The FRB issued guidance on managing outsourcing risks, intended to highlight the potential risks arising from the use of service providers, describe the components of an appropriate service provider risk management program, and supplement previous guidance on technology service provider risk. The guidance provides that, before entering into and while managing outsourcing arrangements, financial institutions should consider the following risks: (1) compliance risks; (2) concentration risks (i.e., when outsourced services or products are provided by a limited number of service providers or are concentrated in a limited geographic location); (3) reputational risks; (4) country risks (i.e., use of a foreign-based service provider); (5) operational risks; and (6) legal risks. The guidance also notes that the use of a service provider does not relieve a financial institution’s board of directors and senior management of the duty to ensure that the use of service providers is conducted in a safe-and-sound manner and in compliance with applicable law; rather, there is an affirmative responsibility “for ensuring that board-approved policies for the use of service providers are appropriately executed.”
The guidance also outlines the components of an appropriate service provider risk management program. In particular, the guidance identifies “core elements” of an effective program, which include risk assessments, due diligence and selection of service providers, incentive compensation review, and oversight and monitoring of service providers, among other elements. For example, the guidance provides that a financial institution should evaluate and perform due diligence on a prospective service provider. The extent of due diligence will vary depending on the scope, complexity, and importance of the planned outsourcing. Another key component of an appropriate service provider risk management program is understanding the service contract and any related legal issues. There should also be an effective process in place to review and approve any incentive compensation that may exist in service provider agreements. Finally, the guidance identifies other risk considerations, including the risk of using third-party service providers to comply with the suspicious activity report requirements under the Bank Secrecy Act, risks unique to foreign-based service providers (e.g., a foreign service provider’s ability to comply with U.S. law), and the service provider’s own risk management activities.