This memorandum represents the Division of Supervision and Consumer Protection (DSC) response to the draft report entitled, FDIC's Oversight of Technology Service Providers (2005-046) prepared by the FDIC's Office of Inspector General (OIG). The stated objective of the OIG audit was to determine the FDIC's examination coverage of technology service providers (TSPs) and related efforts to protect sensitive customer information in response to various reported security breaches in the financial industry in 2005. Specifically, this audit assessed the FDIC's oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage.

The FDIC has long recognized that the protection of sensitive customer information either at financial institutions or service providers is a significant consumer protection and safety and soundness risk area. The FDIC's commitment to the protection of customer information is demonstrated by our proactive approach to enforcing data security regulations and guidance and by our overall identity theft strategy. The OIG audit contains several findings and six recommendations. As discussed below, DSC has already implemented or considered many of the recommendations. DSC also agrees with the remaining recommendations and will work with our interagency partners to enhance our supervisory programs.

OVERVIEW

To address the specialized nature of technology related supervision, risks, and controls in the banking industry, the FDIC regularly and routinely evaluates all of its regulated financial institutions' information security programs through our information technology (IT) supervision program, as well as enforcing legal privacy requirements through our compliance examination program. The FDIC also conducts IT examinations of major TSPs that support financial institutions. IT examinations of financial institutions are most often conducted by the FDIC in conjunction with safety and soundness examinations under authority granted by the FDI Act and the Gramm Leach Bliley Act (GLBA) while IT examinations of TSPs are conducted under authority granted by the Bank Service Company Act (BSCA), usually on an interagency basis.

IT examinations of both financial institutions and TSPs are conducted to ensure the continued safe and sound operation of the financial institution(s) including the protection of customer information. IT examination procedures for both financial institutions and TSPs review IT infrastructure, processes, security, and management oversight to assess control over the confidentiality, integrity, and availability of sensitive, material, and critical bank and customer information.

IT Supervision Program

The FDIC, as part of its comprehensive IT supervision program, conducts examinations, develops industry and examiner guidance, trains examiners, develops and coordinates outreach, and conducts research related to information security and identity theft to ensure and promote information security across the industry.

IT examinations are performed in banks as part of regularly scheduled safety and soundness examinations to ensure adequate confidentiality, integrity, and availability of bank systems and to determine compliance with GLBA customer information security standards. Although the FDIC has authority under GLBA to enforce the customer information security standards in the banks it regulates, the Federal Trade Commission (FTC) has enforcement authority for any TSPs that are covered by GLBA, including those that may be examined by the FDIC under the BSCA. The FDIC ensures that banks enforce GLBA standards on the TSPs they contract with. IT examinations include assessments of the bank's oversight of TSPs through the bank's vendor management process.

The FDIC, in partnership with other Federal banking agencies, has a well defined program to identify, risk rank, and examine information security in the TSPs that pose a risk to financial institutions. The FDIC has examined data security controls in TSPs since the enactment of the BSCA in 1962. The BSCA gives Federal banking agencies broad examination authority over a variety of organizations which perform permissible bank services for a bank by contract or otherwise. While permissible bank services are described in the BSCA, the listing is not intended to be exhaustive. The FDIC and other agencies currently use the BSCA to examine a variety of technology services such as Internet banking, web hosting, imaging and e-safekeeping, ATM processing, electronic bill pay, and credit card processing. The FDIC, and other members of the Federal Financial Institutions Examination Council (FFIEC), jointly administers IT examinations of all systemically significant TSPs through its IT Subcommittee and the guidance established in the FFIEC IT Examination Handbooks.

The FFIEC IT Subcommittee directly administers the examination process for the most significant TSPs in a national TSP examination program called Multiregional Data Processing Servicers (MDPS) examinations. Currently there are 17 TSPs in the national MDPS program administered by the FFIEC. These TSPs have multiple examination activities through out the cycle at different facilities resulting in 110 separate examination activities in the 2005/2006 examination cycle. The FDIC is serving as Agency-in-Charge for 58 of those examinations. The IT Subcommittee meets at least monthly to discuss relevant issues related to the examination process and issues related to TSPs. A monthly MDPS tracking report is updated and monitored by the FFIEC.

In addition to the national MDPS program, each FFIEC member agency conducts regional TSP examinations administered at the regional level. Many of these examinations are also conducted on an interagency basis. The regional representatives for each agency meet regularly to identify and schedule regional TSP examinations. A global list of all the regional TSP examinations is updated on an annual basis in the I" quarter of the year and shared among agencies at a national level. Currently, the FDIC is serving as Agency-in-Charge of over 77 regional TSP examinations and participating in many more led by other agencies.

Examiner Guidance

The standards and guidelines for the national and regional TSP examinations are determined on an interagency basis and published in the FFIEC IT Examination Handbooks. This guidance is updated on a two year cycle to identify new examination and risk identification techniques. For example, in February 2006, the FFIEC issued an updated Examination Priority Ranking Sheet (EPRS) as part of the new Risk-Based Examination Priority Ranking Program (RB-EPRP).

MDPS and regional TSP reports of examination are shared with other agencies in accordance with standards and procedures outlined in the FFIEC IT Examination Handbooks. Each agency stores and tracks the results of examinations. The FDIC's centralized database called the Virtual Supervisory Information on the Net (ViSION) is used to store examination information.

The standards and guidelines for conducting IT examinations of financial institutions are published in the FDIC's Information Technology Risk Management Program (IT-RMP). IT-RMP is a risk-based examination process which incorporates a variety of optional work programs such as the IT General Workprogram. These work programs address a variety of information security issues including GLBA and the notification requirements of the BSCA (section 7(c)(2)).

Industry Guidance

In addition to the joint FFIEC IT Examination Handbooks, the FDIC has issued a wide variety of guidance to the industry related to information security or preventing identity theft. In the last five years the FDIC has issued guidance on foreign and domestic outsourcing, authentication, spyware, phishing, pharming, customer response programs, disposal of customer information, software due diligence, instant messaging, patch management, pre-text calling, and more.

DSC also develops and coordinates outreach events and conducts research on identity theft and data security issues beneficial to the banking industry and consumers. As a result of recent FDIC studies regarding identity theft, the FDIC effected interagency guidance, in October 2005, requiring financial institutions and their TSPs to improve authentication methods for high-risk transactions that could result in identity theft, or allow fraud resulting from credential theft.

OIG FINDINGS, RECOMMENDATIONS AND DSC RESPONSES

Finding A: Inventory of TSPs

The OIG draft report concluded that:

DSC does not have a current, accurate, and complete inventory of TSPs that are used by FDIC-supervised institutions and have access to sensitive customer information. Instead, the inventory is largely limited to those TSPs that are subject to separate examinations under FFIEC guidelines. In addition, TSPrelated data, including data related to TSP processing of sensitive customer information, needed to perform thorough risk assessments and make fully informed decisions on examination priorities is not readily available for use in support of the TSP examination process. The primary causes of this condition are (1) outdated guidance to institutions on BSCA compliance, (2) no formal requirement for examiners to assess the adequacy of institution compliance with BSCA notification requirements, and (3) weaknesses in controls for obtaining and maintaining TSP data in the ViSION system from both BSCA notifications and IT examinations.

DSC agrees that improvements should be made. DSC relies upon its well-proven on-site IT examinations of financial institutions as the primary method for identifying a bank's TSP relationships. On-site examiners review the bank's vendor management process and identify relationships with TSPs. Examiners currently enter this information in the FDIC's centralized ViSION database. Our experience has shown that examination data derived from on-site examiner assessment is more complete and reliable than secondary forms of reported data.

The OIG report identified data integrity issues with ViSION. DSC recognizes that data integrity issues did occur as a result of an extensive multipart upgrade and conversion from the FDIC's outmoded legacy system to ViSION carried out in March 2005. Immediately thereafter, DSC implemented a data correction process. The ViSION database listing of TSPs was substantially corrected by the end of 2005 and DSC has a high level of confidence in the current database.

In addition to examination results, DSC utilizes BSCA notifications to ensure that it identifies those TSPs which may impact financial institutions and their customers. These notifications were established under the 1962 BSCA, which requires a financial institution to give its primary federal regulator notice of the existence of TSP relationships "within 30 days of the making of the contract or the performance of the service, whichever comes first." The content and decentralized reporting process for the notifications, as determined by the BSCA, does not correspond well to the advanced technology services and relationships that FDIC examiners encounter today. Thus, DSC considers the notifications to be a less reliable source for identifying TSP relationships. DSC agrees that centralized tracking of these notices would be beneficial. To that end, DSC has created an interim stand-alone database to centralize BSCA notice results. As discussed below, DSC continues its efforts to implement a system that integrates this database with FDIC's VISION database and will discontinue the interim database upon completion.

OIG Recommendations Regarding Finding A and DSC Responses

1. Assess, in conjunction with the other federal banking agencies, regulatory and other options for establishing and maintaining a current, accurate, and complete inventory of TSP information through the use of BSCA notifications, examination results, and other available data. Consideration should be given specifically to the content of BSCA notifications, the initiation and termination of TSP relationships, third-party reviews and other oversight of TSPs, and the processing of sensitive customer information.

DSC agrees that the FDIC would benefit from enhancing the centralized collection of TSP data and has already taken steps to improve the centralized collection of TSP data on both an interagency basis and internally. DSC will assess its options for improving the accuracy and completeness of our inventory of TSP information and will vet the issues raised in this recommendation with the other FFIEC agencies. This action will be completed by March 30, 2007.

2. Revise IT examination guidance to address coverage of financial institution compliance with BSCA notification requirements.

DSC agrees that IT examination procedures should include an option for a compliance review of BSCA notifications and already has included such a review in the IT General Workprogram. As indicated in our response to OIG recommendation number 4 below, DSC will review the IT Officer's Questionnaire for appropriate inclusion of BSCA notification requirements. This action will be completed and enhanced guidance will be issued by March 30, 2007.

3. Establish policy and procedures for updating ViSION with information from BSCA notifications and the results of IT examinations, and discontinue use of a separate database for tracking these notifications.

DSC agrees with this recommendation as it reflects current system development plans. The separate database is an interim solution until the data can be incorporated into the ViSION database. DSC will propose to the appropriate FDIC committees that the FDIC develop a centralized collection system to add BSCA notifications to the ViSION architecture. DSC will complete this action by March 30, 2007.

4. Establish controls as part of DSC's implementation of the FDIC Data Stewardship Program to ensure the reliability and usefulness of TSP data in VISION. Consideration should specifically be given to:

• Modifying the Technology Profile Script, Officer's Questionnaire, and IT ViSION Template to identify all TSPs used by a financial institution and the relevant risk factors, including those that process sensitive customer information and third-party review results.

DSC agrees with the intent of this recommendation and has identified a preferred alternative. The purpose of the Technology Profile Script is to identify the complexity of technology wholly within the financial institution for the purpose of assigning an appropriate skilled examiner to examine the data center within the financial institution. Thus, DSC does not believe that modifying this specific Technology Profile Script form is the best solution for identifying risks within a TSP and ensuring data reliability.

As an alternative action, DSC will review the IT Officer's Questionnaire and include a self assessment item for BSCA notification requirements where appropriate. This action will be completed by March 30, 2007. Additionally, as risk ranking methods for TSPs are determined on an interagency basis; DSC will evaluate and consider additional risk ranking measures for TSPs and will propose any relevant findings to the FFIEC IT Subcommittee for consideration. This action will also be completed by March 30, 2007,

• Validating, as part of the supervisory process, TSP information in the VISION IT Examination Module.

DSC agrees that data integrity is important and has already completed a data integrity validation process as part of its system conversion process which eliminated many of the errors noted in the draft report. DSC will review our current TSP controls and consider the opportunity for further enhancement. If enhancements are needed they will be implemented to ensure the continued data integrity of ViSION data. These actions will be completed by March 30, 2007.

• Enhancing the VISION report retrieval process to allow for the retrieval of information by TSP, to include data on all financial institutions serviced, as well as by institution, to include all TSPs used.

DSC evaluated this recommendation and determined that the ViSION database currently allows the report generating function as described by the OIG. ViSION capability currently includes the ability to report all TSPs for a given institution and all institutions serviced by a given TSP. No DSC action is warranted given that the recommended data retrieval process is available and functioning properly.

Finding B: Obtaining and Completing Examination Priority Ranking System (EPRS) Information

The OIG draft report concluded in part that:

The FDIC's participation in the risk-based supervisory process of TSPs used by the federal banking agencies could be improved. The FDIC was not always obtaining and completing EPRS information used in scheduling and prioritizing TSP examinations in accordance with FFIEC guidance. In addition, FDIC guidance does not address the agencies' consideration of the TSPs' processing of sensitive customer information when ranking TSPs as part of the EPRS process. As a result, FFIEC decisions and FDIC input into those decisions on the risks posed by TSPs and the frequency and extent of TSP examinations could lack sufficient support.

The OIG's observations were based upon sampling results that were derived from the interagency pilot program that covered EPRS information processes. Under the pilot program the EPRS was not a mandatory part of the Report of Examination. After sufficient testing, a new Risk Based-Examination Priority Ranking Program (RB-EPRP) was adopted by the FFIEC and made permanent through the issuance of an FFIEC memorandum dated February 13, 2006. The program was officially distributed to FDIC examiners through DSC RD Memorandum 06-013 published on May 1, 2006. The provisions of the program now extend to all TSPs and the ranking form, previously called the EPRS, will be the first two pages of the confidential section of the TSP Report of Examination. The TSP IT Handbook is currently being rewritten, by the FFIEC to include the new procedures. As a result, supervisory decisions based upon this data now have sufficient support.

OIG Recommendations Regarding Finding B and DSC Responses

5. Issue supplemental guidance to the TSP Handbook on the completion and sharing of EPRSs among the federal banking agencies and the consideration of TSPs' processing of sensitive customer information in assigning risk factors to the TSPs.

As described above, supplemental guidance has been issued by the FFIEC and the FDIC. Additionally, FDIC will raise the topic of including "sensitive customer information" in the risk ranking method to the FFIEC IT Subcommittee for discussion and consideration. This action will be completed by September 30, 2006.

6. Assess the merits of implementing an automated process, including the use of ViSION, for collecting, storing, monitoring, and sharing EPRSs and other TSP-related information with the other federal banking agencies comprising the FFIEC.

The FFIEC is currently reviewing the technical feasibility of adopting a system for entering and sharing RB-EPRP form data between agencies. DSC will forward this OIG recommendation to the FFIEC IT Subcommittee for interagency review and consideration. DSC will complete this action by September 30, 2006.