Press Release
For Immediate Release November 28, 2000


The Federal Financial Institutions Examination Council issued guidance today on financial institutions' management of risk arising from technology services supplied by outside firms.

Today's guidance is intended to assist financial institutions in effectively managing the risks of outsourcing arrangements. Institutions outsource a wide range of technology services that include aggregation, digital certification, security monitoring, information and transaction processing and settlement activities to support banking functions. Outsourcing technology services can help institutions manage cost, improve services and customer support, and obtain additional expertise.

The FFIEC expects the boards of directors and senior management of financial institutions to oversee and manage outsourcing relationships. Financial institutions should institute an outsourcing process that includes:

  • a risk assessment to identify the institution's needs and requirements;
  • proper due diligence to identify and select a provider;
  • written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and
  • ongoing oversight of outsourcing technology services.

The guidance encourages managers to consider additional risk-management controls when services involve the use of the Internet. The Internet, with its broad geographic reach, ease of access and anonymity, requires institutions' close attention to maintaining secure systems, detecting intrusions, developing reporting systems, and verifying and authenticating customers.

A copy of the guidance is attached (PDF).