The purpose of this publication is to assist financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider to perform that activity. This guidance builds upon the FFIEC Outsourcing Technology Services Booklet that addresses outsourced information technology services and remains in effect.
The guidance addresses the characteristics, governance, and operational effectiveness of a financial institution's service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services. Further, this guidance applies to all service provider relationships regardless of the type of bank activity that is outsourced.
In summary, the guidance describes
- Risks from the Use of Service Providers: discusses potential risks arising from service provider relationships.
- Board of Directors and Senior Management Responsibilities: outlines supervisory expectations for a financial institution's board of directors and senior management in managing risks associated with service provider relationships.
- Service Provider Risk Management Programs: describes the broad framework and processes to effectively manage risks associated with service provider relationships.