Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group.


2 Presentation Overview
- Outsourcing trends and developments
- Highlights of the FFIEC's outsourcing guidance
- FDIC's brochures on technology outsourcing
- Regulatory oversight of service providers
- Outsourcing-related provisions of GLBA

3 Outsourcing Trends
- TowerGroup estimates banks outsource over 85% of their information technology
- Significant technical expertise and skills are required in the current environment
- The cost to license software or purchase services can be lower than the cost to develop and maintain a proprietary system
- Time to market and technology dynamics require rapid development and enhancement

4 Outsourcing Trends
- What's new about outsourcing today?
  – Outsourced functions include mission-critical and customer-facing applications
  – Vendors may be new companies, less familiar with the financial services industry
  – Niche providers and specialization often result in multiple vendor relationships
  – Industry dynamics create new challenges for vendor oversight

5 FFIEC Guidance
- "Risk Management of Outsourced Technology Services" -- FFIEC Guidance, November 2000
- Key elements of the risk management process:
  – Risk assessment
  – Due diligence in selecting the service provider
  – Contract requirements
  – Oversight of the service provider
- Regardless of the decision to outsource, the bank remains ultimately responsible.

6 FDIC's Outsourcing Brochures
- FDIC recognized that community banks may face challenges in achieving the goals of the FFIEC guidance
- Internal and external experts were consulted to identify areas where additional information would be useful
- Goal: provide practical information that "maps back" to the FFIEC guidance

7 FDIC's Outsourcing Brochures
- Three topics:
  – Selecting a Service Provider
  – Service Level Agreements
  – Managing Multiple Service Providers
- Why did we choose these topics?
- Involvement of key players:
  – External experts (Gartner Group)
  – Industry representatives
  – FDIC experts in IT and contracting
  – Technology companies

8 FDIC's Outsourcing Brochures
- White papers were drafted and shared with the industry
- The content was revised and re-circulated
- Documents became available on June 4, 2001
  – Bulletin announcing the brochures was issued 6/4/01
  – Documents are available online at www.fdic.gov
  – Printed brochures are available upon request

9 FDIC's Outsourcing Brochures
- What they are...
  – Reference documents that a banker may use in relevant situations
  – Optional tools/resources
- What they aren't...
  – Official guidance
  – Examination procedures

10 Selecting a Service Provider
- Objectives of the selection process
- Identifying potential vendors
- Evaluation and selection
- Negotiating the contract
- Appendix on using an RFP

11 Selecting a Service Provider - Tips
- Negotiate flexibility, e.g., shorter-term contracts
- Be specific in defining responsibilities
  – Use an institution-wide approach
  – Address resource allocation
- Include service level agreements
- Remember exit/termination clauses
- Include legal counsel in the process
- Don't rush

12 Service Level Agreements
- Definition and overview of SLAs
- Four steps for developing SLAs
- Tips for drafting SLAs
- Tips for managing SLAs
- Appendix on SLA development - details
- Appendix with sample SLA
"If you can't measure it, you can't manage it." -- Peter Drucker

13 Service Level Agreements - Tips
- Four-step process for developing SLAs:
  – Determining objectives: How does the outsourced service fit into the bank's strategic plan? (e.g., customer service)
  – Defining requirements: What are the operating/performance needs? (e.g., availability)
  – Setting target measurements: What metrics can be used? (e.g., % "up time")
  – Establishing accountability

14 Managing Multiple Provider Relationships
- Examples of multiple provider relationships and related challenges
- Lead-contractor structure
- Inter-provider agreements
- Tips for coordinating multiple providers
- Appendix with tips for agreement terms and conditions

15 Managing Multiple Provider Relationships - Tips
- Contracts should explicitly state:
  – Roles and responsibilities
  – When and how subcontractors will be used
- Consider security and insurance implications
- When subcontractors are involved, determine the bank's legal relationship and "privity"
- Ensure effective communication between all relevant parties

16 Relationship to Regulatory Guidance and BITS Framework
- The outsourcing brochures are NOT official guidance
- They can be used to complement the existing guidance and provide supplemental information and "good ideas"
- They can be used as educational material or practical examples

17 Regulatory Oversight of Service Providers
- Authority comes from the Bank Service Company Act
- Interagency exams are coordinated by the FFIEC Information Systems Subcommittee
  – MultiRegional Data Processing Servicer (MDPS) Program
  – Shared Application Software Review Program
- Recently, Internet banking service providers have been included in the MDPS program
- Onsite exams are staffed by examiners from all agencies and a joint report is produced

18 Regulatory Oversight of Service Providers
- Copies of the exam report can be obtained by client banks only, from the regional office of their federal regulator
- Exam reports are not a substitute for due diligence and oversight by bank management (e.g., regular receipt of independent audits and security reviews)
- The scope and frequency of the exams should be considered when using the reports as a resource

19 GLBA Implications for Outsourcing
- GLBA Section 501(b) Standards for Protecting Customer Data
- Each bank shall:
  – Exercise appropriate due diligence in selecting its service providers
  – Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines

20 GLBA Implications for Outsourcing
- Each bank shall (continued)...
  – Monitor (where indicated by the bank's risk assessment) its service providers to confirm that they have satisfied their obligations
- Review audits and summaries of test results
- The extent of monitoring should be based on the risk assessment

21 GLBA Implications for Outsourcing
The guidelines define a service provider broadly: "Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank."

22 Questions & Discussion
Cynthia A. Bonnette, Assistant Director
FDIC Bank Technology Group
550 17th Street, NW, Room H-1005
Washington, DC 20429
202-736-0528
cybonnette@fdic.gov