07 February 2014
Scope of guidance
Overview of board outsourcing risk management expectations
Due diligence and selection of service providers
Contract provisions and considerations
Incentive compensation review
Oversight and monitoring of service providers
Business continuity and contingency considerations
Additional risk considerations
Responsibilities of financial institution boards and senior management
On December 5 2013 the Board of Governors of the Federal Reserve System released Supervisory Letter SR 13-19, "Guidance on Managing Outsourcing Risk". The guidance is the most recent publication in a series of supervisory and enforcement actions by federal regulators of financial institutions clarifying regulatory expectations with respect to outsourcing and the selection and management of third-party service providers. The guidance describes the heightened regulatory scrutiny that now applies to the outsourcing activities of covered financial institutions. Accordingly, financial institutions subject to the guidance should review and update as appropriate their policies and procedures for evaluating, engaging and monitoring outsourced activities and third-party service provider relationships, taking into account the expectations expressed in the guidance.
The guidance applies to all financial institutions (state member banks, bank and savings and loan holding companies - including their non-bank subsidiaries - and US operations of foreign banking organisations) supervised by the board, regardless of size. For purposes of the guidance, the board broadly defines 'service providers' to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities. The guidance does not replace, but is supplemental to, other regulatory guidance on third-party risk applicable to the covered financial institutions. In fact, the guidance refers financial institutions to other regulatory guidance with respect to specific topics.
The guidance states that financial institutions are responsible for ensuring that services provided by service providers:
The guidance also sets forth the board's expectations on how financial institutions should manage outsourcing decisions and relationships.
The board expects each financial institution to develop and implement a risk-based service provider risk management programme that is "commensurate with the level of risk" raised by the financial institution's outsourcing activities. Accordingly, each financial institution should consider and identify the applicable risks that may arise in connection with outsourcing financial institution functions and monitor those risks during the course of an outsourcing relationship. Such risks include:
Although this risk-based approach recognises that the depth and formality of a financial institution's service provider risk management programme may depend on the nature and complexity of the outsourced activities, the guidance articulates certain elements that are usually present in effective programmes. These elements include the following:
Accordingly, a financial institution should evaluate carefully any proposal that deviates from any of the elements highlighted by the guidance.
Before outsourcing an activity, a financial institution should determine whether outsourcing is consistent with the financial institution's overall strategy. Following such a determination, a financial institution should assess the benefits and risks of outsourcing the particular activity, including the associated service provider risk and cost. A financial institution should also consider the availability of qualified, experienced service providers, and the financial institution's ability to adequately manage and oversee the outsourcing. A financial institution should review and update, as appropriate, its risk assessments at intervals consistent with the financial institution's service provider risk management plan.
A financial institution should conduct due diligence before engaging a prospective service provider. The guidance acknowledges that the level and depth of due diligence may depend on certain variables, including the scope, complexity and importance of the outsourcing arrangement. However, in general, due diligence should include a review of the prospective service provider's:
The guidance states that the terms of service agreements should be defined in written contracts that have been reviewed by the financial institution's legal counsel before execution. Although the guidance provides that the nature of outsourced activity and the service provider's strategy will determine the contract terms, the guidance specifically identifies several elements that are included in well-defined contracts and service agreements, including:
Although many of the contractual elements identified in the guidance are currently commonplace in service provider contracts, the guidance also articulates certain contractual expectations that are often subject to contentious negotiations in the marketplace. For example, the guidance provides that service contracts should require service providers to indemnify financial institutions against simple negligence on the service provider's part. Interestingly, in this regard, the guidance provided by the Office of the Comptroller of the Currency refers to indemnity against claims arising out of the provider's failure to perform (ie, a contractual breach standard). Such a provision is likely to yield difficult discussions with service providers that attempt to limit indemnity obligations to a higher standard.
The guidance emphasises the importance of contractual provisions related to the protection of consumer information and the financial institution's confidential information. A service provider should provide the same customer information protections that the financial institution does, and a service provider's security processes should map directly to the financial institution's own processes. A service provider's use of financial institution information and customer information should be limited to what is needed to provide the service. Contracts should also include provisions related to the security of, retention of and access to non-public personal information, if applicable, including the provision of data breach notices and obligations under applicable laws in the event of a data breach.
Financial institutions should have a process to review and approve incentive compensation arrangements in outsourcing contracts to ensure that the service provider is not encouraged to take imprudent risks that could result in reputational damage and other risks, such as litigation.
Financial institutions should have procedures to oversee and monitor their service providers on an ongoing basis. These procedures should include performance metrics for evaluating whether a service provider is performing at an acceptable level, and should designate personnel with sufficient expertise and stature to manage and oversee the outsourced arrangement. These procedures should also include risk-based reporting and monitoring at a frequency and level appropriate to the level of risk. Monitoring procedures should include ongoing monitoring of the financial condition of the service provider and its significant subcontractors, assessment of the service provider's internal controls and identification of the circumstances in which escalated oversight and monitoring of a service provider are triggered.
Financial institutions should have contingency plans for outsourced activities. Such plans should focus on critical services and consider alternatives if a service provider cannot perform. Financial institutions should also:
The guidance notes some additional areas of specific focus that financial institutions should consider where applicable, such as:
The guidance clearly states that a financial institution's use of service providers:
"Does not relieve a financial institution's board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations."
Specifically, the guidance charges the board of directors or an executive committee of the board with establishing and approving the financial institution's policy governing the use of service providers, including a service provider risk management policy addressing risk assessments, due diligence, contract standards and considerations, service provider monitoring and business continuity and contingency planning. The guidance also requires that a financial institution's board of directors and senior management determine whether any limits on service provider liability are reasonable relative to the risks to the financial institution if the service provider fails to perform. Senior management is also responsible for ensuring that the board-adopted policies are appropriately executed, including regular reporting to the board on adherence to the policies. Such provisions may require financial institutions to modify their service provider contract approval processes to include board or senior management review in more circumstances than may historically have been the case.