This document is intended to
serve as a resource for banks in addressing specific challenges relating to technology
outsourcing. The content was prepared not as examination procedures or official guidance
but as an informational tool for community bankers.
As community banks become more involved in technology outsourcing,
they face significant challenges in managing the risks associated with reliance on third
party technology service providers1. Outsourcing
has become more complex with many banks using vendors for key business functions and
relying on multiple providers.
brochure suggests techniques that can facilitate the process by which financial
institutions conduct due diligence and select the best service provider.
The objective of the selection process is simple:
identify the best-qualified service provider and negotiate a contract that meets the needs
of the financial institution. The selection process also should be cost effective,
efficient, and appropriate for the nature of activities that the bank is seeking to
outsource. Of course, the processes that the bank uses to select a provider or team of
providers will depend on the criticality and complexity of the service to be outsourced.
In addition, the degree of process formality may depend on the nature of the outsourced
service and the banks familiarity with the prospective providers. Also, banks may
wish to consider using consultants to provide expertise and assistance throughout the
Prior to identifying prospective service
providers, it is essential that bank management have a clear understanding of the
requirements and expectations that they are seeking to meet. As discussed in the FFIEC
Management of Outsourced Technology Services," a comprehensive risk assessment
should consider how the outsourcing arrangement will support the institution's objectives
and strategic plans and how the relationship with the service provider will be managed.
The next step in the process involves conducting due diligence to evaluate service
providers and determine their ability, both operationally and financially, to meet the
situations, the bank will either already know or quickly be able to determine a
"short list" of provider candidates. This may occur when a specialized service
is offered by a small number of providers, when size or geographic location is important,
or when existing relationships with other providers (e.g., the banks core data
processor) are critical factors. If the bank has already identified possible providers and
does not seek to expand the pool of candidates, management can proceed to evaluation and
However, when the bank seeks to create or expand a
list of possible service providers, it may be helpful to use tools and techniques such as
Requests for Proposal (RFP), Requests for Information (RFI), and Requests for Quote (RFQ).
These are ways to obtain specific information about a service providers ability to
meet the banks requirements and the fees that they charge for the service. In an
RFP, the bank outlines its business objectives and technical requirements and solicits
responses from service providers that describe their ability to meet these needs and
related prices. A more detailed discussion of the RFP process is provided in the Appendix. The RFI and RFQ are respectively targeted at obtaining
specific information about the technical solutions that are available and prices charged
for a particular service.
In initial communications with service provider
candidates, the bank should want to make clear that: (1) the service provider cannot
disclose any information about the banks systems or its business plans to others
outside the candidates team; (2) the service provider expects that commitments made
during the selection process will be binding in any final agreement; and (3) the service
provider identify all subcontractors, consultants, or third parties on which it is relying
to provide services to the bank.
Once the bank has identified a prospective
provider or list of candidates, the evaluation and selection process can commence. Even in
situations where only one provider is identified, it is important that the institution
still evaluate their technical expertise, operating controls, financial condition, and
management. When a larger group of candidates is being considered, the evaluations can be
quantified and ranked to facilitate selection of a small number of the best-qualified
The evaluation criteria
are essential to the selection process and allow the financial institution to methodically
review the candidates proposals. The overriding objective is to select the most
qualified provider. Utilizing standard evaluation criteria assists in this selection
effort. Some suggested evaluation criteria are:
Compatibility of the service providers
vision/value proposition with that of the bank.
Ability to execute the vision/value proposition.
Functionality of the service or system proposed. (Do
the functional features meet the stated requirements?)
Technology in terms of type, power, modularity, and
ability to upgrade/refresh or scale.
Service and support in terms of maintenance hours,
response time, resolution time, security, disaster planning, and other service levels.
Financial stability of the vendor.
Depending on the situation and the outsourced
activity, each of the above criteria may be given greater or less weight in the overall
evaluation. Other criteria may be considered, as appropriate. In addition, bank management
may consider on-site visits, reference checks, and inquiries with industry groups and peer
The following represent suggested practices that
can facilitate the evaluation process:
Be specific in all requests for information from
candidates. Prioritize the requested information and indicate minimums and maximums for
the length of response. A useful rule of thumb is that "You get what you ask
Consider using numerical scores based on quality
ranking factors. By using consistent scoring systems or metrics, objective evaluation
standards can be applied. Make sure the quality ranking factors are aimed at achieving the
Determine minimum acceptable scores for the criteria
used before rating the bids. Narrow the list of proposals by eliminating bids that do not
meet the required minimums.
Document the evaluation process and methodology used
to score the respective proposals. It is generally a good practice to document
requirements and priorities before starting the evaluation stage of a project.
Consider conducting meetings and/or oral
presentations where service providers can respond to questions and provide additional
Consider ways to keep the process manageable.
Depending on the complexity of the outsourced activity, the evaluation process can be time
consuming and resource intensive.
When working with a larger list of prospective
candidates, narrow the group to a small number (e.g., two or three) to solicit "best
and final" offers.
Communication with prospective providers can
commence at various points in the evaluation and selection processes. For example,
clarifications or requests for additional information may be needed to fully evaluate a
proposal. Meetings and oral presentations may be useful to engage the provider in more
detailed discussions. Informational meetings may also be useful to determine a
providers willingness to depart from their original proposal in terms of price or
services offered. Banks may also choose to engage multiple candidates in discussions
concurrently to compare their responses.
After the selection process has narrowed the choice to one or a
small number of strong candidates, negotiations with the provider(s) can help the bank
finalize the terms of the contract. The negotiation process can help the bank establish
terms that are agreeable to all parties and confirm that there is common understanding of
the roles and responsibilities. Direct communication with the provider may help to
determine whether organizational cultures are compatible and may provide an opportunity to
interact with personnel who will play a key role in the future relationship.
Negotiating a contract is the final step in the
procurement process. If a Request for Proposal was used or a Statement of Work was
provided to the candidates to solicit their proposals, these documents can be directly
incorporated into the contract. Key terms and conditions, as well as technical solutions
and pricing, are generally established based on the proposal responses and final offers. A
few points that might be useful in the contract negotiation and approval phases follow:
As a general industry practice, information
technology contracts are commonly set for a three- to five-year term. The shorter term
enables the institution to reflect the pace of change in the technology industry.
Prices indicated in the contract and service
providers proposal can be more effectively considered when they are broken down by
each category of service (workspace, network services, etc.) and for the technology
services by platform group.
It is useful to explicitly state all charges as part
of the invoicing procedures, occupancy policy, communication protocols, additional test
time, and annual increases. Specifying each additional increment of cost is important in
order to minimize the financial risk of increased prices for additional or reduced
Many contracts contain exit clauses that allow the
institution to cancel the contract for reasons such as a failure to perform.
Service level agreements should be stated in the
contract. (Further information on service level agreements is provided in a separate FDIC
document on technology outsourcing.)
Having a clear understanding of the current and
anticipated future requirements of the outsourced service can allow the bank to obtain a
long-term solution rather than a quick fix.
Set a realistic time line for completing the
contract negotiation process.
Obtain a list of all key personnel and a list of any
subcontractors, consultants, or third parties on which service delivery depends.
Selection of a competent and qualified service
provider is perhaps the most critical part of the outsourcing process. The process of
selecting a vendor and determining their qualifications may vary in its formality and
requirements for time and resources. Key determinants of the process will be the
banks foreknowledge of qualified providers and the number of candidates under
consideration. Criteria for selection should be determined in advance to facilitate the
evaluation process. Once a single or handful of qualified providers has been identified,
further negotiations can help to finalize an agreement that is mutually beneficial.
The final outcome of the process should
be the selection of a viable service provider that meets the procurement needs and
objectives of the bank. Undertaking this commitment can provide significant benefits for
complex information technology services or projects. Benefits include, but are not limited
to, focusing the bank on the objective and strategic fit of the procurement, as well as
facilitating due diligence in the selection of a service provider.
A Request for Proposal is a tool that can be used
to facilitate the selection of a qualified service provider and assist with the
contracting process. The RFP can help a financial institution identify the best service
provider(s) for their specific requirements by inviting competition, as service providers
respond with a solution or combination of solutions, and the institution selects the most
viable provider. The RFP can be particularly useful when bank management is seeking to
create or expand a list of potential service providers or when projects are complex and
represent a strategic or long-term enterprise investment.
The RFP process consists of a set of tasks that
can be grouped into three major categories: development of a baseline, proposal
preparation, and selection activities. The following are some of the many tasks that are
generally part of the RFP and vendor selection process. The list is not intended to be
all-inclusive, and the steps may either be expanded or contracted to meet the needs of any
Development of a Baseline:
Determine the purpose and goal of the procurement.
Assign a proposal project team and an evaluation
Plan the outsourcing project in terms of cost
schedule, functional requirements, and resource requirements.
Develop a "baseline" that represents a
current "as is" description of the affected environment in terms of current
cost, inventory of systems, and services.
Develop a "needs assessment" which
describes managements assumptions on how to more effectively serve its customers.
Determine the future requirements by analyzing
anticipated needs and project objectives.
Determine the disparity between the current
environment and the future requirements in order to identify the gaps that need to be
filled to get from the current environment to the desired environment.
The various tasks that comprise the baseline
activity are designed to establish a clear picture of the goal and objective of the
procurement. In addition, a detailed understanding of the current environment is typically
established in order to determine if there is a gap between the current environment and
future needs. Finally, this baseline understanding of cost and service levels is useful in
conducting a cost/benefit or return on investment analysis.
Develop the Statement of Work, a technical document
that outlines basic requirements.
Draft the RFP based on the contents of the Statement
Proposal preparation tasks are focused on defining
the requirements, which are then presented in the form of a Statement of Work or similar
document. The Statement of Work indicates desired services, the roles and responsibilities
of each party, and the required service levels or performance standards.
Background on the financial institution and/or
Scope of services being requested, (e.g., web
hosting, infrastructure outsourcing, disaster recovery, etc.).
Background on the business process, including
current status, existing roles, and responsibilities of the people who will be working
with the vendor.
Statement on the confidentiality of information.
Statement of mission/vision of the financial
Statement of business objectives the institution
wants to achieve.
Statement of scope in terms of which business
functions, business units, applications, packages, geographies, and technology platforms
are being covered by the RFP.
Role of the service provider.
Service provider RFP question deadline.
Service provider analysis meeting (optional).
Proposal due date. (Generally, according to industry
practices, service providers need four weeks to respond comprehensively to anything other
than simple configurations. Less time may result in poorer, less innovative and probably
Service provider demonstration day.
Proposed implementation start date.
Statement of Work:
Detailed technical requirements, describing the
required business applications and their functionality, as well as the hardware and
infrastructure platform and communications requirements for each outsourced area and
Transition, implementation, training, start-up,
maintenance, and security requirements.
Performance criteria for success of solution.
Project management and service level reporting
Indication of performance/service level incentives
service providers encompass a broad range of entities including but not limited to
affiliated entities, nonaffiliated entities, and alliances of companies providing products
and services. This may include but is not limited to: core processing; information and
transaction processing and settlement activities that support banking functions such as
lending, deposit-taking, funds transfer, fiduciary, or trading activities;
Internet-related services; security monitoring; systems development and maintenance;
aggregation services; digital certification services, and call centers. Other terms used
to describe Service Providers include vendors, subcontractors, external service provider
(ESPs) and outsourcers.