Outsourcing Technology Services

The financial services industry has changed rapidly and dramatically. Advances in technology enable institutions to provide customers with an array of products, services, and delivery channels. One result of these changes is that financial institutions increasingly rely on external service providers for a variety of technology-related services. Generally, the term "outsourcing" is used to describe these types of arrangements.

The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) "Outsourcing Technology Services Booklet" (booklet) provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution's risk management processes to establish, manage, and monitor IT outsourcing relationships.

The ability to contract for technology services typically enables an institution to offer its customers enhanced services without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it. In many situations, outsourcing offers the institution a cost effective alternative to in-house capabilities. Outsourcing, however, does not reduce the fundamental risks associated with information technology or the business lines that use it. Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action remain. Because the functions are performed by an organization outside the financial institution, the risks may be realized in a different manner than if the functions were inside the financial institution resulting in the need for controls designed to monitor such risks.

Financial institutions can outsource many areas of operations, including all or part of any service, process, or system operation. Examples of information technology (IT) operations frequently outsourced by institutions and addressed in this booklet include: the origination, processing, and settlement of payments and financial transactions; information processing related to customer account creation and maintenance; as well as other information and transaction processing activities that support critical banking functions, such as loan processing, deposit processing, fiduciary and trading activities; security monitoring and testing; system development and maintenance; network operations; help desk operations; and call centers. The booklet addresses an institution's responsibility to manage the risks associated with these outsourced IT services.

Management may choose to outsource operations for various reasons. These include:

• Gain operational or financial efficiencies;
• Increase management focus on core business functions;
• Refocus limited internal resources on core functions;
• Obtain specialized expertise;
• Increase availability of services;
• Accelerate delivery of products or services through new delivery channels;
• Increase ability to acquire and support current technology and avoid obsolescence; and
• Conserve capital for other business ventures.

Outsourcing of technology-related services may improve quality, reduce costs, strengthen controls, and achieve any of the objectives listed previously. Ultimately, the decision to outsource should fit into the institution's overall strategic plan and corporate objectives.

Before considering the outsourcing of significant functions, an institution's directors and senior management should ensure such actions are consistent with their strategic plans and should evaluate proposals against well-developed acceptance criteria. The degree of oversight and review of outsourced activities will depend on the criticality of the service, process, or system to the institution's operation.

Financial institutions should have a comprehensive outsourcing risk management process to govern their technology service provider (TSP) relationships. The process should include risk assessment, selection of service providers, contract review, and monitoring of service providers. Outsourced relationships should be subject to the same risk management, security, privacy, and other policies that would be expected if the financial institution were conducting the activities in-house. This booklet primarily focuses on how the bank regulatory agencies review the risk management process employed by a financial institution when considering or executing an outsourcing relationship.

To help ensure financial institutions operate in a safe and sound manner, the services performed by TSPs are subject to regulation and examination.See 12 USC 1867 (c)(1) and 12 USC 1464 (d)(7). The NCUA does not currently have independent regulatory authority over TSPs. The federal financial regulators have the statutory authority to supervise all of the activities and records of the financial institution whether performed or maintained by the institution or by a third party on or off of the premises of the financial institution. Accordingly, the examination and supervision of a financial institution should not be hindered by a transfer of the institution's records to another organization or by having another organization carry out all or part of the financial institution's functions.S. Rep. No. 2105, 87-2105 at 3 (1962). reprinted in 1962 U.S.C.C.A.N. 3878, 3880. Accord H.R. Rep. No. 105-417, at 4 (1998), reprinted in 1998 U.S.C.C.A.N. 22. 23.

Many of the general principles on effective management of outsourcing relationships discussed in this booklet can and should be applied to managing the outsourcing of software development. Outsourcing of activities related to software development is addressed in the IT Handbook's, "Development and Acquisition Booklet."

This booklet rescinds and replaces Chapter 22 of the 1996 FFIEC Information Systems Examination Handbook, IS Servicing - Provider and Receiver.