ENHANCED SUPERVISION PROGRAM FOR MULTIREGIONAL DATA PROCESSING SERVICERS

OBJECTIVE

To establish guidelines to improve the supervision of and communication with the independent data processing service vendors in the Multiregional Data Processing Servicers program.

BACKGROUND

The Information System Subcommittee (the Subcommittee) of the FFIEC Task Force on Supervision has developed an Enhanced Supervision Program (ESP) for Multiregional Data Processing Servicers (MDPS). The MDPS examination program presently covers 17 nonbank EDP vendors that provide key data processing services to more than half of the federally insured depository institutions. In recent years, many of the country's larger depository organizations have outsourced their EDP operations, which has further increased the industry's dependence on outside service bureaus. Most vendors service institutions through regional data centers. The institutions depend on the quality and continuity of these services to conduct their business. Disruptions in services at a single vendor, as a result of either financial or operational conditions, could cause substantial systemic risk in the industry.

The core element of the interagency MDPS program continues to be the on-site Information Systems examination. The FFIEC's Interagency EDP Examination, Scheduling and Distribution Policy, as amended in 1991, identifies the frequency for examinations under the MDPS program. Vendors rated 1 or 2 are examined on a 24-month examination cycle; vendors rated 3, on an 18-month cycle; and vendors rated 4 or 5, on a 12-month cycle. As part of each examination, the agency-in-charge is responsible for formulating and implementing a supervisory strategy.

ENHANCED SUPERVISORY PROGRAM  (ESP)

The ESP supplements existing on-site examinations with interim reviews of material changes in the vendor's activities and condition.  The ESP should allow each agency to more promptly recognize and supervise risks associated with the concentration of services in vendors.

The interim reviews will follow up on matters from the previous examination, assess major changes (e.g., in the vendor's business plan, the number and type of financial institutions serviced, corporate/management structure, financial condition, and hardware and software), and plan subsequent reviews and examinations. The scope and frequency of the interim reviews will vary depending on the condition and/or degree of change in the vendor. However, vendors that are on a 24-month examination cycle are expected to receive a minimum of two interim reviews, and vendors on 12- or 18-month cycles are expected to receive at least one interim review.

Reviews may be conducted through correspondence, telephone interviews, and/or other requests for information if the agency-in-charge is able to obtain the information necessary to evaluate the vendor's condition and stay abreast of material changes in its activities and operations without going on-site to collect the information.  Interim reviews for vendors rated 3, 4, or 5, and those experiencing major changes in their activities and operations, are expected to be on-site visits.  

If visits are necessary, they will be conducted at the corporate headquarters of the vendor and ordinarily will not include branch or subsidiary data center sites. However, if necessary, examiners may visit additional sites. If the agency-in-charge requires assistance from examiners from other agencies, the Subcommittee should be informed as early as possible to facilitate coordination.

REPORTING

The agency-in-charge (AIC) will be responsible for preparing a brief summary memorandum documenting findings, conclusions, and recommendations from each interim review.  That memorandum is an internal document and is not intended for distribution.  The memorandum will be provided to the Subcommittee and shared with the agencies, as appropriate.  The memorandum should include a brief discussion of:

  1. The vendor's progress in addressing recommendations presented in the last examination;     
  2. The vendor's progress in addressing recommendations presented in selected internal and external audit reports;
  3. Any deterioration in financial condition or other matters that threaten the vendor's viability or its ability to continue to provide uninterrupted service;
  4. Recommendations regarding frequency, timing, scope, and locations of future reviews and examinations; and
  5. A listing of participating examiners, agencies and duration of participation.  

At the conclusion of the interim review, a brief overview of the examiner's conclusions and any material findings or recommendations should be discussed with the vendor.  Unless the agency-in-charge considers it necessary, there is no need for a formal close-out meeting with the vendor's directors or their designated compliance or audit committees.

If the agency-in-charge prepares separate written correspondence for the vendor, a copy of the letter will be provided to the Subcommittee.

ROLE OF THE INFORMATION SYSTEMS SUBCOMMITTEE

In order for the Subcommittee to provide for consistency in the conduct of the program and to assure effective coordination and scheduling of examiner resources, the AIC will provide the Subcommittee with a strategy for supervising the vendors.  That strategy will include information on the agency's proposed schedule and scope for the conduct of examinations and anticipated interim reviews.  The Subcommittee will provide guidance to the member agencies in their conduct of interim reviews.


In developing this program, the Subcommittee has designed the frequency, scope, and reporting requirements for interim reviews so as not to require significant additional examiner resources for the supervision of vendors.  The Subcommittee anticipates that the interim reviews will permit the AIC to be more familiar with the vendors and, therefore, will reduce the time spent on the examination.