District Circular Letters
March 21, 2000
BANKING SUPERVISION AND REGULATION:
OUTSOURCING OF INFORMATION
AND TRANSACTION PROCESSING
To State Member Banks,
Bank Holding Companies, U.S. Branches
and Agencies of Foreign Banks,
and Others Concerned,
in the Twelfth Federal Reserve District
Outsourcing of Information and Transaction Processing
The Federal Reserve is issuing the enclosed SR
00-4 (SUP) letter dealing with outsourcing of information and transaction
processing. Banking organizations are increasingly relying on services
provided by other entities to support a range of banking operations. Outsourcing
of information and transaction processing activities, either to affiliated
institutions or third-party service providers, may help banking organizations
manage data processing and related personnel costs, improve services,
and obtain expertise not available internally. At the same time, the reduced
operational control over outsourced activities may expose an institution
to additional risks. The federal banking agencies have established procedures
to examine and evaluate the adequacy of institutions' controls over service
providers. This letter reiterates and clarifies the Federal Reserve's
expectations regarding the management of risks that may arise from the
outsourcing of critical information and transaction processing activities
by a banking organization.
Outsourcing Risks
Outsourcing of information and transaction processing involves operational
risks similar to those that arise when these functions are performed internally,
such as threats to the availability of systems used to support customer
transactions, the integrity or security of customer account information,
or the integrity of risk management information systems. Under outsourcing
arrangements, however, the risk management measures commonly used to address
these risks, such as internal controls and procedures, are generally under
the direct operational control of the service provider, rather than the
serviced institution that would bear the associated risk of financial
loss, damage to the institution's reputation, or other adverse consequences.
Some outsourcing arrangements also involve direct financial risks to
the serviced institution. For example, for some transaction processing
activities, a service provider has the ability to process transactions
that result in extensions of credit on behalf of the serviced institution.
A service provider may also collect or disburse funds, exposing the institution
to liquidity and credit risks should the service provider fail to perform
as expected.
Risk Management
The Federal Reserve expects institutions to ensure that controls over
outsourced information and transaction processing activities are equivalent
to those that would be implemented if the activity were conducted internally.
The institution's board of directors and senior management should understand
the key risks associated with the use of service providers for its critical
operations, commensurate with the scope and risks of the outsourced activity
and its importance to the institution's business. They should ensure that
an appropriate oversight program is in place to monitor each service provider's
controls, condition, and performance. Terms and conditions should be assessed
by the institution to ensure that they are appropriate for the particular
service being provided and result in an acceptable level of risk to the
institution. Contracts for outsourcing of critical functions should be
reviewed by the institution's legal counsel.
International Considerations
In general, arrangements for outsourcing of critical information or
transaction processing functions to service providers located outside
the United States should be conducted according to the same risk management
guidelines as with domestic service providers. In addition, the Federal
Reserve expects that these arrangements will be established in a manner
that does not diminish the ability of U.S. supervisors to review effectively
the domestic or foreign operations of U.S. banking organizations and the
U.S. operations of foreign banking organizations.
Examination Implementation
In the development of the examination scope and risk profile, examiners
should determine which information and transaction processing activities
critical to the institution's core operations are outsourced. During the
on-site examination, the adequacy of the institution's risk management
for these critical service providers should be assessed and evaluated.
The overall assessment should be reflected in the relevant components
of the Uniform Information Technology Rating System examination rating,
or the Uniform Financial Institution Rating System, if an information
systems rating is not assigned.
Lastly, this notice is intended to remind banking organizations of the
reporting requirements of the Bank Service Corporation Act of 1962, as
amended (12 USC 1861, et seq.). When a banking corporation contracts for
outside services, Section 7(c)(2) of the Act requires the contracting
institution to notify the appropriate federal banking agency within 30
days after (1) the making of the service contract or (2) the performance
of the service, whichever comes first. Please forward any such notification
to:
Patrick Weiss
Senior Manager, Applications & Enforcement
Banking Supervision and Regulation
Federal Reserve Bank of San Francisco
101 Market Street
San Francisco, CA 94105
For Additional Information
SR
00-4 (SUP) is also available on the Federal Reserve's Internet site,
at http://www.federalreserve.gov.
For additional information regarding outsourcing of information and transaction
processing, please contact our Banking Supervision and Regulation Department,
at (415) 974-2927.
Enclosure
SR 00-4(SUP)
FEDERAL RESERVE BANK OF SAN FRANCISCO