Independent Community Bankers of America (ICBA)

Last update: 10/02/14

FFIEC Issues Guidance for Outsourcing Relationships

WWR Article - December 22, 2000

The Federal Financial Institutions Examination Council (FFIEC) recently issued the first comprehensive regulatory guidance regarding outsourced technology services. "Risk Management of Outsourced Technology Services" is designed to assist banks in searching for and contracting with technology service providers.

Technology services include core processing, information and transaction processing related to banking functions, Internet-related services, security monitoring, systems development and maintenance, aggregation services, electronic authentication services, and call centers.

The guidance emphasizes that a bank's board of directors and senior management are responsible for understanding and effectively managing the risks associated with outsourced technology services. Banks should apply the guidance based on the scope and importance of the outsourced services as well as the risk to the institution from the services.

According to the guidance, the risk management process should include:

  • a risk assessment to identify the institution's needs and requirements and to determine whether the outsourcing arrangement will support these requirements;

  • proper due diligence to determine a service provider's ability, both operationally and financially, to meet the institution's needs;

  • written contracts that clearly define duties, obligations and responsibilities of the parties involved, including assurances for performance, reliability, security, confidentiality and reporting; and

  • ongoing oversight of outsourced technology services.

The guidance further emphasizes that additional risk-management controls should be implemented when outsourced services involve the use of the Internet. Due to the Internet's broad geographic reach, ease of access and anonymity, banks are urged to pay close attention to outsourcers' ability to maintain secure systems, detect intrusion, authenticate customers and develop reporting systems.

The guidance also contains an appendix with additional information on each component of the risk management process. A copy of the guidance can be obtained from the FFIEC Web site at www.ffiec.gov/pr112800_guidance.doc.

All contents copyright 2014 Independent Community Bankers of America. All rights reserved.