The Federal Financial Institutions Examination Council (FFIEC) recently issued the first comprehensive regulatory guidance regarding outsourced technology services. "Risk Management of Outsourced Technology Services" is designed to assist banks in searching for and contracting with technology service providers.
Technology services include core processing, information and transaction processing related to banking functions, Internet-related services, security monitoring, systems development and maintenance, aggregation services, electronic authentication services, and call centers.
The guidance emphasizes that a bank's board of directors and senior management are responsible for understanding and effectively managing the risks associated with outsourced technology services. Banks should apply the guidance based on the scope and importance of the outsourced services as well as the risk to the institution from the services.
According to the guidance, the risk management process should include:
The guidance further emphasizes that additional risk-management controls should be implemented when outsourced services involve the use of the Internet. Due to the Internet's broad geographic reach, ease of access and anonymity, banks are urged to pay close attention to outsourcers' ability to maintain secure systems, detect intrusion, authenticate customers and develop reporting systems.
The guidance also contains an appendix with additional information on each component of the risk management process. A copy of the guidance can be obtained from the FFIEC Web site at www.ffiec.gov/pr112800_guidance.doc.