due diligence - the regulator’s perspective

Due Diligence - The Regulator’s Perspective. ABA Telephone/Webcast Briefing, August 14, 2001. Cynthia Bonnette, Assistant Director, FDIC Bank Technology Group


DESCRIPTION

Due Diligence - The Regulator’s Perspective. ABA Telephone/Webcast Briefing, August 14, 2001. Cynthia Bonnette, Assistant Director, FDIC Bank Technology Group. Presentation overview: outsourcing trends and developments; highlights of the FFIEC’s outsourcing guidance.

TRANSCRIPT

Page 1: Due Diligence - The Regulator’s Perspective

Due Diligence - The Regulator’s Perspective

ABA Telephone/Webcast Briefing

August 14, 2001

Cynthia Bonnette, Assistant Director

FDIC Bank Technology Group

Page 2: Due Diligence - The Regulator’s Perspective

Presentation Overview

Outsourcing trends and developments
Highlights of the FFIEC’s outsourcing guidance
FDIC’s brochures on technology outsourcing
Regulatory oversight of service providers
Outsourcing-related provisions of GLBA

Page 3: Due Diligence - The Regulator’s Perspective

Outsourcing Trends

TowerGroup estimates banks outsource over 85% of their information technology

Significant technical expertise and skills are required in the current environment

The cost to license software or purchase services can be lower than the cost to develop and maintain a proprietary system

Time to market and technology dynamics require rapid development and enhancement

Page 4: Due Diligence - The Regulator’s Perspective

Outsourcing Trends

What’s new about outsourcing today?
– Outsourced functions include mission critical and customer-facing applications
– Vendors may be new companies--less familiar with the financial services industry
– Niche providers and specialization often result in multiple vendor relationships
– Industry dynamics create new challenges for vendor oversight

Page 5: Due Diligence - The Regulator’s Perspective

FFIEC Guidance

“Risk Management of Outsourced Technology Services” -- FFIEC Guidance, November 2000

Key elements of the risk management process:
– Risk assessment
– Due diligence in selecting service provider
– Contract requirements
– Oversight of service provider

Regardless of the decision to outsource, the bank remains ultimately responsible.

Page 6: Due Diligence - The Regulator’s Perspective

FDIC’s Outsourcing Brochures

FDIC recognized that community banks may face challenges in achieving the goals of the FFIEC guidance

Internal and external experts were consulted to identify areas where additional information would be useful

Goal: Provide practical information that “maps back” to the FFIEC guidance

Page 7: Due Diligence - The Regulator’s Perspective

FDIC’s Outsourcing Brochures

Three topics:
– Selecting a Service Provider
– Service Level Agreements
– Managing Multiple Service Providers

Why did we choose these topics?

Involvement of key players:
– External experts (Gartner Group)
– Industry representatives
– FDIC experts in IT and contracting
– Technology companies

Page 8: Due Diligence - The Regulator’s Perspective

FDIC’s Outsourcing Brochures

White papers were drafted and shared with the industry

The content was revised and re-circulated

Documents became available on June 4, 2001
– Bulletin announcing the brochures was issued 6/4/01
– Documents are available online at www.fdic.gov
– Printed brochures are available upon request

Page 9: Due Diligence - The Regulator’s Perspective

FDIC’s Outsourcing Brochures

What they are…
– Reference documents that a banker may use in relevant situations
– Optional tools/resources

What they aren’t…
– Official guidance
– Examination procedures

Page 10: Due Diligence - The Regulator’s Perspective

Selecting a Service Provider

Objectives of the selection process
Identifying potential vendors
Evaluation and selection
Negotiating the contract
Appendix on using an RFP

Page 11: Due Diligence - The Regulator’s Perspective

Selecting a Service Provider - Tips

Negotiate flexibility - e.g., shorter term contracts

Be specific in defining responsibilities
– Use institution-wide approach
– Address resource allocation

Include service level agreements
Remember exit/termination clauses
Include legal counsel in the process
Don’t rush

Page 12: Due Diligence - The Regulator’s Perspective

Service Level Agreements

Definition and overview of SLAs
Four steps for developing SLAs
Tips for drafting SLAs
Tips for managing SLAs
Appendix on SLA development - details
Appendix with sample SLA

“If you can’t measure it, you can’t manage it.” --Peter Drucker

Page 13: Due Diligence - The Regulator’s Perspective

Service Level Agreements - Tips

Four step process to developing SLAs:

Determining objectives
– How does the outsourced service fit into the bank’s strategic plan? (e.g., customer service)

Defining requirements
– What are the operating/performance needs? (e.g., availability)

Setting target measurements
– What metrics can be used? (e.g., % “up time”)

Establishing accountability

Page 14: Due Diligence - The Regulator’s Perspective

Managing Multiple Provider Relationships

Examples of multiple provider relationships and related challenges

Lead-contractor structure
Inter-provider agreements
Tips for coordinating multiple providers
Appendix with tips for agreement terms and conditions

Page 15: Due Diligence - The Regulator’s Perspective

Managing Multiple Provider Relationships - Tips

Contracts should explicitly state:
– Roles and responsibilities
– When and how subcontractors will be used

Consider security and insurance implications

When subs are involved, determine the bank’s legal relationship and “privity”

Ensure effective communication between all relevant parties

Page 16: Due Diligence - The Regulator’s Perspective

Relationship to Regulatory Guidance and BITS Framework

The outsourcing brochures are NOT official guidance

Can be used to complement the existing guidance and provide supplemental information and “good ideas”

Can be used as educational material or practical examples

Page 17: Due Diligence - The Regulator’s Perspective

Regulatory Oversight of Service Providers

Authority comes from the Bank Service Company Act

Interagency exams are coordinated by the FFIEC Information Systems Subcommittee
– MultiRegional Data Processing Servicer Program
– Shared Application Software Review Program

Recently, Internet banking service providers have been included in the MDPS program

Onsite exams are staffed by examiners from all agencies and a joint report is produced

Page 18: Due Diligence - The Regulator’s Perspective

Regulatory Oversight of Service Providers

Copies of the exam report can be obtained by client banks only from the regional office of their federal regulator

Exam reports are not a substitute for due diligence and oversight by bank management (e.g., regular receipt of independent audits and security reviews)

The scope and frequency of the exams should be considered when using the reports as a resource

Page 19: Due Diligence - The Regulator’s Perspective

GLBA Implications for Outsourcing

GLBA Section 501(b) Standards for Protecting Customer Data

Each bank shall:
– Exercise appropriate due diligence in selecting its service providers
– Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines

Page 20: Due Diligence - The Regulator’s Perspective

GLBA Implications for Outsourcing

Each bank shall (continued)…
– Monitor (where indicated by the bank’s risk assessment) its service providers to confirm that they have satisfied their obligations

Review audits, summaries of test results

The extent of monitoring should be based on risk assessment

Page 21: Due Diligence - The Regulator’s Perspective

GLBA Implications for Outsourcing

The guidelines define a service provider broadly:

“Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.”

Page 22: Due Diligence - The Regulator’s Perspective

Questions & Discussion

Cynthia A. Bonnette, Assistant Director
FDIC Bank Technology Group
550 17th Street, NW, Room H-1005
Washington, DC 20429
202-736-0528

[email protected]@fdic.gov