Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Appendix D—Outsourcing-Related Guidance
Despite their relative newness, offshoring issues from a regulatory perspective are covered by previously released regulatory guidance regarding outsourcing. Relevant regulatory guidance comes in the form of guidelines from the Federal Financial Institutions Examination Council, the FDIC, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration, and includes the following:
Federal Financial Institutions Examination Council
Risk Management of Outsourced Technology Services (November 28, 2000). This guidance outlines the processes banks should use to manage the risks associated with outsourcing technology services.
Guidance in Draft Form
FFIEC Update of "Information Technology Outsourcing Booklet." This will discuss how institutions should manage outsourced information technology relationships, from an initial risk assessment through ongoing monitoring.
Federal Deposit Insurance Corporation
FIL-49-99: Bank Service Company Act (June 3, 1999). This FIL reminds FDIC-supervised institutions of the reporting requirements contained in Section 7 of the Bank Service Company Act, and provides a standard form to facilitate compliance.
FIL-81-2000: Risk Management of Technology Outsourcing (November 29, 2000). This FIL provides interagency guidance on managing the risk exposure an institution faces when it contracts with an information technology service provider.
FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents (June 4, 2001).
"Effective Practices for Selecting a Service Provider"
Provides banks with information and suggestions regarding selection of a competent and qualified service provider.
"Tools to Manage Technology Providers' Performance Risk: Service Level Agreements."
This brochure discusses the Service Level Agreement as an effective tool for managing the risks associated with technology outsourcing and describes practices for measuring and monitoring service providers' performance.
"Techniques for Managing Multiple Service Providers."
This document serves as a resource for banks in addressing specific challenges relating to selecting an information technology service provider. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.
FDIC FIL-23-2002: Country Risk (March 11, 2002). This FIL describes the elements of an effective country risk management process and is intended to guide examiners when they evaluate the management of country risk in internationally active banks.
Guidance in Draft Form
FDIC FIL: "Guidance Concerning Bank Use of Foreign-Based Third-Party Service Providers." This FIL provides guidance specifically on managing the risk exposure an institution faces when it contracts with a foreign information technology service provider.
Federal Reserve Board
SR 00-4 (SUP), Outsourcing of Information and Transaction Processing (February 29, 2000). This letter reiterates and clarifies the Federal Reserve's expectations regarding the management of outsourced information and transaction processing activities by banks, either to affiliated institutions or third-party service providers.
SR 00-17 (SPE) Guidance on the Risk Management of Outsourced Technology Services (November 30, 2000). This letter informs institutions of the guidance issued by the FFIEC to financial institutions regarding risk management of outsourced technology services.
FRBNY White Paper: "Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks" (August 29, 1999). This paper summarizes industry practices to identify, measure, monitor, and control applicable risks. It reviews outsourcing as a business strategy.
Office of the Comptroller of the Currency
OCC Bulletin 2002-16: Bank Use of Foreign-Based Third-Party Service Providers (May 15, 2002). This bulletin provides guidance to national banks on managing risks that may arise from their outsourcing relationships with foreign-based third-party service providers.
OCC Bulletin 2002-10: Country Risk (March 11, 2002). This statement describes the elements of an effective country risk management process and is intended to guide examiners when they evaluate the management of country risk in internationally active banks.
OCC Bulletin 2001-8: Guidelines Establishing Standards for Safeguarding Customer Information (February 15, 2001). The purpose of this bulletin is to alert National Banks, Service Providers and Software Vendors of the joint-agency issuance of the guidelines establishing standards for safeguarding customer information and to highlight provisions of the guidelines. The guidelines describe the OCC's expectations for the creation, implementation, and maintenance of a comprehensive information security program.
OCC Bulletin 2001-47: Third-Party Relationships (November 1, 2001). This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. A bank's use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
OCC Bulletin 2000-21: Privacy of Consumer Financial Information (June 20, 2000). In June 2000, the OCC published jointly with the FRB, the FDIC and the OTS a new regulation, 12 CFR Part 40, to implement privacy provisions of the Gramm-Leach-Bliley Act (GLBA). This bulletin contains a copy of the final rule as it appeared in the Federal Register and contains a summary of the final rule that the OCC prepared to assist national banks in their compliance efforts.
OCC White Paper: "Cross-Border Outsourcing and Risk Management for Banks" (August 13, 2003). This article outlines the risk management challenges banks face when information technology and business processes are outsourced to offshore locations.
Office of Thrift Supervision
Thrift Bulletin 82: Third-Party Arrangements (March 18, 2003). This document provides guidance on third-party arrangements, whether they occur between affiliated or unaffiliated entities. The bulletin informs institutions that the OTS expects directors and management to effectively manage risks that arise from all types of third-party arrangements. It also notifies thrifts that OTS examiners will review internal controls and management of third-party arrangements during the course of regularly recurring safety and soundness examinations, and will request appropriate corrective action, when needed, to ensure that the arrangements satisfy safety and soundness standards.
CEO Letter 113: Internal Controls (July 14, 1999). This memorandum, issued to thrift CEOs, reminds management of the importance of maintaining strong internal controls and that each savings association must have internal controls and an internal audit appropriate to the size of the association and the nature and scope of its activities.
CEO Letter 133: Risk Management of Technology Outsourcing (November 29, 2000). This letter informs thrift CEOs of the guidance issued by the FFIEC to financial institutions regarding risk management of outsourced technology services.
Thrift Activities Handbook: Section 340, Internal Control Program. Examination guidelines were issued in February 2002 as part of the OTS Regulatory Handbook establishing the objectives and procedures for assessing institutions' internal control systems.
Thrift Activities Handbook: Section 341, Technology Risk Controls. Examination guidelines were issued in January 2002 as part of the OTS Regulatory Handbook establishing the objectives and procedures for assessing institutions' technology risk controls.
National Credit Union Administration
NCUA Letter to Credit Unions No. 02-CU-17: E-Commerce Guide for Credit Unions. This letter provides NCUA's e-Commerce Guide for credit unions. It offers information to assist credit unions engaging in, or considering, e-Commerce activities in the form of electronic delivery of financial services via the Internet.
NCUA Letter to Credit Unions No. 01-CU-20: Due Diligence over Third-Party Service Providers. This letter reminds credit union officials that they are responsible for planning, directing, and controlling the credit union's affairs. It establishes the requirement of due diligence review prior to entering into any arrangements with a third party.
NCUA Letter to Credit Unions No. 00-CU-11: Risk Management of Outsourced Technology Services. This letter informs credit unions of the guidance issued by the FFIEC to financial institutions regarding risk management of outsourced technology services.