Ceto Blog

Understanding the FFIEC Guidance on Risk Management of Outsourced Technology Services

Written by Robby Monteith | Oct 28, 2022

Outsourcing technology services is a common choice financial institutions make to reduce costs, improve efficiency, and increase profitability. However, it is vital to ensure that these services are managed in a safe and secure manner.

In order to help banks and credit unions with this process, the Federal Financial Institutions Examination Council (FFIEC) has released guidance on risk management of outsourced technology services. In this post, we will answer common questions concerning this guidance and provide insights on staying compliant while implementing outsourced technology within your organization.

FFIEC Guidance on Risk Management of Outsourced Technology Services FAQ

What is FFIEC Guidance on Risk Management of Outsourced Technology Services and Why Was It Created?

Outsourcing technology services can provide several benefits to financial institutions including:

  • Cost Savings
  • Increased Operational Efficiencies
  • Access to Specialized Skills and Capabilities
  • New Revenue Streams

However, outsourcing technology also poses risks, such as:

  • Loss of Control Over Critical Functions
  • Data Security Breaches
  • Service Disruptions

The FFIEC guidance outlines a risk management framework that banks and credit unions can use to identify, assess, and manage the risks associated with outsourcing technology services.

What are the Key Components of FFIEC Guidance on Risk Management of Outsourced Technology Services, and How Can They Be Implemented in Your Financial Organization?

There are five key components to the FFIEC guidance on risk management of outsourced technology services:

  1. Risk Identification and Assessment - Guidance on identifying any risks associated with outsourcing technology services and assessing their potential impact on the financial organization.
  2. Risk Mitigation - Insights on implementing controls and procedures to mitigate any identified risks.
  3. Service Provider Selection and Due Diligence - Selecting a service provider that has the appropriate procedures, systems, and controls in place to mitigate the identified risks.
  4. Service Level Agreement (SLA) Negotiation - Negotiating an SLA that identifies the responsibilities of both the service provider and the financial institution with respect to any risks.
  5. Monitoring and Reporting - Ongoing monitoring of, and reporting on, the service provider's performance and any issues that arise.

Are There Any Considerations Financial Institutions Should Keep in Mind When Outsourcing Their Technology Needs to a Third-Party Provider?

When outsourcing your technology needs to a third party, it's important to keep the following considerations in mind:

  • Make sure that the provider has a good reputation and can meet your specific needs.
  • Be clear about what you expect from the provider regarding service levels, response times, and so on.
  • Get specific on what services/support levels are not covered by your potential provider.
  • Have a strong contract in place which outlines the roles and responsibilities of both parties.
  • Be prepared to manage the relationship with the provider, and make sure that communication is clear and open.

What Are Some Best Practices for Conducting Due Diligence on Potential Third-Party Providers of Outsourced Technology Services?

At Ceto, we're well-versed in assisting our financial clients with vendor selection efforts. Here are just a few of the best practices we've identified to help our clients find the best possible outsourced technology service for their organization.

  1. Ensure you understand the service provider's business model and how they earn revenue.
  2. Understand the provider's financial stability and ability to scale.
  3. Review the provider's customer references and case studies.
  4. Evaluate the provider's technical capabilities and capacity.
  5. Conduct a site visit to the provider's facilities (if possible).
  6. Review the provider's security and privacy policies and procedures.
  7. Make sure you have a clear understanding of the contractual terms, SLAs, and any conditions/exclusions.

Change management is important when working with any third-party vendor, but it is critical when dealing with technology service providers. Financial institutions need a formal process for approving changes made by vendors as well as tracking changes once they are implemented. This helps ensure that changes do not introduce new risks into the environment, allows for proper monitoring of vendor performance, and aids in keeping the institution compliant with any FFIEC mandates.

If you're in need of assistance identifying or negotiating with an outsourced technology service, we can help. We focus solely on helping banks and credit unions drive profitability, including identifying new revenue opportunities, improving organization-wide productivity and efficiencies, and minimizing vendor contract costs and risks while optimizing vendor performance.

Learn more about our Vendor Link service offering and the impact it can have on your financial institution's bottom line here.