Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

RISK MANAGEMENT OF TECHNOLOGY OUTSOURCING

Information Technology / Cybersecurity
November 29, 2000

TO: CHIEF EXECUTIVE OFFICER
SUBJECT: FFIEC Guidance on Managing Risks Associated
With Outsourcing Technology Services

The FDIC, together with the other federal regulators of banks, thrifts and credit unions, issued the attached joint guidance on managing the risk exposure an institution faces when it uses outside firms for technology.

Through the Federal Financial Institutions Examination Council (FFIEC), the regulators issued this guidance on key management issues when outsourcing technology. These issues include risk assessment, service provider selection, contract terms and oversight of outsourcing arrangements.

The guidance is intended to assist financial institutions that are increasingly relying on outside firms for technology-related products and services to support an array of banking functions. Institutions of all sizes are using these products and services, as technology grows more complex and dynamic, creating a greater impetus to outsource.

In addition, the emergence of new startup service companies with limited experience, resources and knowledge of the regulated financial services environment heightens the importance of effective risk-management practices at the financial institution.

Institutions and their customers can achieve benefits through outsourcing of products and services. However, responsibility for managing the risks associated with those products or activities cannot be outsourced. Financial institutions should ensure that an appropriate risk-management process is in place to identify, measure, monitor and control the risks associated with technology-related outsourcing arrangements.

For more information, please contact Thomas J. Tuzinski (202-898-6748) or Robert D. Vilim (202-898-6511) in the FDIC's Division of Supervision.

Michael J. Zamorski
Acting Director

Attachment: Risk Management of Outsourced Technology Services HTML or PDF Format (52 Kb - PDF help or hard copy )

Distribution: FDIC-Supervised Banks (Commercial and Savings) and Service Providers

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).


FIL-81-2000

Last Updated: November 29, 2000