FRBSF Economic Letter
2004-34; November 26, 2004
Outsourcing by Financial Services Firms: The Supervisory Response
In the financial services industry, outsourcing has been in use for quite some time. For example, since the 1970s, financial institutions have used outside firms for such clerical activities as printing customer financial statements and storing records. As information technologies (IT) evolved during the 1980s and 1990s, financial services firms began to outsource a great variety of IT activities as a means of lowering their costs and gaining faster access to up-to-date technology. For example, purchasing software for producing internal reports and customer statements from a specialized vendor often provides significant cost savings and greater flexibility over developing and maintaining that software in-house. Current forecasts suggest that this trend toward outsourcing is likely to continue into the near future.
Although outsourcing presents all firms with important challenges, financial services firms face two special issues. One issue involves concerns about maintaining the privacy of customers' financial information; the other involves concerns associated with the relatively high degree of government regulation that these firms face. The latter issue has led to important developments in the government supervision of financial services firms, particularly depository institutions (that is, banks, thrifts, and credit unions).
This Economic Letter reviews both the supervisory concerns and the practices that have arisen in response to the expansion of outsourcing by financial services firms. Government supervisors have adopted general guidelines regarding how the inherent risks should be identified and mitigated. For the U.S. banking industry in particular, supervisors have established explicit procedures for monitoring the outsourcing activities of depository institutions to technology service providers.
Why outsourcing?
Firms may choose to outsource certain activities for various reasons. For example, an outside vendor might provide operational efficiencies and associated cost savings that the firm could not achieve on its own. The firm's management could also decide to concentrate on core business functions and hence reallocate its limited internal resources, both human and economic capital, away from non-core activities. Outsourcing might also be used to develop and provide new customer services more quickly and reliably than is possible with internal resources alone.
Financial services firms provide a wide array of services to consumers and businesses, but they are generally characterized as securities firms, insurance firms, and banking firms (or, more narrowly, as depository institutions). While quite distinct in actual practice, these firms have several common features that might predispose them toward using a reasonably large degree of outsourcing. Specifically, in the course of their businesses, they handle large volumes of information, in both paper and electronic form, and they typically provide customers with a wide variety of related, yet distinct, services; for example, banks provide checking accounts as well as other payments services in conjunction with access to many alternative savings vehicles. The sheer volume and breadth of these activities present compelling reasons for outsourcing, particularly to technology service providers (TSPs) that have developed expertise in specific business applications.
Risks associated with outsourcing
While outsourcing can enhance the ability of a financial services firm to offer its customers enhanced services without the expenses involved in owning the required technology and the human capital to operate it, the fundamental business risks associated with providing these services typically are not reduced. Indeed, although outsourcing can reduce certain other risks, it also introduces new challenges and risks. For example, failure to choose a qualified and compatible service provider, and to structure an appropriate outsourcing relationship, may lead to ongoing operational problems or even a severe business disruption.
The risks that attend outsourcing are too numerous to discuss individually, but in broad terms they tend to fall into three general categories: operational, reputational, and legal risks (see Federal Reserve Bank of New York 1999). Operational risk has been defined as the risk of monetary losses resulting from inadequate or failed internal processes, people, and systems or from external events (see Lopez 2002 for further discussion). Note that operational risk is quite broadly defined and could be seen as encompassing reputational and legal risks as well. While operational risk exists whether or not a firm outsources certain business activities, the transfer of managerial responsibility, but not accountability, to a third-party service provider via an outsourcing agreement introduces new concerns that the firm might not be aware of and certainly will not have direct control over.
Similarly, financial services firms face reputational risk directly in their ongoing operations, but outsourcing arrangements introduce unique new concerns. For example, the transfer of customer financial information to a service provider introduces the risk of potential violations of confidentiality, either due to security issues during the transfer itself or due to a provider's imperfect control environment. While the legal responsibility for such a violation may clearly reside with the service provider, the financial services firm would not easily be able to avoid damage to its reputation.
Legal risk can take several forms, since outsourcing arrangements are based on binding contractual relationships. Aside from the concerns summarized above, legal risk could arise from specific contractual details. For example, the outsourcing contract might have a long duration during which the firm's business needs and environment could change in important, but unexpected, ways. Consequently, firms might get locked into agreements that reflect outdated business realities.
These three categories apply to any outsourcing arrangement. When outsourcing agreements are made with foreign firms (a practice commonly referred to as "offshoring"), concerns regarding country risk factors are introduced. Changes in foreign government policies, as well as in political, social, economic, and legal conditions in the country where the service provider is based or where the contractual relationship has been established, could materially affect the outsourcing agreement.
International supervisory principles
Government supervisors of financial services firms clearly must monitor and react to the risks posed by outsourcing core financial services activities. In recognition of these concerns, a consultative paper outlining nine high-level principles about outsourcing was issued by the Joint Forum, a financial services policy group established by the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors (Joint Forum 2004). The principles apply across the banking, securities, and insurance sectors of the financial services industry worldwide, and they can be grouped broadly into three categories.
The first category refers to the policies that regulated financial services firms should have in place even before entering an outsourcing agreement. For example, the firm should establish a comprehensive policy for assessing whether and how certain activities can be outsourced, and the firm's board of directors should retain direct responsibility for that policy. In addition, firms should establish a comprehensive outsourcing risk-management program to monitor and address issues arising from the outsourced activities and from relationships with service providers.
The second category addresses concerns surrounding specific outsourcing arrangements. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities, and expectations of all parties. The firm should also maintain adequate contingency plans and take appropriate steps to require that service providers protect the confidential information of both the firm and its clients from intentional or inadvertent disclosure.
The third category addresses concerns specific to supervisors. Supervisors should take outsourcing activities into account as an integral part of their monitoring responsibilities. Supervisors should assure themselves that outsourcing arrangements do not hamper the ability of the firm to meet its supervisory requirements; that is, supervisors should be able to obtain promptly any relevant materials regarding outsourced activities.
Supervisory practices in the U.S.
Government supervision of the financial services industry in the United States is spread across several government agencies and is divided functionally across the banking, securities, and insurance sectors, although important areas of overlap exist. For example, securities firms are primarily supervised by the Securities and Exchange Commission, by the various exchanges where securities are traded, and by the rules of self-regulatory organizations, such as the National Association of Securities Dealers. Insurance firms are primarily supervised by state insurance agencies, whose activities are broadly assisted by national organizations, such as the National Association of Insurance Commissioners. Banks and other depository institutions are supervised by the Federal Reserve and four other supervisory agencies, and together these five agencies constitute the Federal Financial Institutions Examination Council (FFIEC).
The FFIEC has produced several publications to assist bankers and examiners in evaluating a financial institution's risk-management processes for establishing, managing, and monitoring the outsourcing of IT projects (see FFIEC 2003 and 2004). These publications provide examiners with guidance on how to assess a variety of outsourcing issues, such as board and management responsibilities, service provider selection, and contract issues.
In addition, all FFIEC members, except the National Credit Union Administration, have statutory authority to examine certain TSPs; that is, the supervisors have the authority to supervise all of the activities and records of a depository institution whether performed by the institution or by a third party, on or off the premises. Accordingly, the examination and supervision of a depository institution is not hindered by a transfer of its records to another organization or by having another organization carry out all or part of the supervised institution's functions.
Within the TSP examination process, supervisors conduct a variety of tasks, such as identifying actual or potential risks associated with activities that could adversely affect serviced depository institutions, evaluating the overall integrity and effectiveness of TSP risk-management systems and controls, and determining their compliance with applicable laws and regulations that affect the services provided by financial institutions.
In fact, just as in the examination of depository institutions and their holding companies, the FFIEC agencies assign ratings to TSPs after the completion of these examinations. The primary purpose of the rating system is to identify those entities whose condition or performance of IT functions requires special supervisory attention. The rating system is known as the Uniform Rating System for Information Technology (URSIT).
These ratings are based on a risk evaluation of the TSP's audit practices, management practices, development and acquisition of appropriate IT solutions, and support and delivery of these services in a secure environment. Composite URSIT ratings are based on a scale from 1 through 5, in ascending order of supervisory concern.
Since the main purpose of the ratings is to identify TSPs that might pose an inordinate amount of IT risk to depository institutions, the supervisory agency assigning the URSIT rating communicates it to all other FFIEC agencies.
Conclusion
Outsourcing by financial services firms raises important concerns for both the firms and their government supervisors. Specific supervisory efforts, such as the FFIEC's procedures for supervising banks' outsourcing of IT services, are currently in place and more are in development. However, such efforts will need to be flexible and will most probably be modified over time as the nature of these outsourcing arrangements evolves.
Jose A. Lopez
Senior Economist
References
[URLs accessed November 2004.]
Federal Financial Institutions Examination Council. 2004. IT Examination Handbook: Outsourcing Technology Services. http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/Outsourcing_Booklet.pdf
Federal Financial Institutions Examination Council. 2003. IT Examination Handbook: Supervision of Technology Service Providers. http://www.ffiec.gov/ffiecinfobase/booklets/tsp/tech_ser_provider.pdf
Federal Reserve Bank of New York. 1999. Outsourcing Financial Services Activities: Industry Practice to Mitigate Risks. http://www.newyorkfed.org/banking/circulars/outsource.pdf
Joint Forum. 2004. "Outsourcing in Financial Services." Consultative document, Basel Committee on Banking Supervision, Bank for International Settlements. http://www.bis.org/publ/joint09.pdf
Lopez, J.A. 2002. "What Is Operational Risk?" FRBSF Economic Letter 2002-02 (January 25). http://www.frbsf.org/publications/economics/letter/2002/el2002-02.pdf