Home > Third-Fourth Quarter 2014 > Managing Service Provider Relationships and Risks: Questions Concerning Federal Reserve Guidance on Managing Outsourcing Risk

Managing Service Provider Relationships and Risks: Questions Concerning Federal Reserve Guidance on Managing Outsourcing Risk
by Roger Pittman, Director of Examinations, Supervision and Regulation, Federal Reserve Bank of Atlanta

The Board of Governors of the Federal Reserve System issued supervisory guidance on managing outsourcing risk on December 5, 2013.1 This article covers some of community bankers’ most frequently asked questions regarding the guidance as well as the supervisory process for reviewing a bank’s outsourcing arrangements.


QuestionWas there existing guidance on this topic? Why did the Federal Reserve see a need to issue this guidance?


Answer In 2004, the Federal Financial Institutions Examination Council (FFIEC) issued the booklet “Outsourcing Technology Services” as part of its Information Technology Examination Handbook,2 and the Federal Reserve’s 2013 guidance expands upon this existing guidance. The Federal Reserve’s guidance places particular emphasis on the importance of sound risk management practices for all outsourcing relationships (i.e., not just technology services).


Question What is the difference between vendors, third-party suppliers, contractors, and service providers?


Answer Terms such as vendor, third-party supplier, contractor, and service provider can be used to signify a specific type of product, service, or activity that is provided by a third-party affiliate or nonaffiliated entity to a financial institution. Although these terms are sometimes used interchangeably, the guidance uses service provider because it is relatively all-encompassing and focuses on relationships in which business functions or activities are provided to financial institutions. The guidance also defines a service provider as an entity that may be a bank or a nonbank, affiliated or nonaffiliated, regulated or nonregulated, and domestic or foreign.


Question Which financial institutions are subject to the Federal Reserve’s guidance?


Answer The Federal Reserve’s guidance applies to all state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations. The Office of the Comptroller of the Currency (OCC)3 and the Federal Deposit Insurance Corporation (FDIC)4 have issued similar guidance for institutions that they supervise.


Question If a community bank has already implemented risk management practices for outsourcing arrangements to its non–information technology relationships, can the institution assume that it is in compliance with the guidance?


Answer A financial institution’s program may be very close to meeting the 2013 guidance if the current program covers all outsourcing arrangements,5  but it should be reviewed for any existing gaps. Just like the FFIEC’s guidance on outsourcing of information technology, the Federal Reserve’s guidance addresses the core elements of a service provider risk management program as generally including risk assessments, due diligence and selection of service providers, contract provisions, oversight and monitoring, business continuity and contingency plans, and foreign-based service providers. However, the guidance has been updated to include new considerations such as incentive compensation, suspicious activity report filing, internal audit, and model risk management activities.


Question How frequently should risk assessments be conducted?


Answer A financial institution should consider the criticality of the service and the level of risk when determining the frequency of conducting risk assessments of outsourced business functions or activities. Services with higher levels of risk or greater criticality should be subject to more frequent risk assessment and may also warrant certain types of ongoing monitoring. Risks may also need to be reassessed if the relationship between the service provider and the institution changes.


Question Are service providers examined, and can banks receive a copy of the reports?


Answer Not all service providers are examined, but internal controls can be assessed by reviewing audits or reports such as the American Institute of Certified Public Accountants’ Service Organization Control 2 Report.6 Technology service providers (TSPs) are examined jointly by the Federal Reserve, the FDIC, and the OCC (collectively referred to as the agencies). Information technology–related examinations of TSPs are conducted according to the guidelines contained in the “Supervision of Technology Service Providers” booklet, which is part of the FFIEC Information Technology Examination Handbook.7


While conducting supervisory activities, examiners obtain lists of regulated financial institutions that are serviced by TSPs. The lists of customers are used to identify and validate regulated financial institutions that are entitled to copies of the reports. The agencies then distribute the reports to serviced financial institutions, either automatically or upon request. A financial institution may request a copy of the examination report from the institution’s primary federal regulator. However, only institutions that have a valid and current contract with the TSP as of the date of the examination will receive the report. The TSP examination reports remain the joint property of the agencies and are provided to financial institutions for their internal and confidential use.


Question How should a community bank implement the guidance? What should be completed before the examination?


Answer A community bank should begin by completing a gap analysis to identify whether its current program needs to be adjusted to meet supervisory expectations. An implementation plan should then be developed to address any identified gaps. The plan should include activities, timelines for completion, a list of responsible parties, and status reporting requirements.


Examiners will review the gap analysis and the implementation plan during the initial examination and assess whether they are appropriate for the community bank. During subsequent reviews, examiners will assess progress in executing the implementation plan and identify any issues.


Question What if bankers have additional questions?


Answer The Federal Reserve held two Ask the Fed sessions, on March 5 and 21, 2014, where bankers were able to ask questions concerning the guidance. Bankers can listen to archives of these presentations since all Ask the Fed sessions are recorded and can be accessed online by financial institutions. Visit www.askthefed.org to sign up to view the presentation and hear the sessions. Bankers may also direct questions to bank supervision staff at their local Reserve Banks.


Back to top

System Outreach

The Federal Reserve System provides various resources for training, services, and more.

Learn more »

Policy and Guidance

Connect to various Federal Reserve resources, including SR and CA Letters, regulations, request for comment on rulemaking proposals, the latest Federal Reserve System speeches, and more.

Learn more »


Community Banking Connections is a quarterly Federal Reserve System publication available electronically or in print.

Learn more »


We want to hear from you! Please share with us any comments, suggestions, or topics that you would like to see on our website or in our publications.

Learn more »