Outsourcing IT and Business Processes: A Supervisory Primer

Banking organizations' use of third-party service providers is not new. However, recent trends—such as an increase in the scope of IT outsourcing arrangements, the growth of business process outsourcing and the rise in cross-border arrangements—have generated increased focus on outsourcing.

This primer aims to bring together and summarize existing supervisory and recent industry publications related to outsourcing. It is organized as follows:

| Guidance | Date | Title, Link and summary |
|---|---|---|
| FFIEC [1] IT Examination Handbook | July 20, 2004 | Outsourcing Technology Services Booklet. Summary: This new Booklet supplements the November 2000 issuance, "Risk Management of Outsourced Technology Services," and is one of a series of 12 IT Handbook Booklets that are being issued as revisions to the 1996 Information Systems Handbook. It discusses how institutions should manage outsourced information technology relationships, from an initial risk assessment through ongoing monitoring. It also includes discussions on special topics, such as business continuity, information security, multiple service provider relationships and outsourcing to foreign service providers. FFIEC Handbooks can be viewed or downloaded from the FFIEC IT Handbook InfoBase. |
| FFIEC, announced via Federal Reserve Supervisory Letter SR 00-17 | Nov 20, 2000 | Guidance on the Risk Management of Outsourced Technology Services. Summary: The guidance outlines the processes banks should use to manage the risks associated with outsourcing technology services and discusses four key elements of such processes—risk assessment, selection of service providers, contract reviews and monitoring the service provider relationship. This guidance contains many of the same sound practices and recommendations set forth in SR Letter 00-04, "Outsourcing of Information and Transaction Processing," which was issued by the Federal Reserve on February 29, 2000. |
| Federal Reserve Supervisory Letter SR 00-04 | Feb 29, 2000 | Outsourcing of Information and Transaction Processing. Summary: This SR letter reiterates and clarifies the Federal Reserve's expectations regarding the management of outsourced information and transaction processing activities by banking organizations, either to affiliated institutions or third-party service providers. Operations addressed under this supervisory letter include the origination, processing, and settlement of payments and financial transactions, information processing related to customer account creation and maintenance, as well as other information and transaction processing activities that support critical banking functions, such as lending, deposit-taking, fiduciary, or trading activities. The scope of SR 00-04 is broader than that of SR 00-17. For example, it contains a section, "International Considerations," that discusses, among other topics, supervisory access to information regarding the outsourced activity ("...the Federal Reserve expects that these arrangements will be established in a manner that does not diminish the ability of U.S. supervisors to review effectively the domestic or foreign operations of U.S. banking organizations and the U.S. operations of foreign banking organizations"). |
| OCC Bulletin 2002-16 | May 15, 2002 | Risk Management Guidance for Banks that Use Foreign-Based Third-Party Service Providers (MS Word, 2 pages / 30 KB). Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations. |
| OCC Bulletin 2001-47 | Nov 1, 2001 | Third Party Relationships: Risk Management Principles (MS Word, 17 pages / 91 KB). Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. It supplements, but does not replace, previous guidance on third-party risk. The principles presented are largely derived and adapted from supervisory principles that the OCC or the federal banking agencies have already issued. A bank's use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Many third-party relationships should be subject to the same risk management, security, privacy, and other consumer protection policies that would be expected if a national bank were conducting the activities directly. |
| OTS Thrift Bulletin TB-82 | Mar 18, 2003 | Third Party Arrangements (23 pages / 152 KB). Summary: This document provides guidance on third-party arrangements, whether they occur between affiliated or unaffiliated entities. The bulletin informs institutions that the OTS expects directors and management to effectively manage risks that arise from all types of third-party arrangements. It also notifies thrifts that OTS examiners will review internal controls and management of third-party arrangements during the course of regularly recurring safety and soundness examinations, and will request appropriate corrective action, when needed, to ensure that the arrangements satisfy safety and soundness standards. |
| FDIC Financial Institution Letter 50-2001 | Jun 4, 2001 | Effective Practices for Selecting a Service Provider. Summary: This document is intended to serve as a resource for banks in addressing specific challenges relating to selecting an information technology service provider. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers. |
| FDIC Financial Institution Letter 50-2001 | Jun 4, 2001 | Techniques for Managing Multiple Service Providers. Summary: This document is intended to serve as a resource for banks in addressing specific challenges relating to managing multiple information technology outsourcing arrangements. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers. |
| FDIC Financial Institution Letter 50-2001 | Jun 4, 2001 | Tools to Manage Technology Provider's Performance Risk: Service Level Agreements. Summary: As community banks outsource more of their mission-critical applications, properly managing the relationships between financial institutions and technology service providers becomes increasingly important. This brochure discusses the Service Level Agreement (SLA) as an effective tool for managing the risks associated with technology outsourcing and describes practices for measuring and monitoring service providers' performance. |
| FRBNY White Paper | Sep 29, 1999 | Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks (24 pages / 109 KB). Summary: This paper summarizes industry practices to manage and mitigate the applicable risks. It reviews outsourcing, or the use of third-party service providers, as a business strategy that is being considered more frequently by financial institutions as they respond to an increasingly competitive marketplace. This paper laid the groundwork for subsequent supervisory guidance issued by the Federal Reserve and other banking agencies. |
| OCC White Paper | Aug 13, 2003 | |
| BIS White Paper | Jul 1, 2003 | Management and Supervision of Cross-Border Electronic Banking Activities (21 pages / 97 KB). Summary: The purpose of this paper is to identify banks' risk management roles and responsibilities with respect to cross-border E-Banking. Additionally, the paper focuses on the need for effective home country supervision of cross-border activities as well as continued international cooperation between banking supervisors regarding such activities. |
| | Nov 10, 2003 | The 2003 BITS Framework for Managing Technology Risk for Information Technology (IT) Service Provider Relationships (125 pages / 622 KB). Summary: This 124-page paper provides a comprehensive "Framework" for developing and managing outsourced relationships. It consists of 9 sections that address topics such as the business decision to outsource IT services (Section 2), due diligence considerations (Section 4), contractual, service level and insurance considerations (Section 5) and considerations for cross-border outsourcing (Section 9). Its 7 appendices include a mapping of the BITS Framework to Federal banking agency guidelines (Appendix 2) and a Disaster Recovery/Business Continuity Matrix (Appendix 5). |
| BITS Expectations Matrix | Aug 1, 2003 | BITS Service Provider Expectations Matrix: Review of Audit and Assessment Methodologies for Financial Institutions (MS Word, 51 pages / 518 KB). Summary: The document notes that many service providers supply receiver companies with security assessments or audit reports to help the receiver company understand the appropriateness of the service provider's controls. However, receiver companies often perform their own due diligence and review processes to fill gaps in their assessment requirements, and service providers often receive additional, and sometimes inconsistent, demands for information about their operations from multiple receiver companies. The purpose of this matrix is to provide financial institutions, service providers, and audit and assessment organizations with a comprehensive set of expectations to reduce risk, facilitate compliance with regulatory requirements and eliminate gaps in the audit or assessment process. |
[1] The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.

[2] BITS is a consortium that shares membership with the Financial Services Roundtable, which represents the interests of large integrated financial services companies operating in the U.S. Its membership, which is limited to approximately 100 firms, consists of representatives from the bank-based, insurance, securities and diversified industry sectors.