Managing Service Provider Relationships and Risks: Questions Concerning Federal Reserve Guidance on Managing Outsourcing Risk
by Roger Pittman, Director of Examinations, Supervision and Regulation, Federal Reserve Bank of Atlanta
The Board of Governors of the Federal Reserve System issued supervisory guidance on managing outsourcing risk on December 5, 2013.1 This article covers some of community bankers’ most frequently asked questions regarding the guidance as well as the supervisory process for reviewing a bank’s outsourcing arrangements.
Was there existing guidance on this topic? Why did the Federal Reserve see a need to issue this guidance?
In 2004, the Federal Financial Institutions Examination Council (FFIEC) issued the booklet “Outsourcing Technology Services” as part of its Information Technology Examination Handbook,2 and the Federal Reserve’s 2013 guidance expands upon this existing guidance. The Federal Reserve’s guidance places particular emphasis on the importance of sound risk management practices for all outsourcing relationships (i.e., not just technology services).
What is the difference between vendors, third-party suppliers, contractors, and service providers?
Terms such as vendor, third-party supplier, contractor, and service provider can each be used to signify a specific type of product, service, or activity that an affiliated or nonaffiliated third party provides to a financial institution. Although these terms are sometimes used interchangeably, the guidance uses service provider because it is relatively all-encompassing and focuses on relationships in which business functions or activities are provided to financial institutions. The guidance also defines a service provider as an entity that may be a bank or a nonbank, affiliated or nonaffiliated, regulated or nonregulated, and domestic or foreign.
Which financial institutions are subject to the Federal Reserve’s guidance?
The Federal Reserve’s guidance applies to all state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations. The Office of the Comptroller of the Currency (OCC)3 and the Federal Deposit Insurance Corporation (FDIC)4 have issued similar guidance for institutions that they supervise.
If a community bank has already implemented risk management practices for outsourcing arrangements to its non–information technology relationships, can the institution assume that it is in compliance with the guidance?
A financial institution’s program may be very close to meeting the 2013 guidance if the current program covers all outsourcing arrangements,5 but it should be reviewed for any existing gaps. Just like the FFIEC’s guidance on outsourcing of information technology, the Federal Reserve’s guidance addresses the core elements of a service provider risk management program as generally including risk assessments, due diligence and selection of service providers, contract provisions, oversight and monitoring, business continuity and contingency plans, and foreign-based service providers. However, the guidance has been updated to include new considerations such as incentive compensation, suspicious activity report filing, internal audit, and model risk management activities.
How frequently should risk assessments be conducted?
A financial institution should consider the criticality of the service and the level of risk when determining the frequency of conducting risk assessments of outsourced business functions or activities. Services with higher levels of risk or greater criticality should be subject to more frequent risk assessment and may also warrant certain types of ongoing monitoring. Risks may also need to be reassessed if the relationship between the service provider and the institution changes.
Are service providers examined, and can banks receive a copy of the reports?
Not all service providers are examined, but a bank can still assess a provider’s internal controls by reviewing independent audits or reports such as the American Institute of Certified Public Accountants’ Service Organization Control (SOC) 2 report.6 A Type 2 SOC 2 report, which tests the operating effectiveness of controls over a review period rather than only their design at a point in time, is the more useful form for ongoing monitoring. Technology service providers (TSPs) are examined jointly by the Federal Reserve, the FDIC, and the OCC (collectively referred to as the agencies). Information technology–related examinations of TSPs are conducted according to the guidelines contained in the “Supervision of Technology Service Providers” booklet, which is part of the FFIEC Information Technology Examination Handbook.7
While conducting supervisory activities, examiners obtain lists of regulated financial institutions that are serviced by TSPs. The lists of customers are used to identify and validate regulated financial institutions that are entitled to copies of the reports. The agencies then distribute the reports to serviced financial institutions, either automatically or upon request. A financial institution may request a copy of the examination report from the institution’s primary federal regulator. However, only institutions that have a valid and current contract with the TSP as of the date of the examination will receive the report. The TSP examination reports remain the joint property of the agencies and are provided to financial institutions for their internal and confidential use.
How should a community bank implement the guidance? What should be completed before the examination?
A community bank should begin by completing a gap analysis to identify whether its current program needs to be adjusted to meet supervisory expectations. An implementation plan should then be developed to address any identified gaps. The plan should include activities, timelines for completion, a list of responsible parties, and status reporting requirements.
Examiners will review the gap analysis and the implementation plan during the initial examination and assess whether they are appropriate for the community bank. During subsequent reviews, examiners will assess progress in executing the implementation plan and identify any issues.
What if bankers have additional questions?
The Federal Reserve held two Ask the Fed sessions, on March 5 and 21, 2014, where bankers were able to ask questions concerning the guidance. Bankers can listen to archives of these presentations since all Ask the Fed sessions are recorded and can be accessed online by financial institutions. Visit www.askthefed.org to sign up to view the presentation and hear the sessions. Bankers may also direct questions to bank supervision staff at their local Reserve Banks.
- 1 See Supervision and Regulation (SR) letter 13-19/Consumer Affairs (CA) letter 13-21, “Guidance on Managing Outsourcing Risk,” available at www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
- 2 The booklet is available on the FFIEC website at ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.
- 3 See OCC Bulletin 2013-29, “Third-Party Relationships,” available at www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.
- 4 See FDIC Financial Institution Letter FIL-44-2008, “Guidance for Managing Third-Party Risk,” available at www.fdic.gov/news/news/financial/2008/fil08044.pdf.
- 5 While the guidance applies to all outsourcing arrangements, as a practical matter, a financial institution’s service provider risk management program should focus attention on outsourced activities that have a substantial impact on the institution’s financial condition, are critical to the institution’s ongoing operations, involve sensitive customer information or new bank products or services, or pose material compliance risk.
- 6 See the AICPA’s “Illustrative Type 2 SOC 2℠ Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM),” available at http://ow.ly/COTOJ.
- 7 The handbook is available on the FFIEC website at http://ow.ly/COTeU.