Outsourcing IT and Business Processes: A Supervisory Primer

Banking organizations' use of third-party service providers is not new. However, recent trends—such as an increase in the scope of IT outsourcing arrangements, the growth of business process outsourcing and the rise in cross-border arrangements—have generated increased focus on outsourcing.

This primer aims to bring together and summarize existing supervisory and recent industry publications related to outsourcing. It is organized as follows:

Guidance / Date / Title, link and summary

Interagency Guidance
FFIEC1 IT Examination Handbook

July 20, 2004
Outsourcing Technology Services Booklet

Summary: This new Booklet supplements the November 2000 issuance, "Risk Management of Outsourced Technology Services," and is one of a series of 12 IT Handbook Booklets that are being issued as revisions to the 1996 Information Systems Handbook. It discusses how institutions should manage outsourced information technology relationships, from an initial risk assessment through ongoing monitoring. It also includes discussions on special topics, such as business continuity, information security, multiple service provider relationships and outsourcing to foreign service providers. FFIEC Handbooks can be viewed or downloaded from: FFIEC IT Handbook InfoBase

FFIEC, announced via Federal Reserve Supervisory Letter SR 00-17

Nov 20, 2000
Guidance on the Risk Management of Outsourced Technology Services

Summary: The guidance outlines the processes banks should use to manage the risks associated with outsourcing technology services and discusses four key elements of such processes—risk assessment, selection of service providers, contract reviews and monitoring the service provider relationship. This guidance contains many of the same sound practices and recommendations set forth in SR Letter 00-04, "Outsourcing of Information and Transaction Processing," which was issued by the Federal Reserve on February 29, 2000.

Agency Guidance
Federal Reserve Supervisory Letter SR 00-04
Feb 29, 2000
Outsourcing of Information and Transaction Processing

Summary: This SR letter reiterates and clarifies the Federal Reserve's expectations regarding the management of outsourced information and transaction processing activities by banking organizations, either to affiliated institutions or third-party service providers. Operations addressed under this supervisory letter include the origination, processing, and settlement of payments and financial transactions, information processing related to customer account creation and maintenance, as well as other information and transaction processing activities that support critical banking functions, such as lending, deposit-taking, fiduciary, or trading activities. The scope of SR 00-04 is broader than that of SR 00-17. For example, it contains a section, "International Considerations," that discusses, among other topics, supervisory access to information regarding the outsourced activity ("...the Federal Reserve expects that these arrangements will be established in a manner that does not diminish the ability of U.S. supervisors to review effectively the domestic or foreign operations of U.S. banking organizations and the U.S. operations of foreign banking organizations").

OCC Bulletin 2002-16
May 15, 2002
Risk Management Guidance for Banks that Use Foreign-Based Third-Party Service Providers (MS word)
2 pages / 30 kb

Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank’s operations.

OCC Bulletin 2001-47
Nov 1, 2001
Third Party Relationships: Risk Management Principles (MS word)
17 pages / 91 kb

Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. It supplements, but does not replace, previous guidance on third-party risk. The principles presented are largely derived and adapted from supervisory principles that the OCC or the federal banking agencies have already issued. A bank’s use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Many third-party relationships should be subject to the same risk management, security, privacy, and other consumer protection policies that would be expected if a national bank were conducting the activities directly.

OTS Thrift Bulletin TB-82
Mar 18, 2003
Third Party Arrangements
23 pages / 152 kb

Summary: This document provides guidance on third party arrangements, whether they occur between affiliated or unaffiliated entities. The bulletin informs institutions that the OTS expects directors and management to effectively manage risks that arise from all types of third party arrangements. It also notifies thrifts that OTS examiners will review internal controls and management of third party arrangements during the course of regularly recurring safety and soundness examinations, and will request appropriate corrective action, when needed, to ensure that the arrangements satisfy safety and soundness standards.

FDIC Financial Institution Letter 50-2001
Jun 4, 2001
Effective Practices for Selecting a Service Provider

Summary: This document is intended to serve as a resource for banks in addressing specific challenges relating to selecting an information technology service provider. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.

FDIC Financial Institution Letter 50-2001
Jun 4, 2001
Techniques for Managing Multiple Service Providers

Summary: This document is intended to serve as a resource for banks in addressing specific challenges relating to managing multiple information technology outsourcing arrangements. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.

FDIC Financial Institution Letter 50-2001
Jun 4, 2001
Tools to Manage Technology Provider's Performance Risk: Service Level Agreements

Summary: As community banks outsource more of their mission critical applications, properly managing the relationships between financial institutions and technology service providers becomes increasingly important. This brochure discusses the Service Level Agreement (SLA) as an effective tool for managing the risks associated with technology outsourcing and describes practices for measuring and monitoring service providers’ performance.

Agency White Papers
FRBNY White Paper
Sep 29, 1999
Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks
24 pages / 109 kb

Summary: This paper summarizes industry practices to manage and mitigate the applicable risks. It reviews outsourcing, or the use of third-party service providers, as a business strategy that is being considered more frequently by financial institutions as they respond to an increasingly competitive marketplace. This paper laid the groundwork for subsequent supervisory guidance issued by the Federal Reserve and other banking agencies.

OCC White Paper
Aug 13, 2003
Cross-Border Outsourcing and Risk Management for Banks
10 pages / 104 kb

Summary: This article outlines the risk management challenges banks face when information technology and business processes are outsourced to offshore locations.

BIS White Paper
Jul 1, 2003
Management and Supervision of Cross-Border Electronic Banking Activities
21 pages / 97 kb

Summary: The purpose of this paper is to identify banks' risk management roles and responsibilities with respect to cross-border E-Banking. Additionally, the paper focuses on the need for effective home country supervision of cross border activities as well as continued international cooperation between banking supervisors regarding such activities.

Industry Guidance
BITS2-Framework
Nov 10, 2003
The 2003 BITS Framework for Managing Technology Risk for Information Technology (IT) Service Provider Relationships
125 pages / 622 kb

Summary: This paper provides a comprehensive "Framework" for developing and managing outsourced relationships. It consists of 9 sections that address topics such as the business decision to outsource IT services (Section 2), due diligence considerations (Section 4), contractual, service level and insurance considerations (Section 5) and considerations for cross-border outsourcing (Section 9). Its 7 appendices include a mapping of the BITS Framework to federal banking agency guidelines (Appendix 2) and a Disaster Recovery/Business Continuity Matrix (Appendix 5).

BITS Expectations Matrix
Aug 1, 2003
BITS Service Provider Expectations Matrix: Review of Audit and Assessment Methodologies for Financial Institutions (MS word)
51 pages / 518 kb

Summary: The document notes that many service providers supply receiver companies (the financial institutions that consume their services) with security assessments or audit reports to help the receiver company judge the appropriateness of the service provider's controls. However, receiver companies often perform their own due diligence and review processes to fill gaps in their assessment requirements, and service providers often receive additional, and sometimes inconsistent, demands for information about their operations from multiple receiver companies. The purpose of this matrix is to provide financial institutions, service providers, and audit and assessment organizations with a comprehensive set of expectations to reduce risk, facilitate compliance with regulatory requirements and eliminate gaps in the audit or assessment process.

1 The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.
2 BITS is a consortium that shares membership with the Financial Services Roundtable, which represents the interests of large integrated financial services companies operating in the U.S. Its membership, which is limited to approximately 100 firms, consists of representatives from the bank-based, insurance, securities and diversified industry sectors.