FRB: Supervisory Letter SR 95-7 (SPE) on enhanced supervision program for multiregional data processing servicers -- February 9, 1995

TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK

SUBJECT:

Enhanced Supervision Program for Multiregional Data Processing Servicers

The attached policy statement on the "Enhanced Supervision Program for Multiregional Data Processing Servicers (MDPS)" was recently approved by the FFIEC's Task Force on Supervision in order to improve the agencies' understanding of the condition and operations of large EDP service centers between full-scope examinations. This program amends the existing "Interagency EDP Examination, Scheduling, and Report Distribution Policy Statement (SP-1)" which requires that the condition of MDPS vendors "...be monitored between examinations through periodic visitations and progress reports..."

In this regard, the attached statement is intended to formalize many of the agencies' interim monitoring practices and procedures that have evolved informally over the three years since the last revision to SP-1. It is also intended to provide for the uniform implementation of this requirement on an interagency basis.

The statement is effective immediately. Please distribute it to your EDP supervision staff and examiners. It may also be provided to MDPS organizations and others with an interest in EDP supervision policy. Should you or your staff have any questions, please contact Blaine Jones at the Board at (202) 452-3759.

Howard A. Amer
Assistant Director

ATTACHMENT TRANSMITTED ELECTRONICALLY BELOW

Facsimile of FFIEC Logo
Approved January 20, 1995

ENHANCED SUPERVISION PROGRAM FOR MULTIREGIONAL DATA PROCESSING SERVICERS

OBJECTIVE

To establish guidelines to improve the supervision of and communication with the independent data processing service vendors in the Multiregional Data Processing Servicers program.

BACKGROUND

The Information System Subcommittee (the Subcommittee) of the FFIEC Task Force on Supervision has developed an Enhanced Supervision Program (ESP) for Multiregional Data Processing Servicers (MDPS). The MDPS examination program presently covers 17 nonbank EDP vendors that provide key data processing services to more than half of the federally insured depository institutions. In recent years, many of the country's larger depository organizations have outsourced their EDP operations which has increased further the industry's dependence on outside service bureaus. Most vendors service institutions through regional data centers. The institutions depend on the quality and continuity of these services to conduct their business. Disruptions in services at a single vendor, as a result of either financial or operational conditions, could cause substantial systemic risk in the industry.

The core element of the interagency MDPS program continues to be the on-site Information Systems examination. The FFIEC's Interagency EDP Examination, Scheduling and Distribution Policy, as amended in 1991, identifies the frequency for examinations under the MDPS program. Those vendors, rated 1 or 2 are examined on a 24 month examination cycle; vendors rated 3, on an 18 month cycle; and vendors rated 4 or 5, on a 12 month cycle. As part of each examination, the agency-in-charge is responsible for formulating and implementing a supervisory strategy.

ENHANCED SUPERVISORY PROGRAM (ESP)

The ESP supplements existing on-site examinations with interim reviews of material changes in the vendor's activities and condition. The ESP should allow each agency to more promptly recognize and supervise risks associated with the concentration of services in vendors.

The interim reviews will follow up on matters from the previous examination, assess major changes (e.g. in the vendor's business plan, the number and type of financial institutions serviced, corporate/management structure, financial condition, and hardware and software), and plan subsequent reviews and examinations. The scope and frequency of the interim reviews will vary depending on the condition and/or degree of change in the vendor. However, vendors that are on a 24 month examination cycle are expected to receive a minimum of two interim reviews and vendors on 12 or 18 month cycles are expected to receive at least one interim review.

Reviews may be conducted through correspondence, telephone interviews, and/or other requests for information if the agency-in-charge is able to obtain the information necessary to evaluate the vendor's condition and stay abreast of material changes in its activities and operations without going on-site to collect the information. Interim reviews for vendors rated 3, 4, or 5, and those experiencing major changes in their activities and operations, are expected to be on-site visits.

If visits are necessary they will be conducted at the corporate headquarters of the vendor and ordinarily will not include branch or subsidiary data center sites. However, if necessary, examiners may visit additional sites. If the agency-in-charge requires assistance from examiners from other agencies, the Subcommittee should be informed as early as possible to facilitate coordination.

REPORTING

The agency-in-charge (AIC) will be responsible for preparing a brief summary memorandum documenting findings, conclusions, and recommendations from each interim review. That memorandum is an internal document and is not intended for distribution. The memorandum will be provided to the Subcommittee and shared with the agencies, as appropriate. The memorandum should include a brief discussion of:

The vendor's progress in addressing recommendations presented in the last examination;
The vendor's progress in addressing recommendations presented in selected internal and external audit reports;
Any deterioration in financial condition or other matters that threaten the vendor's viability or its ability to continue to provide uninterrupted service;
Recommendations regarding frequency, timing, scope, and locations of future reviews and examinations; and
A listing of participating examiners, agencies and duration of participation.

At the conclusion of the interim review, a brief overview of the examiner's conclusions and any material findings or recommendations should be discussed with the vendor. Unless the agency-in-charge considers it necessary, there is no need for a formal close-out meeting with the vendor's directors or their designated compliance or audit committees.

If the agency-in-charge prepares separate written correspondence for the vendor, a copy of the letter will be provided to the Subcommittee.

ROLE OF THE INFORMATION SYSTEMS SUBCOMMITTEE

In order for the Subcommittee to provide for consistency in the conduct of the program and to assure effective coordination and scheduling of examiner resources, the AIC will provide the Subcommittee with a strategy for supervising the vendors. That strategy will include information on the agency's proposed schedule and scope for the conduct of examinations and anticipated interim reviews. The Subcommittee will provide guidance to the member agencies in their conduct of interim reviews.

In developing this program, the Subcommittee has designed the frequency, scope, and reporting requirements for interim reviews so as not to require significant additional examiner resources for the supervision of vendors. The Subcommittee anticipates that the interim reviews will permit the AIC to be more familiar with the vendors and, therefore, will reduce the time spent on the examination.