November 26, 2004
Outsourcing by Financial Services Firms: The Supervisory Response
Jose A. Lopez
In the financial services industry, outsourcing has been in use for quite some time. For example, since the 1970s, financial institutions have used outside firms for such clerical activities as printing customer financial statements and storing records. As information technologies (IT) evolved during the 1980s and 1990s, financial services firms began to outsource a great variety of IT activities as a means of lowering their costs and gaining faster access to up-to-date technology. For example, purchasing software for producing internal reports and customer statements from a specialized vendor often provides significant cost savings and greater flexibility over developing and maintaining that software in-house. Current forecasts suggest that this trend toward outsourcing is likely to continue into the near future.
Although outsourcing presents all firms with important challenges, financial services firms face two special issues. One issue involves concerns about maintaining the privacy of customers’ financial information; the other involves concerns associated with the relatively high degree of government regulation that these firms face. The latter issue has led to important developments in the government supervision of financial services firms, particularly depository institutions (that is, banks, thrifts, and credit unions).
This Economic Letter reviews both the supervisory concerns and the practices that have arisen in response to the expansion of outsourcing by financial services firms. Government supervisors have adopted general guidelines regarding how the inherent risks should be identified and mitigated. For the U.S. banking industry in particular, supervisors have established explicit procedures for monitoring the outsourcing activities of depository institutions to technology service providers.
Firms may choose to outsource certain activities for various reasons. For example, an outside vendor might provide operational efficiencies and associated cost savings that the firm could not achieve on its own. The firm’s management could also decide to concentrate on core business functions and hence reallocate its limited internal resources, both in terms of human and economic capital, away from non-core activities. Outsourcing might also be used to develop and provide new customer services more quickly and reliably than is possible with just internal resources.
Financial services firms provide a wide array of services to consumers and businesses, but are generally characterized as securities firms, insurance firms, and banking firms (or as depository institutions, more narrowly). While quite distinct in actual practice, these firms have several common features that might predispose them toward using a reasonably large degree of outsourcing. Specifically, in the course of their businesses, they handle large volumes of information, in both paper and electronic form, and they typically provide customers with a wide variety of related, yet distinct, services; for example, banks provide checking accounts as well as other payments services in conjunction with access to many alternative savings vehicles. The sheer volume and breadth of these activities present compelling reasons for outsourcing, particularly to technology service providers (TSPs) that have developed expertise in specific business applications.
While outsourcing can improve the ability of a financial services firm to offer its customers enhanced services without the expense of owning the required technology and the human capital to operate it, the fundamental business risks associated with providing these services typically are not reduced. Indeed, although outsourcing can reduce certain other risks, it also introduces new challenges and risks. For example, failure to choose a qualified and compatible service provider, and to structure an appropriate outsourcing relationship, may lead to ongoing operational problems or even a severe business disruption.
The risks that attend outsourcing are too numerous to discuss individually, but in broad terms they tend to fall into three general categories: operational, reputational, and legal risks (see Federal Reserve Bank of New York 1999). Operational risk has been defined as the risk of monetary losses resulting from inadequate or failed internal processes, people, and systems or from external events (see Lopez 2002 for further discussion). Note that operational risk is quite broadly defined and could be seen as encompassing reputational and legal risks as well. While operational risk exists whether or not a firm outsources certain business activities, the transfer of managerial responsibility, but not accountability, via an outsourcing agreement to a third-party service provider introduces new concerns that the firm might not be aware of and certainly will not have direct control over.
Similarly, financial services firms face reputational risk directly in their ongoing operations, but outsourcing arrangements introduce unique new concerns. For example, the transfer of customer financial information to a service provider introduces the risk of potential violations of confidentiality, either due to security issues during the transfer itself or due to a provider’s imperfect control environment. While the legal responsibility for such a violation may clearly reside with the service provider, the financial services firm would not easily be able to avoid damage to its reputation.
Legal risk can take several forms, since outsourcing arrangements are based on binding contractual relationships. Aside from the concerns summarized above, legal risk could arise from specific contractual details. For example, the outsourcing contract might have a long duration during which the firm’s business needs and environment could change in important, but unexpected, ways. Consequently, firms might get locked into agreements that reflect outdated business realities.
These three categories apply to any outsourcing arrangements. When outsourcing agreements are made with foreign firms—a practice commonly referred to as “offshoring”—concerns regarding country risk factors are introduced. Changes in foreign government policies as well as political, social, economic and legal conditions in the country where the service provider is based or where the contractual relationship has been established could materially affect the outsourcing agreement.
Government supervisors of financial services firms clearly must monitor and react to the risks posed by outsourcing core financial services activities. In recognition of these concerns, a consultative paper outlining nine high-level principles about outsourcing was issued by the Joint Forum, a financial services policy group established by the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors (Joint Forum 2004). The principles apply across the banking, securities, and insurance sectors of the financial services industry worldwide, and they can be grouped broadly into three categories.
The first category refers to the policies that regulated financial services firms should have in place even before entering an outsourcing agreement. For example, the firm should establish a comprehensive policy for assessing whether and how certain activities can be outsourced, and the firm’s board of directors should retain direct responsibility for that policy. In addition, firms should establish a comprehensive outsourcing risk-management program to monitor and address issues arising from the outsourced activities and relationships with service providers.
The second category addresses concerns surrounding specific outsourcing arrangements. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities, and expectations of all parties. The firm should also maintain adequate contingency plans and take appropriate steps to require that service providers protect the confidential information of both itself and its clients from intentional or inadvertent disclosure.
The third category addresses concerns specific to supervisors. Supervisors should take into account outsourcing activities as an integral part of their monitoring responsibilities. Supervisors should assure themselves that outsourcing arrangements do not hamper the ability of the firm to meet its supervisory requirements; that is, supervisors should be able to obtain promptly any relevant materials regarding outsourced activities.
Government supervision of the financial services industry in the United States is spread across several government agencies and is divided functionally across the banking, securities, and insurance sectors, although important areas of overlap exist. For example, securities firms are primarily supervised by the Securities Exchange Commission, various exchanges where securities are traded, and by the rules of self-governing organizations, such as the National Association of Securities Dealers. Insurance firms are primarily supervised by state insurance agencies, whose activities are broadly assisted by national organizations, such as the National Association of Insurance Commissioners. Banks and other depository institutions are supervised by the Federal Reserve and four other supervisory agencies, and together they constitute the Federal Financial Institutions Examination Council (FFIEC).
The FFIEC has produced several publications to assist bankers and examiners in evaluating a financial institution’s risk-management processes for establishing, managing, and monitoring the outsourcing of IT projects (see FFIEC 2003 and 2004). These publications provide examiners with guidance on how to assess a variety of outsourcing issues, such as board and management responsibilities, service provider selection, and contract issues.
In addition, all FFIEC members, except the National Credit Union Association, have statutory authority to examine certain TSPs; that is, the supervisors have the authority to supervise all of the activities and records of a depository institution whether performed by the institution or by a third party on or off the premises. Accordingly, the examination and supervision of a depository institution is not hindered by a transfer of its records to another organization or by having another organization carry out all or part of the supervised institution’s functions. Within the TSP examination process, supervisors conduct a variety of tasks, such as identifying actual or potential risks associated with activities that could adversely affect serviced depository institutions, evaluating the overall integrity and effectiveness of TSP risk-management systems and controls, and determining their compliance with applicable laws and regulations that affect the services provided by financial institutions.
In fact, just as in the examination of depository institutions and their holding companies, the FFIEC agencies assign ratings to TSPs after the completion of these examinations. The primary purpose of the rating system is to identify those entities whose condition or performance of IT functions requires special supervisory attention. The rating system is known as the Uniform Rating System for Information Technology (URSIT). These ratings are based on a risk evaluation of the TSP’s audit practices, management practices, development and acquisition of appropriate IT solutions, and support and delivery of these services in a secure environment. Composite URSIT ratings are based on a scale from 1 through 5 in ascending order of supervisory concern. Since the main purpose of the ratings is to identify TSPs that might pose an inordinate amount of IT risk to depository institutions, the supervisory agency assigning the URSIT rating communicates it to all other FFIEC agencies.
Outsourcing by financial services firms raises important concerns for both the firms and their government supervisors. Specific supervisory efforts, such as the FFIEC’s procedures for supervising banks’ outsourcing of IT services, are currently in place and more are in development. However, such efforts will need to be flexible and will most probably be modified over time as the nature of these outsourcing arrangements evolves.
Federal Financial Institutions Examination Council. 2004. IT Examination Handbook: Outsourcing Technology Services.
Federal Financial Institutions Examination Council. 2003. IT Examination Handbook: Supervision of Technology Service Providers.
Federal Reserve Bank of New York. 1999. Outsourcing Financial Services Activities: Industry Practice to Mitigate Risks.
Joint Forum. 2004. “Outsourcing in Financial Services.” Consultative document, Basel Committee on Banking Supervision. Bank for International Settlements.
Lopez, J.A. 2002. “What Is Operational Risk?” FRBSF Economic Letter 2002-02 (January 25).
Opinions expressed in FRBSF Economic Letter do not necessarily reflect the views of the management of the Federal Reserve Bank of San Francisco or of the Board of Governors of the Federal Reserve System. This publication is edited by Sam Zuckerman and Anita Todd. Permission to reprint must be obtained in writing.