Federal Reserve Publishes Guidance on Managing Outsourcing Risk of Service Provider Relationships


The Federal Reserve recently added to the growing body of regulatory guidance on the topic of financial institution management of service provider outsourcing relationships by issuing its Guidance on Managing Outsourcing Risk (the Guidance). The Guidance applies to financial institutions of any asset size under the supervision of the Federal Reserve, including state member banks, banks and savings and loan holding companies (and their nonbank subsidiaries), and foreign banking organizations’ U.S. operations.

On January 9, 2014, from 12 p.m. to 1 p.m. ET, Ballard Spahr will conduct a webinar regarding risk management of third-party relationships by financial institutions. The registration form is now available.

The Guidance is intended to supplement, not replace, existing guidance pertaining to the outsourcing of bank internal functions to third parties, and specifically including technology service providers. As noted in its accompanying press release, the Guidance relates to third-party service providers, including consultants. The term “service provider” is defined broadly, encompassing virtually any entity entering into a contractual relationship with a financial institution to provide business functions or activities, such as accounting, auditing, loan review, compliance, and risk management.

The Guidance touches on some of the familiar risks of using service providers to perform operational functions. It also notes the responsibilities of the board of directors and senior management in establishing and overseeing the execution of appropriate risk management and related compliance structures compliant with applicable law and regulation, as well as safety and soundness considerations. In addition, it discusses elements the regulator believes to be typically associated with effective risk management programs, including:

  • Pre-decision outsourcing risk assessments and assessment of internal oversight capabilities
  • Due diligence and selection of service providers, based on review of business background and reputation, financial condition, and quality of operational and internal controls
  • Considerations and advice regarding contractual elements and provisions, including review by legal counsel before execution
  • Incentive compensation review and related considerations
  • Structures for oversight, use of performance metrics, and monitoring of service providers, including with respect to adequacy of their financial condition and internal control environment
  • Business continuity, disaster recovery, and contingency planning issues
  • A few more specialized risk considerations, such as risks attendant to foreign-based service providers, and special considerations for outsourcing internal audit functions

The Guidance is less comprehensive than the risk management guidance for third-party relationships published by the Office of the Comptroller of the Currency (OCC) in October, although it is thematically similar. (The OCC’s guidance was the subject of a previous alert.) This may be due partly to the fact that the Guidance supplements existing Federal Reserve guidance in this area, versus the OCC guidance, which rescinds certain longstanding OCC guidance.

Both sets of guidance agree that risk management processes should be commensurate with the risk and complexity of third-party relationships. The OCC, however, generally requires more extensive and rigorous oversight of relationships that involve critical activities. By contrast, the Federal Reserve seems to recognize that, at least for community banks, if the numbers of such relationships are few and with highly reputable service providers, simpler risk management programs employing fewer considerations may be appropriate, even where critical business activities are being outsourced.