SR 13-19 / CA 13-21:

Guidance on Managing Outsourcing Risk

BOARD OF GOVERNORS
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF BANKING
SUPERVISION AND REGULATION

DIVISION OF CONSUMER
AND COMMUNITY AFFAIRS

SR 13-19 / CA 13-21
December 5, 2013
Revised February 26, 2021

Clarification on the Responsibilities of the Board of Directors, February 26, 2021: As described in SR letter 21-4 / CA letter 21-2, "Inactive or Revised SR Letters Related to Federal Reserve Expectations for Boards of Directors," this SR letter was revised as of February 26, 2021 to better reflect the Federal Reserve's guidance for boards of directors in SR letter 21-3 / CA letter 21-1, "Supervisory Guidance on Board of Directors' Effectiveness," and SR letter 16-11, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion." No other material changes were made to this letter.

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE

SUBJECT: Guidance on Managing Outsourcing Risk

Applicability:  This guidance applies to all financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Reserve is issuing the attached Guidance on Managing Outsourcing Risk to assist financial institutions[1] in understanding and managing the risks associated with outsourcing a bank activity to a service provider to perform that activity. This Federal Reserve guidance builds upon the FFIEC Outsourcing Technology Services Booklet (2004) that addresses outsourced information technology services and remains in effect.[2]

The attached guidance addresses the characteristics, governance, and operational effectiveness of a financial institution's service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services.  Further, this guidance applies to all service provider relationships regardless of the type of activity that is outsourced.  In summary, the guidance describes

  • Risks from the Use of Service Providers: discusses potential risks arising from service provider relationships.
  • Role of Senior Management: outlines supervisory expectations for a financial institution's senior management in managing risks associated with service provider relationships.
  • Service Provider Risk Management Programs: describes the broad framework and processes to effectively manage risks associated with service provider relationships.

Reserve Banks are asked to distribute this guidance to supervised financial institutions, as well as to appropriate supervisory and examination staff.  Questions on the attached guidance should be addressed to:

  • Division of Banking Supervision and Regulation:  Adrienne Haden, Assistant Director, Operations and Information Technology Policy, at (202) 452-2058; or Neha Contractor, Supervisory Financial Analyst, Operations and Information Technology Policy, at (202) 973-7399.
  • Division of Consumer and Community Affairs:  Phyllis L. Harwell, Assistant Director, Consumer Compliance, at (202) 452-3658.

In addition, questions may be sent via the Board's public website.[3]

signed by
Maryann F. Hunter
Acting Director
Division of Banking
Supervision and Regulation

signed by
Sandra F. Braunstein
Director
Division of Consumer
and Community Affairs

Cross References:
  • SR letter 13-1/CA letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing"
  • SR letter 11-7, "Guidance on Model Risk Management"
  • SR letter 06-4, "Interagency Advisory on the Unsafe and Unsound Use of Limitations on Liability Provisions in External Audit Engagement Letters"
  • SR letter 03-5, "Amended Interagency Guidance on the Internal Audit Function and its Outsourcing"
Notes:
  1. For purposes of this guidance, "financial institutions" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.
  2. See FFIEC Outsourcing Technology Services (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.
  3. See http://www.federalreserve.gov/apps/contactus/feedback.aspx.

Last Update: February 26, 2021