OCC Bulletin 2004-32 | July 15, 2004
FFIEC Information Technology Examination Handbook: FFIEC IT Booklets on Outsourcing Technology Services and Management
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
The Federal Financial Institutions Examination Council (FFIEC) has issued two booklets that provide updated guidance on the outsourcing of technology services and the management of information technology. These booklets are the latest in a series that will update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook.
Outsourcing Technology Services Booklet
Financial institutions increasingly rely on external service providers for a variety of technology-related services. Generally, the term "outsourcing" is used to describe these types of arrangements. The ability to contract for technology services often enables an institution to offer its customers enhanced services without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it. Outsourcing, however, does not transfer the risks of the product, service, or activity from the bank to the outsource provider. Significant operational risks such as loss of funds, loss of competitive advantage, damaged reputation, and improper disclosure of information remain and must be properly managed by the institution.
The "Outsourcing Technology Services Booklet" describes the risks associated with technology outsourcing and provides guidance regarding risk management policies, procedures, and practices that institutions should consider implementing when using external service providers. Key elements of a sound risk management environment for outsourcing include articulating board of directors and senior management responsibilities, conducting appropriate risk assessments and due diligence, negotiating appropriate contract provisions, and ensuring the ongoing monitoring of the outsourced relationship. Specific issues associated with foreign-based third-party service providers are addressed in Appendix C of the booklet.
This booklet rescinds OCC Advisory Letter AL 2000-12, "Risk Management of Outsourcing Technology Services."
Management Booklet
Sound management of a financial institution's information technology (IT) is fundamental to sound governance and involves more than containing costs and controlling operational risks. An institution capable of aligning its IT infrastructure to support its business strategy adds value to the organization and positions the organization for sustained success. The board of directors and senior management should understand and take responsibility for IT management as a critical component of the institution's overall corporate governance efforts.
The "Management Booklet" provides an overview of how IT management relates to operational and non-operational risks and identifies the structural issues associated with IT oversight. It describes a process that banks can use to manage technology-related risks and also includes guidance for companies that provide technology services to financial institutions.
This booklet rescinds Chapter 9 "Management" and Chapter 11 "Management Information Systems (MIS) Review" of the 1996 FFIEC IS Examination Handbook.
The attached FFIEC press release describes the handbook update process and provides the following link [www.ffiec.gov/guides.htm] to electronic versions of all three booklets. To accommodate banks with limited access to the Internet, the OCC will also include these booklets in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any bank that is not able to download the booklets may order printed copies. Please send your request to the Office of the Comptroller of the Currency, 400 7th Street, SW, Washington, DC 20219.
Other questions regarding these booklets should be directed to your OCC supervisory office or the Bank Technology Division at (202) 649-6340.
Mark L. O'Dell
Deputy Comptroller, Operational Risk Department