To the Chief Executive Officers of all Bank Holding Companies, State Member Banks, U.S. Branches and Agencies of Foreign Banks, and Edge Corporations in the Second Federal Reserve District:
The Federal Financial Institutions Examination Council recently issued the attached supplemental guidance (pdf) on the risk management of outsourced technology services. Banking organizations should consider this guidance within the context of their assessment of the scope and importance of the outsourced services to their enterprise, as well as the risks resulting from those services. This new guidance contains many of the same sound practices and recommendations set forth in the Federal Reserve Board's supervisory letter sent to you with our Circular No. 11242, dated April 13, 2000. The interagency guidance provides banking organizations with additional specific information that may be useful to consider on topics relevant to their outsourcing risk management practices.
The interagency guidance focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. While outsourcing can improve banking services, help control costs, and provide the technical assistance needed to maintain and expand product offerings, it also introduces additional risks that need to be addressed. The guidance includes four key elements to address those risks: risk assessment, service provider selection, contract provisions and review, and ongoing service provider monitoring. The guidance also includes an appendix that provides examples of considerations that may be relevant in the areas of due diligence in selecting a service provider, contracting issues, and ongoing service provider monitoring.
Questions on this matter should be directed, at this Bank, to Janet K. Rogers, Senior Vice President or Ira Adler, Bank Supervision Officer.