Due Diligence - The Regulator’s Perspective
ABA Telephone/Webcast Briefing
August 14, 2001
Cynthia Bonnette, Assistant Director
FDIC Bank Technology Group
Presentation Overview
Outsourcing trends and developments
Highlights of the FFIEC’s outsourcing guidance
FDIC’s brochures on technology outsourcing
Regulatory oversight of service providers
Outsourcing-related provisions of GLBA
Outsourcing Trends
TowerGroup estimates banks outsource over 85% of their information technology
Significant technical expertise and skills are required in the current environment
The cost to license software or purchase services can be lower than the cost to develop and maintain a proprietary system
Time to market and technology dynamics require rapid development and enhancement
Outsourcing Trends
What’s new about outsourcing today?
– Outsourced functions include mission-critical and customer-facing applications
– Vendors may be new companies--less familiar with the financial services industry
– Niche providers and specialization often result in multiple vendor relationships
– Industry dynamics create new challenges for vendor oversight
FFIEC Guidance
“Risk Management of Outsourced Technology Services” -- FFIEC Guidance, November 2000
Key elements of the risk management process:
– Risk assessment
– Due diligence in selecting service provider
– Contract requirements
– Oversight of service provider
Regardless of the decision to outsource, the bank remains ultimately responsible.
FDIC’s Outsourcing Brochures
FDIC recognized that community banks may face challenges in achieving the goals of the FFIEC guidance
Internal and external experts were consulted to identify areas where additional information would be useful
Goal: Provide practical information that “maps back” to the FFIEC guidance
Three topics:
– Selecting a Service Provider
– Service Level Agreements
– Managing Multiple Service Providers
Why did we choose these topics?
Involvement of key players
– External experts (Gartner Group)
– Industry representatives
– FDIC experts in IT and contracting
– Technology companies
FDIC’s Outsourcing Brochures
White papers were drafted and shared with the industry
The content was revised and re-circulated
Documents became available on June 4, 2001
– Bulletin announcing the brochures was issued 6/4/01
– Documents are available online at www.fdic.gov
– Printed brochures are available upon request
FDIC’s Outsourcing Brochures
What they are…
– Reference documents that a banker may use in relevant situations
– Optional tools/resources
What they aren’t…
– Official guidance
– Examination procedures
FDIC’s Outsourcing Brochures
Selecting a Service Provider
Objectives of the selection process
Identifying potential vendors
Evaluation and selection
Negotiating the contract
Appendix on using an RFP
Selecting a Service Provider - Tips
Negotiate flexibility - e.g., shorter-term contracts
Be specific in defining responsibilities
– Use an institution-wide approach
– Address resource allocation
Include service level agreements
Remember exit/termination clauses
Include legal counsel in the process
Don’t rush
Service Level Agreements
Definition and overview of SLAs
Four steps for developing SLAs
Tips for drafting SLAs
Tips for managing SLAs
Appendix on SLA development - details
Appendix with sample SLA
“If you can’t measure it, you can’t manage it.” --Peter Drucker
Service Level Agreements - Tips
Four-step process for developing SLAs:
Determining objectives
– How does the outsourced service fit into the bank’s strategic plan? (e.g., customer service)
Defining requirements
– What are the operating/performance needs? (e.g., availability)
Setting target measurements
– What metrics can be used? (e.g., % “up time”)
Establishing accountability
Managing Multiple Provider Relationships
Examples of multiple provider relationships and related challenges
Lead-contractor structure
Inter-provider agreements
Tips for coordinating multiple providers
Appendix with tips for agreement terms and conditions
Managing Multiple Provider Relationships - Tips
Contracts should explicitly state:
– Roles and responsibilities
– When and how subcontractors will be used
Consider security and insurance implications
When subs are involved, determine the bank’s legal relationship and “privity”
Ensure effective communication between all relevant parties
Relationship to Regulatory Guidance and BITS Framework
The outsourcing brochures are NOT official guidance
Can be used to complement the existing guidance and provide supplemental information and “good ideas”
Can be used as educational material or practical examples
Regulatory Oversight of Service Providers
Authority comes from the Bank Service Company Act
Interagency exams are coordinated by the FFIEC Information Systems Subcommittee
– MultiRegional Data Processing Servicer Program
– Shared Application Software Review Program
Recently, Internet banking service providers have been included in the MDPS program
Onsite exams are staffed by examiners from all agencies and a joint report is produced
Regulatory Oversight of Service Providers
Copies of the exam report can be obtained by client banks only, from the regional office of their federal regulator
Exam reports are not a substitute for due diligence and oversight by bank management (e.g., regular receipt of independent audits and security reviews)
The scope and frequency of the exams should be considered when using the reports as a resource
GLBA Implications for Outsourcing
GLBA Section 501(b) Standards for Protecting Customer Data
Each bank shall:
– Exercise appropriate due diligence in selecting its service providers
– Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines
GLBA Implications for Outsourcing
Each bank shall (continued)…
– Monitor (where indicated by the bank’s risk assessment) its service providers to confirm that they have satisfied their obligations
Review audits, summaries of test results
The extent of monitoring should be based on risk assessment
GLBA Implications for Outsourcing
The guidelines define a service provider broadly:
“Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.”
Questions & Discussion
Cynthia A. Bonnette, Assistant Director
FDIC Bank Technology Group
550 17th Street, NW, Room H-1005
Washington, DC 20429
202-736-0528