Safeguarding Customer Information
About Outsourcing
Today, the data processing environment of many banks consists not only of a core processing system but also of several separate and distinct supplemental transaction processing systems (e.g., ATM/debit card, ACH/wire transfer, telephone banking, and personal computer/Internet banking systems). Most banks have also found it necessary to deploy local-area networks, wide-area networks, and/or Internet connectivity over the past several years.
The increasing complexity and interconnectivity of all such bank-related systems, together with the difficulty of hiring and retaining staff with networking and Internet expertise, has led to increased use of third-party data processing service providers and network consultants. Simultaneously, the financial service provider and software vendor industries have become more dynamic, with new market entrants and heightened merger/acquisition activity.
Prior to the emergence of the century date change issue in the late 1990s, regulatory examinations specifically focused on the IT environments and controls of only those banks that conducted processing of core applications (e.g., deposits, loans, general ledger, etc.) on in-house computer systems. Those institutions that outsourced their core application processing were generally subject to only cursory evaluations of their information technology controls.
Preparation for the century date change event, current industry trends, and the regulatory emphasis on risk-focused supervision, led to a change in the regulatory approach to information technology examinations in all sizes of banks. Most importantly, supervisory processes now routinely include an evaluation of IT controls and activities at all institutions, whether core processing occurs in-house or is outsourced to an external party. Furthermore, a consensus has emerged that the IT-related risks inherent in a bank’s outsourced activities are substantially the same as those associated with processing activities conducted in-house. In fact, risk in an outsourced environment may be greater given the lesser degree of direct control exercisable by the client over operations at an external service provider.
These documents outline the key elements of and regulatory expectations for an institution’s risk management of relationships with external servicers, vendors, and/or consultants. Briefly, these include:
Risk Assessment: Banks should identify and assess the key risks and the potential mitigating controls associated with the activities to be outsourced. Bank management and directorates are responsible for determining the minimum control elements that must be in place to reduce inherent risk to prudent residual levels.
Due Diligence in Selection of Service Provider: Banks should review/analyze the operational competence, internal control environment, and financial stability of service provider candidates during the selection process.
Written Contracts: A written contract or service agreement between the servicer and the client bank should be executed. It should outline the terms, responsibilities, liabilities, and service level agreements in detail commensurate with the scope and risks associated with the services to be provided. Contracts should provide assurances for performance, reliability, security, confidentiality, and reporting.
Ongoing Service Provider Monitoring/Oversight: Banks should implement oversight policies and practices to monitor each servicer’s controls, financial condition, and performance commensurate with the criticality of the services provided. Control information to be reviewed can include data integrity and security controls, availability controls within the servicer’s infrastructure and through its disaster recovery planning, and internal and/or external audit reports. Banks are expected to document the analyses conducted and the conclusions reached and reported to senior management and/or the directorate.
Drawing from the referenced supervisory statements, Federal Reserve examiners will employ the following principles in evaluating an institution’s vendor management practices.
An institution’s IT-related risk controls over outsourced processing should be equivalent to those needed in an in-house processing environment.
While the issued regulatory guidance directly addresses outsourced information and data processing, the risk management principles are also generally applicable to relationships with key software vendors and their products purchased for in-house use and with IT-related consultants.
The formality of vendor management practices for any particular servicer, vendor, and/or external consultant should be commensurate with the criticality of the information and/or transactions processed and the potential for impact on the institution’s traditional banking risks (i.e., credit, market, liquidity, operational, legal, and reputational risks).
An institution’s board of directors and executive management are responsible for understanding and assessing risk and for determining proper controls. While the board and management can delegate the technical implementation of IT controls to servicers and consultants, they cannot delegate the responsibility for periodic IT risk assessments, for determining prudent control policies and standards, and for monitoring the control environment. Ultimately, the client bank in a servicing arrangement retains responsibility and accountability for the integrity, security, and availability of its data.
Frequently Asked Questions
1. Are all banks, including those with in-house core application processing, expected to have a formal vendor management program in place?
Yes. All banks are expected to include vendor management practices in their IT-related policies commensurate with the criticality and potential safety and soundness impact of the services outsourced. Clearly, those banks that outsource core application processing should have extensive written procedures. Those institutions with in-house core application processing should have procedures in place to evaluate the performance, stability, and viability of the core application software vendor. Further, regardless of the core application processing environment, vendor management practices should be in place for third-party servicers and/or software providers that facilitate the capture, transmission, and/or settlement of transactional inputs (e.g., ATM/debit card, ACH/wire transfer, telephone banking, and Internet banking transactions).
2. Do regulators expect that a client bank’s legal counsel review each service contract prior to execution?
Vendor management guidelines do suggest that an institution’s legal counsel review service contracts prior to execution. Clearly, the intent of the guidelines is to ensure that both parties, particularly the client bank, understand their obligations, rights, and remedies under a proposed service contract.
In a community bank setting, legal review by counsel is likely warranted where the proposed services are mission critical and/or have the potential to significantly impact the bank’s traditional risk elements (credit, market, liquidity, operations, legal, reputational). Other factors to consider include the complexity of the services in question and the use of standard versus custom provisions in the proposed agreement.
3. Do regulators expect service contracts to include provisions granting a client bank access to a servicer’s control policies and procedures, third-party control reviews or audits, contingency plans and test results, and financial performance data?
Vendor management guidelines clearly stipulate that client banks gather and analyze such information in reaching conclusions during the servicer selection and ongoing monitoring processes. Accordingly, it is prudent to confirm the servicer’s periodic delivery of such items under provisions of the service agreement/contract. A service provider’s refusal to address such items in a service contract, and particularly its refusal to provide such items under any circumstances, should weigh against a bank’s decision to commence or continue any service arrangement with that servicer.
Also see Appendix D-2 to Regulation H containing guidelines for the inclusion of customer information safekeeping provisions within contracts with information and data processing service providers.
4. Relative to ongoing monitoring of vendor relationships, does periodic receipt and retention of vendor information satisfy regulatory expectations?
Generally, no; simple receipt and retention of such information is insufficient to comply with regulatory guidelines. The information should be analyzed and conclusions reached regarding:
The servicer’s compliance with the performance provisions of the service contract;
The adequacy of the servicer’s control environment and contingency planning;
The adequacy of and the findings from an independent review/audit of the servicer’s control environment; and
The ongoing financial stability/viability of the servicer.
This process should be undertaken at least annually, and the conclusions reached should be documented and presented to senior management and/or the directorate.
5. Are community banks expected to participate directly in the IT-related audits and/or disaster recovery testing of their critical or significant service providers?
Generally, no; participation by every client in a servicer’s IT-related audits and/or disaster recovery testing is not feasible. However, indirect participation through a national or regional user group is beneficial where applicable. Relative to an independent audit/review of a servicer’s control environment, client banks should follow up with the servicer on any significantly adverse findings/exceptions. Relative to contingency planning, client banks should approach their own contingency planning from two perspectives. First, what actions must the client take to reestablish processing should the servicer be forced to relocate to an alternative processing site? Second, what actions must be taken should the client bank itself be forced to relocate to an alternative operating site?
6. What are the vendor management-related regulatory expectations for a community bank’s use of a local consultant in establishing and administering a LAN and/or WAN?
First and foremost is the necessity for the client bank’s management to clearly define the desired purposes and functionality of the network and to establish related control policies and standards. Such definitions and standards are to govern the general deployment and configuration of network hardware and applications. They should also govern the integrity, security, and availability of network data and programs commensurate with the criticality of the information and processing associated with the network. (Note: the accessibility of non-public customer information over or on the network requires that, at a minimum, security access controls be in place.)
Community banks’ use of local network consultants for information and advice relative to the technical aspects and potential risks of network deployment is common. Additionally, such consultants often perform the installation of network hardware and software. However, the actual deployment and control standards decided upon must remain the responsibility of the bank’s directorate and management team. As the ultimate administrators of the bank’s affairs, management and the directorate cannot outsource the responsibility and accountability for such decisions.
Recent examination experience reveals that many local network consultants prefer to provide technical and administrative services on an informally agreed cost-per-hour basis, without a written service agreement/contract. While a written contract outlining the services to be provided is preferable, examiners have not been highly critical of such situations and have recommended, at a minimum, that a nondisclosure or confidentiality agreement be executed.
American Bankers Association