AL 2000-12
OCC Advisory Letter

Subject: Risk Management of Outsourcing Technology Services
Date: November 28, 2000

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

The Federal Financial Institutions Examination Council (FFIEC) has released the attached guidance, "Risk Management of Outsourced Technology Services." The guidance outlines the processes banks should use to manage the risks associated with outsourcing technology services and discusses four key elements of such processes--risk assessment, selection of service providers, contract reviews, and monitoring the service provider relationship. This guidance supplements previous interagency statements and Office of the Comptroller of the Currency (OCC) guidance.

The guidance states that a financial institution's board of directors and management are responsible for ensuring that adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution's needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations, and responsibilities of the parties involved; and ongoing oversight of outsourced technology services.

The guidance encourages management to consider additional risk-management controls when services involve the use of the Internet. The Internet, with its broad geographic reach, ease of access and anonymity, requires extra attention to maintaining secure systems, detecting intrusions, developing reporting systems, and verifying and authenticating customers.

Institutions considering operating subsidiaries and minority investments in conjunction with outsourcing arrangements should refer to OCC regulations 12 CFR 5.34 and 5.36 regarding the permissibility of the activities to be conducted. In addition, management should consider whether the appropriate duties, responsibilities, and performance criteria are understood during the due diligence and contract negotiations. The institutions' risk assessment phase and contract provisions should take into consideration investment criteria and exit strategies that may be needed depending on the success and continued permissibility of the activities.

OCC encourages national banks to use technology in a safe and sound manner to enhance service and product offerings. Regardless of whether technology solutions are managed internally or outsourced, the board of directors and management need to understand the inherent risks to the institution and implement appropriate controls.

For further information on Internet banking and technology risk management guidance, see the OCC's Internet site at www.occ.treas.gov or contact Clifford Wilke, director, Bank Technology, at (202) 874-5920.

____________________
Emory W. Rushton
Senior Deputy Comptroller
Bank Supervision Policy

Attachment