This regular feature focuses on developments that affect the bank examination function. We welcome ideas for future columns, and readers can e-mail suggestions to supervisoryjournal@fdic.gov.
An increasing number of insured institutions are outsourcing software development and maintenance, data processing, and other information technology (IT) services to technology service providers (TSPs); in many cases, these outsourced services are critical to bank and thrift daily operations. Key components of the payments system, including credit card services and automated teller machine (ATM) networks, also are operated and managed by TSPs. Because of the vital role of TSPs in the safe and sound operation of many insured depository institutions, the Federal Financial Institutions Examination Council (FFIEC) has established a process for examining these companies.
This risk-focused examination process considers all available supervisory information in the development of a TSP's risk profile. However, the results of a project conducted by the FDIC suggest that the identification and evaluation of publicly available information sources would benefit the examination planning process. This article provides an overview of the potential risks TSPs pose to insured institutions, describes the current examination approach to reviewing TSPs' services, and offers a framework for incorporating publicly available information into the examination process.
Assessing the Risk Profile of Third Party TSPs
During the past several years, major TSP firms have grown significantly, relying on acquisitions to expand business and product lines and add new ones, with some firms now serving about 2,000 institutions.1 Aggressive acquisition strategies, while promoting economies of scale, also may pose downside risks for individual TSPs and their clients. For example, a flawed acquisition strategy may weaken the financial condition of the acquirer, or a poorly planned integration could heighten operational or security risk. In addition, the level of concentration risk to bank clients may increase as individual TSPs expand through mergers and acquisitions. Any financial or operational problem these larger firms experience undoubtedly would affect a greater number of clients. Furthermore, the degree of disruption to a single client bank's operations could worsen dramatically, depending on the seriousness of the issues facing the TSP.
Services conducted by TSPs for their bank clients fall within the purview of bank examiners. The Bank Service Company Act grants Federal financial regulators the statutory authority to supervise the activities and records of a bank or thrift—regardless of whether the institution or a third party performs the activities.2 Bank supervisors recognize the potential risks posed by TSPs to the banking industry and have developed and implemented appropriate examination policies and procedures.
The National Examination Program
The FFIEC's national examination program (NEP) examines multi-regional data processing servicers (MDPS) and conducts shared application software reviews (SASR). A TSP is considered for the MDPS program if it processes critical applications, such as general ledger or loan and deposit systems, for a large number of financial institutions with multiple regulators or geographically dispersed data centers. The SASR program uses interagency resources to review major stand-alone and turnkey software packages that involve critical applications used by a significant number of financial institutions.3 The NEP is based on the concept of ongoing, risk-based supervision. This program identifies those TSPs that warrant examination and develops a supervisory strategy for each company that reflects the level and direction of key risk areas.
As part of the FFIEC's examination program, data about the operations of a TSP are captured on an "Examination Priority Ranking Sheet." The FFIEC uses this information to determine supervisory priorities based on the TSP's business line risks, client base, and the adequacy of internal controls and risk management practices.4 This ranking sheet provides a framework for examiners to use in assessing the following risk categories: number of clients, previous examination's Uniform Rating System for Information Technology (URSIT) rating, adequacy of oversight of audit reporting provided by client banks, reliability of the technology used by the TSP, and any previously reported problems (see Table 1).5
| TSP Risk Categories Worksheet | |||||||
|---|---|---|---|---|---|---|---|
| TSP Risk Category | |||||||
| Factor | Higher Risk: | Average Risk: | Lower Risk: | NA* | |||
| 1 | Large client base (250 or more supervised financial institutions, or based on other measures, e.g., aggregate client assets affected, transaction volume). | Moderate-sized client base (at least 25 but not more than 249 supervised financial institutions, or based on other measures, e.g., aggregate assets affected, transaction volume). | Small client base (less than 25 supervised financial institutions, or based on other measures, e.g., aggregate client assets affected, transaction volume). |  |
|||
| 2 | Company rated URSIT 3, 4, or 5 at last examination. | Company rated URSIT 2 at last examination. | Company rated URSIT 1 at last examination. | |
|||
| 3 | Client institutions do not provide effective oversight; SAS 70 reports and other audit reviews are not comprehensive. | Client institutions provide limited oversight; SAS 70 reports and audits cover most areas. | Client institutions provide effective oversight; SAS 70 reports and other audit reviews are comprehensive. | |
|||
| 4 | Company is using new or untested technology or products. Company is undergoing significant organizational change. | Company is using stable technology and products but implements significant upgrades. Company has minimal organizational changes. | Company is using stable technology and products. Company has stable organizational structure. | |
|||
| 5 | Client institutions or their examiners have reported problems or concerns that require supervisory follow-up. | Client institutions or their examiners have reported minimal problems or concerns that require supervisory follow-up. | Client institutions or their examiners have reported no problems or concerns that require supervisory follow-up. | |
|||
| *If NA briefly explain in comment section below | |||||||
Based on the information collected on this worksheet as well as from other supervisory activities and third party reports, such as external audits, examiners develop an initial TSP risk profile and assign a risk ranking (Higher, Average, or Lower) for each category. These rankings then translate into an examination priority rating of A, B, or C that determines the frequency and scope of on-site examinations and off-site monitoring; the relationships of the risk rankings to the examination priority ratings are shown in Table 2.
| Examination Priority Rating Matrix | |||
|---|---|---|---|
| Agency-in-Charge Recommended Examination Priority: | A _________ B _________ C _________ NA* _________ | ||
| Business Line Risk Higher |
Business Line Risk Average |
Business Line Risk Lower |
|
| Service Provider Risk Higher |
Examination Priority A |
Examination Priority A |
Examination Priority B |
| Service Provider Risk Average |
Examination Priority A |
Examination Priority B |
Examination Priority C |
| Service Provider Risk Lower |
Examination Priority B |
Examination Priority C |
Examination Priority C |
| *Not Applicable ranking refers to a service provider not warranting interagency examination—not all service providers must be ranked A, B, or C. | |||
Overall, this approach has served examiners well as they plan and scope examinations of TSPs. However, supplementing these programs with research from publicly available sources may enhance examiners' understanding of TSP risk profiles.
The Value of Information from Public Sources
Insight into the financial condition, reputation, and strategic focus of large, publicly traded companies, including TSPs, can be gleaned from an analysis of publicly available information, such as financial statements and Securities and Exchange Commission (SEC) filings, securities analyst and debt rating agency reports, news reports and press releases, consulting firm reports, and company websites.
Large TSPs often have ancillary business lines, and examiners may want to know whether any problems in these other business lines are weakening the parent company's financial health or diverting management's attention. Evaluating the TSP's contribution to parent company revenues and earnings can provide insight into the TSP's strategic importance.
Supervisory (nonpublic) information, such as risk assessments and auditor findings, reviewed before an examination may provide details about a TSP's risk profile that are not available from public information sources. A review of recent examination findings may help an examiner focus his or her efforts, such as in the case of a TSP that had been criticized for lax security procedures. However, supervisory information alone may not provide a comprehensive picture of the TSP's operations and strategic direction. For example, when examination findings are supplemented with publicly available information about a TSP's recent acquisitions, supervisory concerns may arise about the acquirer's ability to integrate disparate systems and corporate cultures or the potential for management's attention to be diverted from maintaining the highest levels of security.
A review of public information can broaden an examiner's understanding of the financial condition and operational issues facing a TSP, particularly when the TSP is engaged in business lines outside traditional banking services. For example, the examination may conclude that all of the TSP's bank services lines are well managed and financially viable; yet information gleaned from publicly available sources, such as analysis of acquisitions and divestitures, may show that the bank services line is no longer a strategic priority for the firm, suggesting a potential change in company focus, capital investment, or other factors affecting the company's risk profile. Overall, the analysis of public information, along with a review of examination findings, should strengthen examiners' evaluation of the level and direction of operational or concentration risk facing a TSP's clients.
A Framework for Strengthening the Review of TSPs
The benefits of considering supervisory and publicly available information about a TSP's operations were reinforced through the efforts of a team of technology specialists, financial analysts, and economists at the FDIC. Significant publicly available data about nine of the largest TSPs that provide IT services to banks were gathered, analyzed, and supplemented with data gathered through examinations. As a result of this project, additional off-site analytical tools have been identified that will help examiners assess risks specific to these third-party providers. Going forward, the results of this program suggest that monitoring of public sector data and information about major TSPs by analysts and examiners, using the framework developed through this project, will benefit examiners' understanding of the risk profiles of large TSPs.
Table 3 lists public information sources and search tools that can be used to "mine" these sources. Subscription fees may be required, and examiners may find some or all of these sources available through agency-held licenses.
| Sources of Public Information on TSPs | |||||
|---|---|---|---|---|---|
Financial Data for Publicly Traded Companies
|
|||||
Financial Analysis on Publicly Traded Companies
|
|||||
| Press Reports—may be obtained through online searches of databases available through Factiva, American Banker, ProQuest, Business Source Elite, Lexis/Nexis, and Google. The Stanford Law School Class Action Clearinghouse provides information on class action lawsuits. | |||||
| Company Websites—often feature annual reports and press releases that provide information on acquisitions or changes in corporate structure, current management, location of headquarters and major facilities, product lines, how a company fits into the larger industry, and the results of any analyst conference calls. | |||||
| IT Consulting Firm Reports—reports issued by firms such as Gartner, TowerGroup, Forrester, and Celent that provide information about the current business environment and IT product quality. | |||||
An analysis of these information sources can help examiners assess a TSP's financial condition, corporate profile, and any pertinent regulatory and legal issues more completely and should address the following areas:
- Financial analysis focused on revenue growth, revenue growth compared with that of other companies in the industry, income during the past three to seven years, long-term debt ratings, the relationship between long-term debt and shareholders' equity, and profitability.
- A corporate profile of the TSP developed by identifying its business lines and products, supplemental or complementary lines of business, managerial experience related to business lines, areas of financial strength, how recent acquisitions or divestitures relate to the business plan, description of key risk areas, and reputation in the marketplace. Examiners can refer to regulatory filings, analyst reports, the financial press, and company-specific information to develop this profile.
- A review of legal or regulatory actions may identify those that could affect key product lines, the TSP's business viability, or the TSP's banking clients. For example, recent court rulings relating to the major credit card consortia may introduce new competition that could drive down processing fees and hurt earnings. A TSP's inability to meet the internal control deadlines imposed by the Gramm-Leach-Bliley Act could require additional attention during the examination process.
- An analysis of stock buying and selling patterns may provide insight into informed insider or institutional investor opinion about a TSP's financial stability. A review of incidences of insider trading (as reported to the SEC), average short interest, and trends and dramatic changes in stock prices is useful.
Going Forward...
Review and analysis of public information sources can provide insight into a TSP's strategic direction. Is it likely to be an acquirer or an acquisition target? Types of acquisitions may indicate potential risks or diversification plans. Is any negative press emerging about a particular technology used by a TSP? Combining supervisory information with carefully mined public information will improve the development and maintenance of accurate and meaningful risk profiles. This approach to evaluating TSPs expands the information and data sources available to on-site IT examiners during the pre-examination planning process and strengthens the supervisory response to potential risks posed by these companies.
Douglas W. Akers
Research Assistant,
Division of Insurance and Research
Jay W. Golter
Financial Analyst,
Division of Insurance and Research
Brian D. Lamm
Senior Financial Analyst,
Division of Insurance and Research
Martha Solt
Senior Economist,
Division of Insurance and Research
Kathryn M. Weatherby
Examination Specialist,
Division of Supervision and Consumer Protection
1 FDIC and FFIEC confidential databases. Many banks contract with multiple TSPs.
2 Bank Service Company Act (12 U.S.C. 1867).
3 Federal Financial Institutions Examination Council, Information Technology Examination Handbook, "Supervision of Technology Service Providers," March 2003, pp. 15-22.
4 Ibid, B-1-3.
5 The FFIEC agencies use URSIT to assess and rate IT-related risks of financial institutions and TSPs. The primary purpose of the rating system is to identify those entities whose condition or performance of information technology functions requires special supervisory attention. See Federal Financial Institutions Examination Council, Information Technology Examination Handbook, "Supervision of Technology Service Providers," March 2003, pp. 5-6.
6 Ibid, B-2.
7 Ibid, B-2.