FDIC’s Oversight of Technology Service Providers
– Footnotes
July 2006
Audit Report No. 06-015
Footnote 1: According to the Interagency Guidelines Establishing Information Security Standards (Appendix B to Part 364 of the FDIC Rules and Regulations), a service provider “means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.”
Footnote 2: Sensitive customer information is defined by Appendix B to Part 364 of the FDIC Rules and Regulations as a customer’s Social Security number, personal identification number, password, or account number, in conjunction with a personal identifier such as the customer’s name, address, or telephone number. Such information also includes any combination of components of customer information that would allow someone to log on to or access another person’s account, such as a user name and password.
Footnote 3: Codified to 12 U.S.C. 1867. Section 7(c) of the BSCA requires FDIC-insured financial institutions to notify the appropriate federal regulator of the existence of a third-party relationship within 30 days after contracting with, or the performance of the service by, the third party, whichever occurs first.
Footnote 4: IDCs are defined by the FDIC as TSPs that are not owned or controlled by, or otherwise affiliated with, a financial institution.
Footnote 5: In addition to the FDIC, the FFIEC includes the Federal Reserve Board, National Credit Union Administration, Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS).
Footnote 6: This subcommittee is composed of IT examiners representing the five FFIEC member agencies.
Footnote 7: See Appendix II for a summary of laws, regulations, and guidance pertaining to data security at FDIC-insured institutions and related privacy requirements.
Footnote 8: Part 364 of the FDIC Rules and Regulations discusses financial institution oversight of service provider relationships, including monitoring audits and other reviews of TSPs. This oversight is intended to help ensure that institutions and their service providers are meeting the Interagency Guidelines Establishing Information Security Standards, which require an appropriate information security program to be in place to protect customer information.
Footnote 9: In an article in the (summer 2005) FDIC Supervisory Insights, the FDIC noted the benefits of the review and analysis of public information in developing the Corporation’s supervisory response to potential risks at TSPs.
Footnote 10: A “platform” is the hardware or software framework on which software runs. Typical platforms include a computer’s architecture, an operating system, or a programming language together with its runtime libraries.
Footnote 11: The Banking Information Tracking System was previously used by DSC to track financial institution information.
Footnote 12: Of these 28 TSPs, 19 were listed in the SFRO TSP examination plan for 2004-2005. The FDIC was the AIC for 7 of the 19 TSPs, another agency was the AIC for 6 TSPs, and joint examinations were conducted on 6 TSPs designated as MDPSs. Of the seven TSPs for which the FDIC was the AIC, six (86 percent) had a completed EPRS. For the one TSP with an incomplete EPRS, a note attached to the form indicated that no ranking sheet was needed; however, no further explanation was provided, even though this TSP continues to be examined.
Last updated 07/27/2006