BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF BANKING
SUPERVISION AND REGULATION
DIVISION OF CONSUMER AND
COMMUNITY AFFAIRS

SR 13-19
CA 13-21
December 5, 2013

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE
BANK AND INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE

SUBJECT: Guidance on Managing Outsourcing Risk

Applicability: This guidance applies to all financial institutions supervised by the Federal
Reserve, including those with $10 billion or less in consolidated assets.

The Federal Reserve is issuing the attached Guidance on Managing Outsourcing Risk to
assist financial institutions[1] in understanding and managing the risks associated with outsourcing
a bank activity to a service provider to perform that activity. This Federal Reserve guidance
builds upon the FFIEC Outsourcing Technology Services Booklet (2004) that addresses
outsourced information technology services and remains in effect.[2]

The attached guidance addresses the characteristics, governance, and operational
effectiveness of a financial institution’s service provider risk management program for
outsourced activities beyond traditional core bank processing and information technology
services. Further, this guidance applies to all service provider relationships regardless of the type
of bank activity that is outsourced. In summary, the guidance describes
• Risks from the Use of Service Providers: discusses potential risks arising from service
provider relationships.

• Board of Directors and Senior Management Responsibilities: outlines supervisory
expectations for a financial institution’s board of directors and senior management in
managing risks associated with service provider relationships.

• Service Provider Risk Management Programs: describes the broad framework and
processes to effectively manage risks associated with service provider relationships.

[1] For purposes of this guidance, “financial institutions” refers to state member banks, bank and savings and loan
holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.

[2] See FFIEC Outsourcing Technology Services (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcingtechnology-services.aspx.

Reserve Banks are asked to distribute this guidance to supervised financial institutions, as
well as to appropriate supervisory and examination staff. Questions on the attached guidance
should be addressed to:
• Division of Banking Supervision and Regulation: Adrienne Haden, Assistant Director,
Operations and Information Technology Policy, at (202) 452-2058; or Neha Contractor,
Supervisory Financial Analyst, Operations and Information Technology Policy, at
(202) 973-7399.

• Division of Consumer and Community Affairs: Phyllis L. Harwell, Assistant Director,
Consumer Compliance, at (202) 452-3658.

In addition, questions may be sent via the Board’s public website.[3]

Maryann F. Hunter
Acting Director
Division of Banking Supervision
and Regulation

Sandra F. Braunstein
Director
Division of Consumer
and Community Affairs

Attachment:
• Guidance on Managing Outsourcing Risk
Cross-References:
• SR letter 13-1/CA letter 13-1, “Supplemental Policy Statement on the Internal Audit
Function and Its Outsourcing”

• SR letter 11-7, “Guidance on Model Risk Management”
• SR letter 06-4, “Interagency Advisory on the Unsafe and Unsound Use of Limitations on
Liability Provisions in External Audit Engagement Letters”
• SR letter 03-5, “Amended Interagency Guidance on the Internal Audit Function and its
Outsourcing”

[3] See http://www.federalreserve.gov/apps/contactus/feedback.aspx.