skip to main navigation skip to secondary navigation skip to content
Board of Governors of the Federal Reserve System
skip to content
Board of Governors of the Federal Reserve System

Supervision and Regulation Letters

SR 13-19 / CA 13-21

Guidance on Managing Outsourcing Risk

December 5, 2013

Seal of the Board of Governors of the Federal Reserve System
BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C.  20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
DIVISION OF CONSUMER
AND COMMUNITY AFFAIRS
SR 13-19
CA 13-21
December 5, 2013
TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE
SUBJECT:   Guidance on Managing Outsourcing Risk
Applicability:  This guidance applies to all financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Reserve is issuing the attached Guidance on Managing Outsourcing Risk to assist financial institutions1 in understanding and managing the risks associated with outsourcing a bank activity to a service provider to perform that activity.  This Federal Reserve guidance builds upon the FFIEC Outsourcing Technology Services Booklet (2004) that addresses outsourced information technology services and remains in effect.2

The attached guidance addresses the characteristics, governance, and operational effectiveness of a financial institution's service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services.  Further, this guidance applies to all service provider relationships regardless of the type of bank activity that is outsourced.  In summary, the guidance describes

  • Risks from the Use of Service Providers: discusses potential risks arising from service provider relationships.
  • Board of Directors and Senior Management Responsibilities: outlines supervisory expectations for a financial institution's board of directors and senior management in managing risks associated with service provider relationships.
  • Service Provider Risk Management Programs: describes the broad framework and processes to effectively manage risks associated with service provider relationships.

Reserve Banks are asked to distribute this guidance to supervised financial institutions, as well as to appropriate supervisory and examination staff.  Questions on the attached guidance should be addressed to:

  • Division of Banking Supervision and Regulation:  Adrienne Haden, Assistant Director, Operations and Information Technology Policy, at (202) 452-2058; or Neha Contractor, Supervisory Financial Analyst, Operations and Information Technology Policy, at (202) 973-7399.
  • Division of Consumer and Community Affairs:  Phyllis L. Harwell, Assistant Director, Consumer Compliance, at (202) 452-3658.

In addition, questions may be sent via the Board's public website.3

signed by
Maryann F. Hunter
Acting Director
Division of Banking
Supervision and Regulation
signed by
Sandra F. Braunstein
Director
Division of Consumer
and Community Affairs


Cross References:
  • SR letter 13-1/CA letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing"
  • SR letter 11-7, "Guidance on Model Risk Management"
  • SR letter 06-4, "Interagency Advisory on the Unsafe and Unsound Use of Limitations on Liability Provisions in External Audit Engagement Letters"
  • SR letter 03-5, "Amended Interagency Guidance on the Internal Audit Function and its Outsourcing"
 
Notes:
  1. For purposes of this guidance, "financial institutions" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.  Return to text
  2. See FFIEC Outsourcing Technology Services (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.  Return to text
  3. See http://www.federalreserve.gov/apps/contactus/feedback.aspx.  Return to text

 

Last update: December 5, 2013