Introduction
- In addition to traditional core bank processing and information technology services, financial institutions outsource operational activities such as
- accounting,
- appraisal management,
- internal audit,
- human resources,
- sales and marketing,
- loan review,
- asset and wealth management,
- procurement, and
- loan servicing.
- The Federal Reserve issues this guidance to financial institutions to highlight the potential risks arising from the use of service providers and to describe the elements of an appropriate service provider risk management program. For purposes of this guidance, “service providers” is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.
Risks From The Use Of Service Providers
- Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements –
- Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
- Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
- Reputational risks arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.
- Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
- Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
- Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.
Effective Program To Manage Outsourcing Risk
- A financial institution’s service provider risk management program should be risk-focused and provide oversight and controls corresponding to the level of risk presented by the outsourcing arrangements. It should focus on outsourced activities that have a substantial impact on a financial institution’s financial condition; are critical to the institution’s ongoing operations; involve sensitive customer information or new bank products or services; or pose material compliance risk. The depth and formality of the service provider risk management program will depend on the criticality, complexity, and number of material business activities being outsourced.
- Effective service provider risk management programs usually include the following core elements –
- Risk assessments,
- Due diligence and selection of service providers,
- Contract provisions and considerations,
- Incentive compensation review,
- Oversight and monitoring of service providers, and
- Business continuity and contingency plans.
A. Risk Assessments
- Risk assessment of a business activity and the implications of performing the activity in-house or having the activity performed by a service provider are fundamental to the decision of whether or not to outsource.
- A financial institution should determine whether outsourcing an activity is consistent with overall business strategy of the organization.
- After that determination is made, a financial institution should analyze the benefits and risks of outsourcing the proposed activity as well as the service provider risk, and determine cost implications for establishing the outsourcing arrangement.
- Consideration should also be given to the availability of qualified and experienced service providers to perform the service on an ongoing basis.
- Additionally, management should consider the financial institution’s ability to provide appropriate oversight and management of the relationship with the service provider.
- This risk assessment should be updated at appropriate intervals consistent with the financial institution’s service provider risk management program. A financial institution should revise its risk mitigation plans, if appropriate, based on the results of the updated risk assessment.
B. Due Diligence And Selection Of Service Providers
- Before engaging the service provider, a financial institution should conduct an evaluation of and perform the necessary due diligence for that provider. The degree of due diligence performed will vary depending on –
- the scope, complexity, and importance of the planned outsourcing arrangement,
- the financial institution’s familiarity with prospective service providers, and
- the reputation and industry standing of the service provider.
- Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed.
- The overall due diligence process includes a review of the service provider with respect to the following –
- Business background, reputation, and strategy,
- Financial performance and condition, and
- Operations and internal controls.
These three points will be discussed as part of the second learning objective later.
C. Contract Provisions And Considerations
- Financial institutions should understand the service contract and legal issues associated with proposed outsourcing arrangements.
- The terms of service agreements should be defined in written contracts that have been reviewed by the financial institution’s legal counsel prior to execution.
- The characteristics of the business activity being outsourced and the service provider’s strategy for providing those services will determine the terms of the contract.
- The elements of well-defined contracts and service agreements will be discussed as part of the third learning objective later.
D. Incentive Compensation Review
- Financial institutions should also ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts, including a review of whether existing governance and controls are adequate in light of risks arising from incentive compensation arrangements.
- The institution should consider whether the incentives provided might encourage the service provider to take imprudent risks. Inappropriately structured incentives may result in reputational damage, increased litigation, or other risks to the financial institution. An example of an inappropriate incentive would be one where variable fees or commissions encourage the service provider to direct customers to products with higher profit margins without due consideration of whether such products are suitable for the customer.
E. Oversight And Monitoring Of Service Providers
- To effectively monitor contractual requirements, financial institutions should establish acceptable performance metrics that the business line or relationship management determines to be indicative of acceptable performance levels.
- Financial institutions should ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement.
- The oversight process should be risk-focused. Higher risk service providers may require more frequent assessment and monitoring and may require financial institutions to designate individuals or a group as a point of contact for those service providers. For lower risk service providers, the level of monitoring can be lessened.
F. Business Continuity And Contingency
- Various events may affect a service provider’s ability to provide contracted services. For example, services could be disrupted by a provider’s performance failure, operational disruption, financial difficulty, or failure of business continuity and contingency plans during operational disruptions or natural disasters.
- Financial institution contingency plans should focus on critical services provided by service providers and consider alternative arrangements in the event that a service provider is unable to perform.
- When preparing contingency plans, financial institutions should –
- Ensure that a disaster recovery and business continuity plan exists,
- Assess the adequacy and effectiveness of the plan and its alignment to their own plan,
- Document the roles and responsibilities for maintaining and testing the plans,
- Test the plans on a periodic basis to ensure adequacy and effectiveness, and
- Maintain an exit strategy, including a pool of comparable service providers.
Due Diligence On Third Party Service Providers
As discussed earlier, the overall due diligence process includes a review of the service provider with respect to the following important aspects –
- Business background, reputation, and strategy,
- Financial performance and condition, and
- Operations and internal controls.
1. Business Background, Reputation And Strategy
- Financial institutions should review the following for a prospective service provider –
- Status in the industry,
- Corporate history and qualifications, and experience in providing the proposed service,
- Background and reputation of the provider and its principals,
- Background check program for its employees,
- Business model, including its business strategy and mission, service philosophy, quality initiatives, and organizational policies, and
- Resiliency and adaptability of the business model.
- Financial institutions should check the service provider’s references to ascertain its performance record and verify any required licenses and certifications.
- Financial institutions should also verify whether there are any pending legal or regulatory compliance issues (for example, litigation, regulatory actions, or complaints) that are associated with the prospective service provider and its principals.
2. Financial Performance And Condition
- Financial institutions should review the financial condition of the service provider and its closely-related affiliates. The financial review may include –
- The service provider’s most recent financial statements and annual report with respect to outstanding commitments, capital strength, liquidity, and operating results,
- The service provider’s sustainability, including factors such as the length of time that the service provider has been in business and its market share for a given service,
- The potential impact of the financial institution’s business relationship on the service provider’s financial condition,
- The service provider’s commitment in terms of both financial and staff resources,
- The adequacy of the service provider’s insurance coverage,
- The adequacy of the service provider’s review of the financial condition of any subcontractors, and
- Other current issues the service provider may be facing that could affect future financial performance.
3. Operations And Internal Controls
- Financial institutions are responsible for ensuring that services provided by service providers comply with applicable laws and regulations and are consistent with safe-and-sound banking practices. Some or all of the following may need to be reviewed –
- Internal controls,
- Facilities management (such as access requirements or sharing of facilities),
- Training, including compliance training for staff,
- Security of systems (for example, data and equipment),
- Privacy protection of the financial institution’s confidential information,
- Maintenance and retention of records,
- Business resumption and contingency planning,
- Systems development and maintenance,
- Service support and delivery,
- Employee background checks, and
- Adherence to applicable laws, regulations, and supervisory guidance.
Contract Topics And Provisions
The elements of well-defined contracts and service agreements include –
1) Scope –
- Contracts should clearly define the rights and responsibilities of each party, including the following –
- Support, maintenance, and customer service,
- Contract timeframes,
- Compliance with applicable laws, regulations, and regulatory guidance,
- Training of financial institution employees,
- The ability to subcontract services,
- The distribution of any required statements or disclosures to the financial institution’s customers,
- Insurance coverage requirements, and
- Terms governing the use of the financial institution’s property, equipment, and staff.
2) Cost and compensation –
- Contracts should describe the compensation, variable charges, and any fees to be paid for non-recurring items and special requests.
- Agreements should also address which party is responsible for the payment of any legal, audit, and examination fees related to the activity being performed by the service provider.
- Agreements should address the party responsible for the expense, purchasing, and maintenance of any equipment, hardware, software or any other item related to the activity being performed by the service provider.
- In addition, financial institutions should ensure that any incentives provided in contracts do not provide potential incentives to take imprudent risks on behalf of the institution.
3) Right to audit –
- Agreements may provide for the right of the institution to audit the service provider and/or to have access to audit reports. Agreements should define the types of audit reports the financial institution will receive and the frequency of the audits and reports.
4) Establishment and monitoring of performance standards –
- Agreements should define measurable performance standards for the services or products being provided.
5) Confidentiality and security of information –
- Information security measures for outsourced functions should be viewed as if the activity were being performed by the financial institution and afforded the same protections.
- Financial institutions have a responsibility to ensure service providers take appropriate measures designed to meet the objectives of the information security guidelines within Federal Financial Institutions Examination Council (FFIEC) guidance, as well as comply with section 501(b) of the Gramm-Leach-Bliley Act.
- Service agreements should also address service provider use of financial institution information and its customer information. Information made available to the service provider should be limited to what is needed to provide the contracted services. Service providers may reveal confidential supervisory information only to the extent authorized under applicable laws and regulations.
- If service providers handle any of the financial institution customer’s Nonpublic Personal Information (NPPI), the service providers must comply with applicable privacy laws and regulations. Financial institutions should require notification from service providers of any breaches involving the disclosure of NPPI data. The security of, retention of, and access to NPPI data should be addressed in any contracts with service providers. When a breach or compromise of NPPI data occurs, financial institutions have legal requirements that vary by state and these requirements should be made part of the contracts between the financial institution and any service provider that provides storage, processing, or transmission of NPPI data.
6) Ownership and license –
- Agreements should define the ability and circumstances under which service providers may use financial institution property inclusive of data, hardware, software, and intellectual property.
- Agreements should address the ownership and control of any information generated by service providers.
- If financial institutions purchase software from service providers, escrow agreements may be needed to ensure that financial institutions have the ability to access the source code and programs under certain conditions.
8) Indemnification –
- Agreements should provide for service provider indemnification of financial institutions for any claims against financial institutions resulting from the service provider’s negligence.
9) Default and termination –
- Agreements should define events of a contractual default, list of acceptable remedies, and provide opportunities for curing default.
- Agreements should also define termination rights, including change in control, merger or acquisition, increase in fees, failure to meet performance standards, failure to fulfill the contractual obligations, failure to provide required notices, and failure to prevent violations of law, bankruptcy, closure, or insolvency.
- Contracts should include termination and notification requirements that provide financial institutions with sufficient time to transfer services to another service provider.
- Agreements should also address a service provider’s preservation and timely return of financial institution data, records, and other resources.
10) Dispute resolution –
- Agreements should include a dispute resolution process in order to expedite problem resolution and address the continuation of the arrangement between the parties during the dispute resolution period.
11) Limits on liability –
- The contract may allow service providers to limit their liability contractually, provided the board of directors and senior management of the financial institution approve the limitation.
12) Insurance –
- The contract should specify that service providers have adequate insurance and provide financial institutions with proof of insurance, and also that they should notify financial institutions when there is a material change in their insurance coverage.
13) Customer complaints –
- Agreements should specify the responsibilities of financial institutions and service providers related to responding to customer complaints.
- If service providers are responsible for customer complaint resolution, agreements should provide for summary reports to the financial institutions that track the status and resolution of complaints.
14) Business resumption and contingency plan of the service provider –
- Agreements should address the continuation of services provided by service providers in the event of operational failures.
- Agreements should address service provider responsibility for backing up information and maintaining disaster recovery and contingency plans.
- Agreements may include a service provider’s responsibility for testing of plans and providing testing results to financial institutions.
15) Foreign-based service providers –
- For agreements with foreign-based service providers, financial institutions should consider including express choice of law and jurisdictional provisions that would provide for the adjudication of all disputes between the two parties under the laws of a single, specific jurisdiction. Such agreements may be subject to the interpretation of foreign courts relying on local laws.
- Financial institutions should seek legal advice regarding the enforceability of all aspects of proposed contracts with foreign-based service providers and the other legal ramifications of such arrangements.
16) Subcontracting –
- If agreements allow for subcontracting, the same contractual provisions should apply to the subcontractor.
- Contract provisions should clearly state that the primary service provider has overall accountability for all services that the service provider and its subcontractors provide.
- Agreements should define the services that may be subcontracted, the service provider’s due diligence process for engaging and monitoring subcontractors, and the notification and approval requirements regarding changes to the service provider’s subcontractors.
- Additionally, agreements should include the service provider’s process for assessing the subcontractor’s financial condition to fulfill contractual obligations.