Outsourcing presents special challenges for financial institutions. As regulated entities, they are typically responsible for the conduct of the third-party service providers to whom they outsource functions that they would otherwise conduct internally. As noted by the Office of the Comptroller of the Currency (OCC), "a financial institution's use of third-parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Many third-party relationships should be subject to the same risk management, security, privacy, and other consumer protection policies that would be expected if a national financial institution were conducting the activities directly.?1
Managing the risks of third-party relationships is fundamental. As the OCC points out, relying on third-parties to perform banking functions decreases management's direct control over the operations, and therefore requires management's intensified oversight efforts. Thus, the OCC requires that financial institutions rigorously analyze and manage the risks posed by material third-party relationships. Those risks include:
- Compliance risk -- This risk exists when products, services or systems associated with the third-party relationship are not in compliance with applicable laws, rules or regulations, or are not consistent with ethical standards or the financial institution's policies and procedures.
- Transaction risk -- This risk arises from problems with service or product delivery, such as a third-party's inability to deliver products and services, whether arising from fraud, error, inadequate capacity, or technology failure.
- Reputation risk -- This risk arises when third-party relationships do not meet the expectations of the financial institution's customers, and include poor service, disruption of service, inappropriate sales recommendations, violations of consumer law, and other actions that can result in litigation, loss of business to the financial institution, or both. Also, publicity about adverse events surrounding the third-parties may increase the financial institution's reputation risk.
Key to addressing these risks is selection of a competent and qualified third-party service provider and development of a contract that ensures that the expectations and obligations of each party are clearly defined, understood and enforceable. The OCC recommends that financial institutions consider the following issues when entering into a contract with a third party:
- Scope of the arrangement - the details of the products or services to be provided.
- Performance measures or benchmarks.
- Responsibilities for providing and receiving information.
- Right to audit the activities of the third party (and its subcontractors).
- Fees and costs.
- Ownership and license of data, hardware and software, system documentation, and other intellectual property such as the financial institution's name, logo, trademark, and copyrighted material.
- Confidentiality of the financial institution's information.
- Security requirements.
- Business resumption and contingency plans.
- Dispute resolution.
- Limits on liability.
- Default and termination.
- Handling of customer complaints.
- Special issues with foreign-based service providers, including jurisdiction and choice of law provisions.
Four of the issues itemized above are closely related, and worthy of particular note. They are as follows:
- Business resumption and contingency planning
- Audit rights
The financial institution must clearly define the level and types of security, auditing and control measures it requires, especially as necessary to comply with applicable regulatory requirements. The contract should also reference the need to periodically review and update controls to comply with current and future regulatory guidelines.
Ensuring appropriate security is critical for three reasons. First, it is necessary to prevent the losses and damage that the financial institution and its customers might suffer if a physical, technical or personnel threat against the service provider becomes a reality. This might include, for example, business interruptions, the theft, alteration, or destruction of data, denial of service attacks, physical damage to facilities, personal injury, cyber crime, terrorist attacks, and numerous other threats.
Second, security is now a regulatory compliance issue. Security and confidentiality are required by regulation to protect the integrity of financial processes and the privacy of customer data as well as to comply with the requirements of the USA Patriot Act. The Gramm-Leach-Bliley security regulations, for example, require financial institutions to adopt appropriate security policies to protect and maintain the confidentiality of customer data. These requirements extend to the outsourcing service provider as well.
Third, security is critical for business trust that is so important to financial institutions. Trusting one's business partners has always been important (e.g., Are they reputable and creditworthy? Will they perform as promised?). But in today's ebusiness environment, companies also need to trust the transaction itself. That is, when vital business transactions depend on computer and network availability, the parties need to know that these will work properly and without interruption. When remote communications replace personal contact or a trusted medium such as the mail, the parties need to verify every other party's identity. When easily copied and altered electronic records replace signed paper documents, the parties need assurance that these records are authentic and unaltered. And when sensitive data is stored electronically, the parties need assurances that the data is confidential, protected and accessible.
The board of directors and management of the financial institution must ensure that the outsourced operation is conducted with legally appropriate security, and, in the OCC's view, are ultimately responsible in the event such security is not adequate or in compliance with applicable regulations.
Security requires implementation of appropriate physical, technical and administrative measures to ensure the following with respect to computer systems, networks and the data contained on those systems:
- System availability.
- Restriction of access to authorized persons only.
- Identification and authentication of persons.
- Integrity of data and processes.
- Confidentiality of data.
In addition, a key component of security also requires addressing backup, disaster recovery and business resumption issues. It is critical that the contract provide for the means to ensure the continuation of the business function in the event of problems affecting the outsourcer's operations, including system breakdown and natural (or man-made) disaster. To that end, the contract should address the service provider's responsibility for backing up and otherwise protecting program and data files, for protecting equipment, and for maintaining disaster recovery and contingency plans. Without appropriate backups, disaster recovery and business resumption plans may be of little value.
Conversely, appropriate data backups and off site storage is no guarantee that operations can be quickly and efficiently resumed in the event of a major problem.
Responsibilities should include testing of the plans and providing results to the financial institution. Contracts should include specific timeframes for business resumption and recovery that meet the financial institution's business requirements. Further, the financial institution's own contingency plan should address potential financial problems or insolvency of the third party.
Finally, it is important that the security procedures and processes implemented by the service provider, as well as its performance generally, be carefully audited, reviewed, and monitored by the financial institution or an independent third party to ensure that it is satisfactory for the work being outsourced, that it is maintained throughout the course of the relationship, and that it is updated as technology and risks or threats change. Reliance on representations and undertakings in a contract is important, but there is no substitute for independent verification that the processes, procedures, operations, and security provided by the supplier meet applicable standards.
Lessons from the Outsourcing Journal:
Regulated industries, such as the financial services industry, must take special care when entering into outsourcing relationships with third parties. Specifically, they need to:
- Understand, analyze, and manage the risks posed by third party outsourcing relationships.
- Utilize appropriate due diligence to select competent and qualified third party providers.
- Structure appropriate contractual relationships that clearly specify the scope of the relationship and the obligations of the parties.
- Pay close attention to regulatory and business requirements for security, confidentiality, and business resumption issues.
- Closely monitor the activities and performance of the third party to ensure compliance with contractual commitments and regulatory obligations imposed upon the financial institution.
Two important resources address issues in financial services industry outsourcing. The first is OCC Bulletin 2001-47 on Third-Party Relationships, released on November 21, 2001 (available at www.occ.treas.gov/ftp/bulletin/2001-47.doc), and the second is the BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships, August 17, 2001.
Thomas J. Smedinghoff is a Partner at Baker & McKenzie (Chicago office) and is chair of the E-Commerce Division of the American Bar Association Section of Science & Technology Law. He can be reached at [email protected]. Creighton R. Meland, Jr. is a Partner at Baker & McKenzie (Chicago office) in the firm's Banking & Finance practice group. He can be reached at [email protected].
1 Office of the Comptroller of the Currency, Administrator of National Banks, OCC Bulletin 2001-47 on Third-Party Relationships, November 21, 2001 (available at www.occ.treas.gov/ftp/bulletin/2001-47.doc).