Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group
Presentation Overview • Outsourcing trends and developments • Highlights of the FFIEC’s outsourcing guidance • FDIC’s brochures on technology outsourcing • Regulatory oversight of service providers • Outsourcing-related provisions of GLBA
Outsourcing Trends • TowerGroup estimates banks outsource over 85% of their information technology • Significant technical expertise and skills are required in the current environment • The cost to license software or purchase services can be lower than the cost to develop and maintain a proprietary system • Time to market and technology dynamics require rapid development and enhancement
Outsourcing Trends • What’s new about outsourcing today? • Outsourced functions now include mission-critical and customer-facing applications • Vendors may be new companies that are less familiar with the financial services industry • Niche providers and specialization often result in multiple vendor relationships • Industry dynamics create new challenges for vendor oversight
FFIEC Guidance • “Risk Management of Outsourced Technology Services” -- FFIEC Guidance, November 2000 • Key elements of the risk management process: • Risk assessment • Due diligence in selecting the service provider • Contract requirements • Oversight of the service provider • Regardless of the decision to outsource, the bank remains ultimately responsible.
FDIC’s Outsourcing Brochures • FDIC recognized that community banks may face challenges in achieving the goals of the FFIEC guidance • Internal and external experts were consulted to identify areas where additional information would be useful • Goal: Provide practical information that “maps back” to the FFIEC guidance
FDIC’s Outsourcing Brochures • Three topics: • Selecting a Service Provider • Service Level Agreements • Managing Multiple Service Providers • Why did we choose these topics? • Involvement of key players • External experts (Gartner Group) • Industry representatives • FDIC experts in IT and contracting • Technology companies
FDIC’s Outsourcing Brochures • White papers were drafted and shared with the industry • The content was revised and re-circulated • Documents became available on June 4, 2001 • Bulletin announcing the brochures was issued 6/4/01 • Documents are available online at www.fdic.gov • Printed brochures are available upon request
FDIC’s Outsourcing Brochures • What they are… • Reference documents that a banker may use in relevant situations • Optional tools/resources • What they aren’t… • Official guidance • Examination procedures
Selecting a Service Provider • Objectives of the selection process • Identifying potential vendors • Evaluation and selection • Negotiating the contract • Appendix on using an RFP
Selecting a Service Provider - Tips • Negotiate flexibility - e.g., shorter term contracts • Be specific in defining responsibilities • Use institution-wide approach • Address resource allocation • Include service level agreements • Remember exit/termination clauses • Include legal counsel in the process • Don’t rush
Service Level Agreements • Definition and overview of SLAs • Four steps for developing SLAs • Tips for drafting SLAs • Tips for managing SLAs • Appendix on SLA development - details • Appendix with sample SLA “If you can’t measure it, you can’t manage it.” --Peter Drucker
Service Level Agreements - Tips • Four step process to developing SLAs: • Determining objectives • How does the outsourced service fit into the bank’s strategic plan? (e.g., customer service) • Defining requirements • What are the operating/performance needs? (e.g., availability) • Setting target measurements • What metrics can be used? (e.g., % “up time”) • Establishing accountability
Managing Multiple Provider Relationships • Examples of multiple provider relationships and related challenges • Lead-contractor structure • Inter-provider agreements • Tips for coordinating multiple providers • Appendix with tips for agreement terms and conditions
Managing Multiple Provider Relationships - Tips • Contracts should explicitly state: • Roles and responsibilities • When and how subcontractors will be used • Consider security and insurance implications • When subs are involved, determine the bank’s legal relationship and “privity” • Ensure effective communication between all relevant parties
Relationship to Regulatory Guidance and BITS Framework • The outsourcing brochures are NOT official guidance • They can be used to complement the existing guidance and provide supplemental information and “good ideas” • They can be used as educational material or as practical examples
Regulatory Oversight of Service Providers • Authority comes from the Bank Service Company Act • Interagency exams are coordinated by the FFIEC Information Systems Subcommittee • Multi-Regional Data Processing Servicer (MDPS) Program • Shared Application Software Review Program • Recently, Internet banking service providers have been included in the MDPS program • Onsite exams are staffed by examiners from all agencies and a joint report is produced
Regulatory Oversight of Service Providers • Copies of the exam report can be obtained by client banks only, from the regional office of their federal regulator • Exam reports are not a substitute for due diligence and oversight by bank management (e.g., regular receipt of independent audits and security reviews) • The scope and frequency of the exams should be considered when using the reports as a resource
GLBA Implications for Outsourcing • GLBA Section 501(b) Standards for Protecting Customer Data • Each bank shall: • Exercise appropriate due diligence in selecting its service providers • Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines
GLBA Implications for Outsourcing • Each Bank shall (continued)… • Monitor (where indicated by the bank’s risk assessment) its service providers to confirm that they have satisfied their obligations • Review audits, summaries of test results • The extent of monitoring should be based on risk assessment
GLBA Implications for Outsourcing The guidelines define a service provider broadly: “Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.”
Questions & Discussion • Cynthia A. Bonnette, Assistant Director • FDIC Bank Technology Group • 550 17th Street, NW, Room H-1005 • Washington, DC 20429 • 202-736-0528 • cybonnette@fdic.gov