Supervision of Technology Service Providers

FFIEC IT Examination Handbook - TSP Supervision Booklet

Completion Progress0 / 17 Controls

Track your critical vendor oversight program

Overall Completion0%

TSP Identification & Classification

0 of 4 controls verified

Complete

Critical TSPs identified and documented in vendor inventory

High Risk

TSP criticality assessment based on systemic impact and customer reach

High Risk

Concentration risk analysis for shared TSP dependencies

High Risk

Annual review of TSP classification and criticality ratings

Medium Risk

TSP Oversight & Monitoring

0 of 5 controls verified

Complete

Enhanced due diligence for critical TSPs including financial reviews

High Risk

Independent audit reports (SOC, SSAE 18) reviewed annually

High Risk

TSP business continuity and disaster recovery capabilities validated

High Risk

TSP security incident notification and escalation procedures tested

High Risk

Quarterly TSP performance and risk reviews conducted

Medium Risk

Examination & Audit Rights

0 of 4 controls verified

Complete

Right-to-audit clauses in TSP contracts allowing regulator access

High Risk

TSP examination results shared with member institutions

High Risk

Internal audit reviews of TSP controls and reports

Medium Risk

Follow-up on TSP examination findings and remediation tracking

High Risk

Business Continuity & Contingency

0 of 4 controls verified

Complete

TSP failure contingency plans documented and tested

High Risk

Alternative TSP arrangements evaluated for critical services

High Risk

TSP transition procedures documented including data portability

Medium Risk

Communication protocols for TSP service disruptions established

High Risk

Examiner Expectations

Critical TSP Identification

Institutions must identify and track critical TSPs based on systemic impact, customer reach, and concentration risk. Enhanced oversight required for vendors serving multiple institutions.

Independent Audit Reviews

Annual review of TSP SOC reports, examination results, and security assessments. Document review findings and follow up on exceptions or deficiencies with remediation tracking.

Contingency Planning

Documented contingency plans for critical TSP failures including alternative arrangements, transition procedures, and communication protocols. Test contingency plans periodically.