Home > News & Events > Financial Institution Letters
Financial Institution Letters
|Effective Practices for Selecting a Service Provider|
|This document is intended to serve as a resource for banks in addressing specific challenges relating to technology outsourcing. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.|
|As community banks become more involved in technology outsourcing,
they face significant challenges in managing the risks associated with reliance on third
party technology service providers1. Outsourcing
has become more complex with many banks using vendors for key business functions and
relying on multiple providers.
This brochure suggests techniques that can facilitate the process by which financial institutions conduct due diligence and select the best service provider.
|Objectives of the Selection Process|
|The objective of the selection process is simple: identify the best-qualified service provider and negotiate a contract that meets the needs of the financial institution. The selection process also should be cost effective, efficient, and appropriate for the nature of activities that the bank is seeking to outsource. Of course, the processes that the bank uses to select a provider or team of providers will depend on the criticality and complexity of the service to be outsourced. In addition, the degree of process formality may depend on the nature of the outsourced service and the banks familiarity with the prospective providers. Also, banks may wish to consider using consultants to provide expertise and assistance throughout the selection process.|
|Identification of Qualified Providers|
|Prior to identifying prospective service
providers, it is essential that bank management have a clear understanding of the
requirements and expectations that they are seeking to meet. As discussed in the FFIEC
Management of Outsourced Technology Services," a comprehensive risk assessment
should consider how the outsourcing arrangement will support the institution's objectives
and strategic plans and how the relationship with the service provider will be managed.
The next step in the process involves conducting due diligence to evaluate service
providers and determine their ability, both operationally and financially, to meet the
In some situations, the bank will either already know or quickly be able to determine a "short list" of provider candidates. This may occur when a specialized service is offered by a small number of providers, when size or geographic location is important, or when existing relationships with other providers (e.g., the banks core data processor) are critical factors. If the bank has already identified possible providers and does not seek to expand the pool of candidates, management can proceed to evaluation and contract negotiation.
However, when the bank seeks to create or expand a list of possible service providers, it may be helpful to use tools and techniques such as Requests for Proposal (RFP), Requests for Information (RFI), and Requests for Quote (RFQ). These are ways to obtain specific information about a service providers ability to meet the banks requirements and the fees that they charge for the service. In an RFP, the bank outlines its business objectives and technical requirements and solicits responses from service providers that describe their ability to meet these needs and related prices. A more detailed discussion of the RFP process is provided in the Appendix. The RFI and RFQ are respectively targeted at obtaining specific information about the technical solutions that are available and prices charged for a particular service.
In initial communications with service provider candidates, the bank should want to make clear that: (1) the service provider cannot disclose any information about the banks systems or its business plans to others outside the candidates team; (2) the service provider expects that commitments made during the selection process will be binding in any final agreement; and (3) the service provider identify all subcontractors, consultants, or third parties on which it is relying to provide services to the bank.
|Evaluation and Selection|
|Once the bank has identified a prospective
provider or list of candidates, the evaluation and selection process can commence. Even in
situations where only one provider is identified, it is important that the institution
still evaluate their technical expertise, operating controls, financial condition, and
management. When a larger group of candidates is being considered, the evaluations can be
quantified and ranked to facilitate selection of a small number of the best-qualified
The evaluation criteria are essential to the selection process and allow the financial institution to methodically review the candidates proposals. The overriding objective is to select the most qualified provider. Utilizing standard evaluation criteria assists in this selection effort. Some suggested evaluation criteria are:
|Depending on the situation and the outsourced activity, each of the above criteria may be given greater or less weight in the overall evaluation. Other criteria may be considered, as appropriate. In addition, bank management may consider on-site visits, reference checks, and inquiries with industry groups and peer institutions.|
|The following represent suggested practices that
can facilitate the evaluation process:
|Negotiating the Contract|
|Communication with prospective providers can
commence at various points in the evaluation and selection processes. For example,
clarifications or requests for additional information may be needed to fully evaluate a
proposal. Meetings and oral presentations may be useful to engage the provider in more
detailed discussions. Informational meetings may also be useful to determine a
providers willingness to depart from their original proposal in terms of price or
services offered. Banks may also choose to engage multiple candidates in discussions
concurrently to compare their responses.
After the selection process has narrowed the choice to one or a small number of strong candidates, negotiations with the provider(s) can help the bank finalize the terms of the contract. The negotiation process can help the bank establish terms that are agreeable to all parties and confirm that there is common understanding of the roles and responsibilities. Direct communication with the provider may help to determine whether organizational cultures are compatible and may provide an opportunity to interact with personnel who will play a key role in the future relationship.
Negotiating a contract is the final step in the procurement process. If a Request for Proposal was used or a Statement of Work was provided to the candidates to solicit their proposals, these documents can be directly incorporated into the contract. Key terms and conditions, as well as technical solutions and pricing, are generally established based on the proposal responses and final offers. A few points that might be useful in the contract negotiation and approval phases follow:
|Selection of a competent and qualified service
provider is perhaps the most critical part of the outsourcing process. The process of
selecting a vendor and determining their qualifications may vary in its formality and
requirements for time and resources. Key determinants of the process will be the
banks foreknowledge of qualified providers and the number of candidates under
consideration. Criteria for selection should be determined in advance to facilitate the
evaluation process. Once a single or handful of qualified providers has been identified,
further negotiations can help to finalize an agreement that is mutually beneficial.
The final outcome of the process should be the selection of a viable service provider that meets the procurement needs and objectives of the bank. Undertaking this commitment can provide significant benefits for complex information technology services or projects. Benefits include, but are not limited to, focusing the bank on the objective and strategic fit of the procurement, as well as facilitating due diligence in the selection of a service provider.
|Requests for Proposal (RFP) - Definition and Overview|
|A Request for Proposal is a tool that can be used to facilitate the selection of a qualified service provider and assist with the contracting process. The RFP can help a financial institution identify the best service provider(s) for their specific requirements by inviting competition, as service providers respond with a solution or combination of solutions, and the institution selects the most viable provider. The RFP can be particularly useful when bank management is seeking to create or expand a list of potential service providers or when projects are complex and represent a strategic or long-term enterprise investment.|
|The RFP process consists of a set of tasks that can be grouped into three major categories: development of a baseline, proposal preparation, and selection activities. The following are some of the many tasks that are generally part of the RFP and vendor selection process. The list is not intended to be all-inclusive, and the steps may either be expanded or contracted to meet the needs of any particular situation.|
|Development of a Baseline:
|The various tasks that comprise the baseline activity are designed to establish a clear picture of the goal and objective of the procurement. In addition, a detailed understanding of the current environment is typically established in order to determine if there is a gap between the current environment and future needs. Finally, this baseline understanding of cost and service levels is useful in conducting a cost/benefit or return on investment analysis.|
|Proposal preparation tasks are focused on defining the requirements, which are then presented in the form of a Statement of Work or similar document. The Statement of Work indicates desired services, the roles and responsibilities of each party, and the required service levels or performance standards.|
|A Typical RFP Format Includes the Following:|
|1Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. Other terms used to describe Service Providers include vendors, subcontractors, external service provider (ESPs) and outsourcers.|
|Last Updated firstname.lastname@example.org|