Risk Management of Outsourced Technology Services

The purpose of this letter is to make you aware of guidance recently released by the Federal Financial Institutions Examination Council (“FFIEC”)¹ to financial institutions regarding risk management of outsourced technology services. If your credit union currently uses, or is considering using, outsourcing relationships for technology services, you should review the enclosed FFIEC guidance paper carefully.

• Credit unions are increasingly reliant on third parties to support technology-related functions. Outsourcing arrangements can help manage costs, provide expertise, and expand and improve services offered to members. The guidance paper outlines risks and important considerations involved in managing the outsourcing of technology services. It emphasizes the following key points:
• The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place.
• Once the institution has completed its risk assessment, management should evaluate service providers to determine their ability, both operationally and financially, to meet the institution’s needs.

Contracts should be clearly written and sufficiently detailed to provide assurances for performance, reliability, security, confidentiality, and reporting.

Institutions should implement an oversight program to monitor each service provider’s controls, condition, and performance.

If you have any questions or concerns, please contact your examiner, NCUA Regional Office or State Supervisory Authority.