ENHANCED SUPERVISION PROGRAM FOR MULTIREGIONAL DATA PROCESSING
SERVICERS To establish guidelines to improve the supervision of and communication with the
independent data processing service vendors in the Multiregional Data Processing Servicers
program. BACKGROUND The Information System Subcommittee (the Subcommittee) of the FFIEC Task Force on
Supervision has developed an Enhanced Supervision Program (ESP) for Multiregional Data
Processing Servicers (MDPS). The MDPS examination program presently covers 17
nonbank EDP vendors that provide key data processing services to more than half of the
federally insured depository institutions. In recent years, many of the
country's larger depository organizations have outsourced their EDP operations which has
increased further the industry's dependence on outside service bureaus. Most
vendors service institutions through regional data centers. The institutions
depend on the quality and continuity of these services to conduct their business.
Disruptions in services at a single vendor, as a result of either financial or operational
conditions, could cause substantial systemic risk in the industry. The core element of the interagency MDPS program continues to be the on-site
Information Systems examination. The FFIEC's Interagency EDP Examination,
Scheduling and Distribution Policy, as amended in 1991, identifies the frequency for
examinations under the MDPS program. Those vendors, rated 1 or 2 are examined
on a 24 month examination cycle; vendors rated 3, on an 18 month cycle; and vendors rated
4 or 5, on a 12 month cycle. As part of each examination, the agency-in-charge is
responsible for formulating and implementing a supervisory strategy. ENHANCED SUPERVISORY PROGRAM (ESP) The ESP supplements existing on-site examinations with interim reviews of material
changes in the vendor's activities and condition. The ESP should allow each
agency to more promptly recognize and supervise risks associated with the concentration of
services in vendors. The interim reviews will follow up on matters from the previous examination, assess
major changes (e.g. in the vendor's business plan, the number and type of financial
institutions serviced, corporate/management structure, financial condition, and hardware
and software), and plan subsequent reviews and examinations. The scope and
frequency of the interim reviews will vary depending on the condition and/or degree of
change in the vendor. However, vendors that are on a 24 month examination cycle
are expected to receive a minimum of two interim reviews and vendors on 12 or 18 month
cycles are expected to receive at least one interim review. Reviews may be conducted through correspondence, telephone interviews, and/or other
requests for information if the agency-in-charge is able to obtain the information
necessary to evaluate the vendor's condition and stay abreast of material changes in its
activities and operations without going on-site to collect the
information. Interim reviews for vendors rated 3, 4, or 5, and those
experiencing major changes in their activities and operations, are expected to be on-site
visits. If visits are necessary they will be conducted at the corporate headquarters of the
vendor and ordinarily will not include branch or subsidiary data center
sites. However, if necessary, examiners may visit additional
sites. If the agency-in-charge requires assistance from examiners from other
agencies, the Subcommittee should be informed as early as possible to facilitate
coordination. REPORTING The agency-in-charge (AIC) will be responsible for preparing a brief summary memorandum
documenting findings, conclusions, and recommendations from each interim
review. That memorandum is an internal document and is not intended for
distribution. The memorandum will be provided to the Subcommittee and shared
with the agencies, as appropriate. The memorandum should include a brief
discussion of:
At the conclusion of the interim review, a brief overview of the examiner's conclusions
and any material findings or recommendations should be discussed with the
vendor. Unless the agency-in-charge considers it necessary, there is no need
for a formal close-out meeting with the vendor's directors or their designated compliance
or audit committees. If the agency-in-charge prepares separate written correspondence for the vendor, a copy
of the letter will be provided to the Subcommittee. ROLE OF THE INFORMATION SYSTEMS SUBCOMMITTEE In order for the Subcommittee to provide for consistency in the conduct of the program and to assure effective coordination and scheduling of examiner resources, the AIC will provide the Subcommittee with a strategy for supervising the vendors. That strategy will include information on the agency's proposed schedule and scope for the conduct of examinations and anticipated interim reviews. The Subcommittee will provide guidance to the member agencies in their conduct of interim reviews.
|