elevated obtaining the ROE from a best practice to a requirement. First, in 2012 Don Saxinger, head of IT risk at the FDIC (and co-author of many of the IT handbooks), said in an ABA Telephone Briefing that:
“The No. 1 issue (in FDIC IT examinations in which bank ratings were downgraded) that a lot of examiners told me was the banks are not requesting copies of the exams of their service providers. We do examine service providers. It would be a very good monitoring and continued due diligence practice to see what the regulators are saying about your service providers.”
Second, at the end of last year the Federal Reserve issued its “Guidance on Managing Outsourcing Risk”. In it, the Fed states:
If the service provider delivers information technology services, the financial institution can request the FFIEC Technology Service Provider examination report from its primary federal regulator.
So when regulators say “…it would be a very good monitoring…practice…” and “…the financial institution can request…”, what they are really saying is that you had better have a pretty good reason if you _don’t_ do it! Again, you will automatically receive a copy of the ROE if the vendor receives a composite URSIT rating of 4 or 5, but what these recent events tell me is that requesting it is a de facto requirement, and that you shouldn’t wait to hear from the regulator…or the vendor.
So add this to your list of vendor controls. Reach out to your critical, high-risk vendors and ask whether they have had a regulatory examination. If they say yes, contact your primary federal regulator and request a copy; be prepared to demonstrate that you had a valid and current contract with the vendor as of the date of the examination. (ROEs have two sections, confidential and open. The only section you are allowed to see is the open section.) Finally, review the report to see whether it contains any findings that may require additional action on your part, and document that review as part of your ongoing vendor due diligence.