Sidley Austin discusses Fed’s New Guidance on Managing Outsourcing Risk

On December 5, 2013, the Board of Governors of the Federal Reserve System (“Board”) released Supervisory Letter SR 13-19, “Guidance on Managing Outsourcing Risk” (“Guidance”). The Guidance is the most recent publication in a series of supervisory and enforcement actions by federal regulators of financial institutions clarifying regulatory expectations with respect to outsourcing and selection and management of third party service providers. The Guidance describes the heightened regulatory scrutiny that now applies to the outsourcing activities of covered financial institutions. Accordingly, financial institutions subject to the Guidance should review, and update as appropriate, their policies and procedures for evaluating, engaging and monitoring outsourced activities and third party service provider relationships, taking into account the expectations expressed in the Guidance.

Scope of the Guidance

The Guidance applies to all financial institutions (state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries) and U.S. operations of foreign banking organizations) supervised by the Board, regardless of size. For purposes of the Guidance, the Board broadly defines “service providers” to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities. The Guidance does not replace, but is supplemental to, other regulatory guidance on third-party risk applicable to the covered financial institutions. In fact, the Guidance refers financial institutions to other specific regulatory guidance with respect to specific topics.

Overview of Board Outsourcing Risk Management Expectations

The Guidance states that financial institutions are responsible for ensuring that services provided by service providers comply with applicable laws and regulations and are consistent with safe-and-sound banking practices, and sets forth the Board’s expectations on how financial institutions should manage outsourcing decisions and relationships.

The Board expects each financial institution to develop and implement a “risk-based” service provider risk management program that is “commensurate with the level of risk” raised by the financial institution’s outsourcing activities. Accordingly, each financial institution should consider and identify the applicable risks that may arise in connection with outsourcing financial institution functions and monitor those risks during the course of an outsourcing relationship. Such risks include: compliance risks, concentration risks, reputational risks, country risks through foreign service providers, operational risks and legal risks.

Although this risk-based approach recognizes that the depth and formality of a financial institution’s service provider risk management program may depend on the nature and complexity of the outsourced activities, the Guidance articulates certain elements that are usually present in effective programs. These elements include the following, each of which is discussed in greater detail below: risk assessments, due diligence and selection of service providers, contract provisions and considerations, incentive compensation review, oversight and monitoring of service providers and business continuity and contingency plans. Accordingly, a financial institution should evaluate carefully any proposal to deviate from any of the elements highlighted by the Guidance.

Risk Assessments. Before outsourcing an activity, a financial institution should determine whether outsourcing is consistent with the financial institution’s overall strategy. Following such a determination, a financial institution should assess the benefits and risks of outsourcing the particular activity, including the associated service provider risk and cost. A financial institution should also consider the availability of qualified, experienced service providers, and the financial institution’s ability to adequately manage and oversee the outsourcing. A financial institution should review and update, as appropriate, its risk assessments at intervals consistent with the financial institution’s service provider risk management plan.

Due Diligence and Selection of Service Providers. A financial institution should conduct due diligence before engaging a prospective service provider. The Guidance acknowledges that the level and depth of due diligence may depend on certain variables, including the scope, complexity and importance of the outsourcing arrangement. However, in general, due diligence should include a review of the prospective service provider’s:

  • background, reputation and strategy (including a review of the entity’s principals and ensuring appropriate background checks have been performed on the entity’s employees);
  • financial performance and condition (including a review of the entity’s closely-related affiliates and determining the adequacy of the entity’s insurance coverage and the adequacy of the financial condition of any of the entity’s subcontractors); and
  • operations and internal controls (including an evaluation of the entity’s standards, policies and procedures, such as the entity’s data security and privacy policies and business resumption and contingency planning policies, among others).

Contract Provisions and Considerations. The Guidance provides that the terms of service agreements should be defined in written contracts that have been reviewed by the financial institution’s legal counsel before execution. Although the Guidance provides that the nature of outsourced activity and the service provider’s strategy will determine the contract terms, the Guidance specifically identifies several elements that are included in well-defined contracts and service agreements, including scope, cost and compensation, audit rights, performance standards, confidentiality and data security, intellectual property rights, indemnification, default and termination, dispute resolution, liability limits, insurance, customer complaints, business continuity planning, foreign-based services and subcontracting.

Although many of the contractual elements identified in the Guidance are already commonplace in financial institution service provider contracts, the Guidance also articulates certain contractual expectations that are often the subject of contentious negotiations in the marketplace. For example, the Guidance provides that service contracts should require service providers to indemnify financial institutions for losses resulting from the service provider’s simple negligence. (Interestingly, the guidance issued by the Office of the Comptroller of the Currency on this point refers to indemnity against claims arising out of the provider’s failure to perform, i.e., a contractual breach standard.) Such a provision is likely to lead to difficult negotiations with service providers that seek to limit their indemnity obligations to a higher standard of fault, such as gross negligence or willful misconduct.

The Guidance emphasizes the importance of contractual provisions related to the protection of consumer information and the financial institution’s confidential information. A service provider should provide the same customer information protections that the financial institution provides for its customers, and the service provider’s security processes should map directly to the financial institution’s own processes. A service provider’s use of financial institution information and customer information should be limited to what is needed to provide the service. Contracts should also include provisions related to the security of, retention of, and access to nonpublic personal information, if applicable, including the provision of data breach notices and the parties’ obligations under applicable laws in the event of a data breach.

Incentive Compensation Review. Financial institutions should have a process to review and approve incentive compensation arrangements in outsourcing contracts to ensure the service provider is not encouraged to take imprudent risks that could result in reputational damage and other risks, such as litigation risk.

Oversight and Monitoring of Service Providers. Financial institutions should have procedures to oversee and monitor their service providers on an ongoing basis. These procedures should include performance metrics to evaluate whether a service provider is performing at an acceptable level, and should designate personnel with sufficient expertise and stature to manage and oversee the outsourced arrangement. These procedures should also include risk-based reporting and monitoring at a frequency and level of detail appropriate to the level of risk. Monitoring procedures should include ongoing monitoring of the financial condition of the service provider and its significant subcontractors, assessment of the service provider’s internal controls, and identification of the circumstances that trigger escalated oversight and monitoring of a service provider.

Business Continuity and Contingency Considerations. Financial institutions should have contingency plans for outsourced activities. Such plans should focus on critical services and consider alternatives where a service provider is not able to perform. In addition, a financial institution should:

  • ensure that the service provider has an adequate and effective disaster recovery and business continuity plan for the contracted services that aligns with the financial institution’s own plan;
  • document roles and responsibilities for maintaining and testing the service provider’s plan;
  • provide for periodic testing of the service provider’s plan; and
  • maintain an exit strategy, including a pool of comparable replacement service providers, in case the service provider is unable to perform.

Additional Risk Considerations. The Guidance notes some additional areas of specific focus that financial institutions should consider where applicable, such as the outsourcing of suspicious activity reporting, the use of foreign-based service providers, the outsourcing of risk management functions, and whether there are any prohibitions on a service provider performing certain functions for the financial institution (for example, an outside auditor performing non-audit services for a public company client for which it provides financial statement audits).

Responsibilities of Financial Institution Board and Senior Management

The Guidance clearly states that a financial institution’s use of service providers “does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations.” Specifically, the Guidance charges the board of directors or an executive committee of the board, with establishing and approving the financial institution’s policy governing the use of service providers, including a service provider risk management policy addressing risk assessments, due diligence, contract standards and considerations, service provider monitoring and business continuity and contingency planning. The Guidance also requires that a financial institution’s board of directors and senior management determine whether any limits on service provider liability are reasonable relative to the risks to the financial institution if the service provider fails to perform. Senior management is also responsible for ensuring that the board-adopted policies are appropriately executed, including regular reporting to the board on adherence to the policies. Such provisions may require financial institutions to modify their service provider contract approval processes to include board or senior management review in more circumstances than may historically have been the case.

The original post was published by Sidley Austin LLP on January 6, 2014 and is available here.