This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Financial institutions should consider the guidance outlined in this statement and the attached appendix in managing arrangements with their technology service providers. While this guidance covers a broad range of issues that financial institutions should address, each financial institution should apply those elements based on the scope and importance of the outsourced services as well as the risk to the institution from the services.
Financial institutions increasingly rely on services provided by other entities to support an array of technology-related functions. While outsourcing to affiliated or nonaffiliated entities can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services, it also introduces risks that financial institutions should address. This guidance covers four elements of a risk management process: risk assessment, selection of service providers, contract review, and monitoring of service providers.