Agree 100% with Andrew's comments; our process almost exactly mirrors what he outlines. We have a process to update ROEs from our banking regulator, the FDIC, annually. We track our vendors that are FFIEC TSP (Technology Service Provider) or SSP (Significant Service Provider). We submit a listing of new vendors that we think might also be TSP or SSP as part of our annual ROE request to capture any that are new. The volume of vendors that are TSP or SSP is pretty small, so currently, out of our 900+ vendor inventory, 6 are considered TSP or SSP.
We do have a process to follow up on Tier 1 findings and required remediations. You definitely want to ensure that your process closes the loop and documents not only that you are requesting these reports but also that you are reviewing and taking necessary risk-based action.
TSP examination report (technology service provider) or SSP (Significant Service Provider) examination report: regulatory agencies under FFIEC examine core banking technology or service providers of financial institutions every 24 months to every 48 months, depending on risk profile. The SSP or TSP is not legally allowed to provide a copy of the ROE to anyone.
- TSP ROE (Report of Examination) should be requested from your banking regulator annually.
- Serviced financial institutions are able to obtain a copy of the open section of the TSP ROE (not eligible for the confidential section) as long as they have a valid and current contract with the TSP as of the date of examination.
Good discussion on this topic!
Shelly
------------------------------
Shelly Chase
VP Operational Risk
------------------------------
Original Message:
Sent: 07-26-2023 09:09 AM
From: Andrew Jones
Subject: Examination reports
We give a listing of our critical service providers to the FDIC requesting the Report of Examination (ROE). The FDIC will ask to see the contracts and the date they were signed. This is so they can provide you with any Exam reports between now and the date they were signed.
The FDIC can send you these reports by email with a cover letter for you to sign. These reports are strictly confidential. The vendor cannot share them, and neither can you. You may only share them with appropriate team members and the Business Line.
During your Examination, the FDIC will ask you about the reports you were given and if you followed up with the vendor and tracked their remediation efforts.
Original Message:
Sent: 7/26/2023 8:55:00 AM
From: Gene Fox
Subject: RE: Examination reports
Keep in mind that I am answering from a banking perspective, and since the question included the FDIC, I assumed that the person was from the banking industry. With that said, I do agree that regulatory examinations are required to be confidential; I disagree on other audits and examinations - that is why there are NDAs and confidentiality clauses in the contracts. If there are risks that are identified through the exams/audits that could pose a risk to our Bank, we need to be, and are expected to be, aware of them (as I said, both the FDIC and Texas stated as much during our call). Per the Interagency Guidelines issued in June: "It is also important to consider whether the third party's controls and operations are subject to effective audit assessments, including independent testing and objective reporting of results and findings. Banking organizations also gain important insight by evaluating the processes for escalating, remediating, and holding management accountable for concerns during audits, internal compliance reviews, and other independent tests, if available."
And in the Interagency Guidance for Contracting: "Therefore, it is appropriate to consider whether contract provisions describe the types and frequency of audit reports the banking organization is entitled to receive from the third party (for example, SOC Reports, Payment Card Industry (PCI) compliance reports, or other financial and operational reviews)."
Also in the Interagency Guidance for Contracting: "It is also important for the contract to provide the banking organization with the right to monitor and be informed about third party's compliance with applicable laws and regulations, and to require remediation if issues arise."
Original Message:
Sent: 07-26-2023 08:35 AM
From: Katherine Coffield
Subject: Examination reports
We are a large financial organization and we never provide any audit/exam results or action plans, as these are confidential. We refer the client to our Annual Report and SEC 10-K, which are public. It should be a "red flag" if an organization supplies the keys to the kingdom, because then the bad actors also have the same information concerning a company's weaknesses.
Original Message:
Sent: 07-26-2023 08:28 AM
From: Gene Fox
Subject: Examination reports
Funny, I just met with the FDIC and Texas State regulators - their expectation is that we do ask for audits, exams, results, issues, action plans, etc. - the third party may not provide it and if they do not, that is a red flag. They should at least provide a memo stating that they have been examined and that there were no significant issues or such. With regard to financial institution examinations, the FDIC stated that we should go to them for examinations of other financial institutions.
Original Message:
Sent: 07-25-2023 05:43 PM
From: Anonymous Member
Subject: Examination reports
This message was posted by a user wishing to remain anonymous
Hello,
These questions are for financial institutions:
Is it possible to request examination reports from our vendors?
Do we have to make these requests through the FDIC?
When do you consider requesting these reports? What type of vendors?
Are these reports timely and relevant to our due diligence?
Your inputs are greatly appreciated.