The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D.C. 20551 DIVISION OF BANKING SUPERVISION AND REGULATION DIVISION OF CONSUMER AND COMMUNITY AFFAIRS SR 13-19 CA 13-21 December 5, 2013 TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE SUBJECT: Guidance on Managing Outsourcing Risk Applicability: This guidance applies to all financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets. The Federal Reserve is issuing the attached Guidance on Managing Outsourcing Risk to assist financial institutions 1 in understanding and managing the risks associated with outsourcing a bank activity to a service provider to perform that activity. This Federal Reserve guidance builds upon the FFIEC Outsourcing Technology Services Booklet (2004) that addresses outsourced information technology services and remains in effect. 2 The attached guidance addresses the characteristics, governance, and operational effectiveness of a financial institution’s service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services. Further, this guidance applies to all service provider relationships regardless of the type of bank activity that is outsourced. In summary, the guidance describes • Risks from the Use of Service Providers: discusses potential risks arising from service provider relationships. • Board of Directors and Senior Management Responsibilities: outlines supervisory expectations for a financial institution’s board of directors and senior management in managing risks associated with service provider relationships. 1 For purposes of this guidance, “financial institutions” refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations. 2 See FFIEC Outsourcing Technology Services (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcingtechnology-services.aspx. Page 1 of 2 • Service Provider Risk Management Programs: describes the broad framework and processes to effectively manage risks associated with service provider relationships. Reserve Banks are asked to distribute this guidance to supervised financial institutions, as well as to appropriate supervisory and examination staff. Questions on the attached guidance should be addressed to: • Division of Banking Supervision and Regulation: Adrienne Haden, Assistant Director, Operations and Information Technology Policy, at (202) 452-2058; or Neha Contractor, Supervisory Financial Analyst, Operations and Information Technology Policy, at (202) 973-7399. • Division of Consumer and Community Affairs: Phyllis L. Harwell, Assistant Director, Consumer Compliance, at (202) 452-3658. In addition, questions may be sent via the Board’s public website. 3 Maryann F. Hunter Acting Director Division of Banking Supervision and Regulation Sandra F. Braunstein Director Division of Consumer and Community Affairs Attachment: • Guidance on Managing Outsourcing Risk Cross-References: • SR letter 13-1/CA letter 13-1, “Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing” 3 • SR letter 11-7, “Guidance on Model Risk Management” • SR letter 06-4, “Interagency Advisory on the Unsafe and Unsound Use of Limitations on Liability Provisions in External Audit Engagement Letters” • SR letter 03-5, “Amended Interagency Guidance on the Internal Audit Function and its Outsourcing” See http://www.federalreserve.gov/apps/contactus/feedback.aspx. Page 2 of 2