美国FFIEC技术服务外包IT检查手册英文版.docx

美国FFIEC技术服务外包IT检查手册英文版.docx

《美国FFIEC技术服务外包IT检查手册英文版.docx》由会员分享，可在线阅读，更多相关《美国FFIEC技术服务外包IT检查手册英文版.docx（49页珍藏版）》请在冰豆网上搜索。

美国FFIEC技术服务外包IT检查手册英文版

 ITBooklets：

OutsourcingTechnologyServices

（美国FFIEC技术服务外包IT检查手册）

Introduction

Thefinancialservicesindustryhaschangedrapidlyanddramatically.Advancesintechnologyenableinstitutionstoprovidecustomerswithanarrayofproducts,services,anddeliverychannels.Oneresultofthesechangesisthatfinancialinstitutionsincreasinglyrelyonexternalserviceprovidersforavarietyoftechnology-relatedservices.Generally,theterm"outsourcing"isusedtodescribethesetypesofarrangements.

TheFederalFinancialInstitutionsExaminationCouncil（FFIEC）InformationTechnologyExaminationHandbook（ITHandbook）"OutsourcingTechnologyServicesBooklet"（booklet）providesguidanceandexaminationprocedurestoassistexaminersandbankersinevaluatingafinancialinstitution'sriskmanagementprocessestoestablish,manage,andmonitorIToutsourcingrelationships.

Theabilitytocontractfortechnologyservicestypicallyenablesaninstitutiontoofferitscustomersenhancedserviceswithoutthevariousexpensesinvolvedinowningtherequiredtechnologyormaintainingthehumancapitalrequiredtodeployandoperateit.Inmanysituations,outsourcingofferstheinstitutionacosteffectivealternativetoin-housecapabilities.Outsourcing,however,doesnotreducethefundamentalrisksassociatedwithinformationtechnologyorthebusinesslinesthatuseit.Riskssuchaslossoffunds,lossofcompetitiveadvantage,damagedreputation,improperdisclosureofinformation,andregulatoryactionremain.Becausethefunctionsareperformedbyanorganizationoutsidethefinancialinstitution,therisksmayberealizedinadifferentmannerthanifthefunctionswereinsidethefinancialinstitutionresultingintheneedforcontrolsdesignedtomonitorsuchrisks.

Financialinstitutionscanoutsourcemanyareasofoperations,includingallorpartofanyservice,process,orsystemoperation.Examplesofinformationtechnology（IT）operationsfrequentlyoutsourcedbyinstitutionsandaddressedinthisbookletinclude:

theorigination,processing,andsettlementofpaymentsandfinancialtransactions;informationprocessingrelatedtocustomeraccountcreationandmaintenance;aswellasotherinformationandtransactionprocessingactivitiesthatsupportcriticalbankingfunctions,suchasloanprocessing,depositprocessing,fiduciaryandtradingactivities;securitymonitoringandtesting;systemdevelopmentandmaintenance;networkoperations;helpdeskoperations;andcallcenters.Thebookletaddressesaninstitution'sresponsibilitytomanagetherisksassociatedwiththeseoutsourcedITservices.

Managementmaychoosetooutsourceoperationsforvariousreasons.Theseinclude:

∙Gainoperationalorfinancialefficiencies;

∙Increasemanagementfocusoncorebusinessfunctions;

∙Refocuslimitedinternalresourcesoncorefunctions;

∙Obtainspecializedexpertise;

∙Increaseavailabilityofservices;

∙Acceleratedeliveryofproductsorservicesthroughnewdeliverychannels;

∙Increaseabilitytoacquireandsupportcurrenttechnologyandavoidobsolescence;and

∙Conservecapitalforotherbusinessventures.

Outsourcingoftechnology-relatedservicesmayimprovequality,reducecosts,strengthencontrols,andachieveanyoftheobjectiveslistedpreviously.Ultimately,thedecisiontooutsourceshouldfitintotheinstitution'soverallstrategicplanandcorporateobjectives.

Beforeconsideringtheoutsourcingofsignificantfunctions,aninstitution'sdirectorsandseniormanagementshouldensuresuchactionsareconsistentwiththeirstrategicplansandshouldevaluateproposalsagainstwell-developedacceptancecriteria.Thedegreeofoversightandreviewofoutsourcedactivitieswilldependonthecriticalityoftheservice,process,orsystemtotheinstitution'soperation.

Financialinstitutionsshouldhaveacomprehensiveoutsourcingriskmanagementprocesstogoverntheirtechnologyserviceprovider（TSP）relationships.Theprocessshouldincluderiskassessment,selectionofserviceproviders,contractreview,andmonitoringofserviceproviders.Outsourcedrelationshipsshouldbesubjecttothesameriskmanagement,security,privacy,andotherpoliciesthatwouldbeexpectedifthefinancialinstitutionwereconductingtheactivitiesin-house.Thisbookletprimarilyfocusesonhowthebankregulatoryagenciesreviewtheriskmanagementprocessemployedbyafinancialinstitutionwhenconsideringorexecutinganoutsourcingrelationship.

Tohelpensurefinancialinstitutionsoperateinasafeandsoundmanner,theservicesperformedbyTSPsaresubjecttoregulationandexamination.[1]Thefederalfinancialregulatorshavethestatutoryauthoritytosupervisealloftheactivitiesandrecordsofthefinancialinstitutionwhetherperformedormaintainedbytheinstitutionorbyathirdpartyonoroffofthepremisesofthefinancialinstitution.Accordingly,theexaminationandsupervisionofafinancialinstitutionshouldnotbehinderedbyatransferoftheinstitution'srecordstoanotherorganizationorbyhavinganotherorganizationcarryoutallorpartofthefinancialinstitution'sfunctions.[2]

Manyofthegeneralprinciplesoneffectivemanagementofoutsourcingrelationshipsdiscussedinthisbookletcanandshouldbeappliedtomanagingtheoutsourcingofsoftwaredevelopment.OutsourcingofactivitiesrelatedtosoftwaredevelopmentisaddressedintheITHandbook's,"DevelopmentandAcquisitionBooklet."

ThisbookletrescindsandreplacesChapter22ofthe1996FFIECInformationSystemsExaminationHandbook,ISServicing-ProviderandReceiver.

BoardandManagementResponsibilities

ActionSummary

Thefinancialinstitution'sboardandseniormanagementshouldestablishandapproverisk-basedpoliciestogoverntheoutsourcingprocess.Thepoliciesshouldrecognizetherisktotheinstitutionfromoutsourcingrelationshipsandshouldbeappropriatetothesizeandcomplexityoftheinstitution.

Theresponsibilityforproperlyoverseeingoutsourcedrelationshipslieswiththeinstitution'sboardofdirectorsandseniormanagement.Althoughthetechnologyneededtosupportbusinessobjectivesisoftenacriticalfactorindecidingtooutsource,managingsuchrelationshipsismorethanjustatechnologyissue;itisanenterprise-widecorporatemanagementissue.Aneffectiveoutsourcingoversightprogramshouldprovidetheframeworkformanagementtoidentify,measure,monitor,andcontroltherisksassociatedwithoutsourcing.Theboardandseniormanagementshoulddevelopandimplemententerprise-widepoliciestogoverntheoutsourcingprocessconsistently.Thesepoliciesshouldaddressoutsourcedrelationshipsfromanend-to-endperspective,includingestablishingservicingrequirementsandstrategies;selectingaprovider;negotiatingthecontract;andmonitoring,changing,anddiscontinuingtheoutsourcedrelationship.

Factorsinstitutionsshouldconsiderinclude:

∙Ensuringeachoutsourcingrelationshipsupportstheinstitution'soverallrequirementsandstrategicplans;

∙Ensuringtheinstitutionhassufficientexpertisetooverseeandmanagetherelationship;

∙Evaluatingprospectiveprovidersbasedonthescopeandcriticalityofoutsourcedservices;

∙Tailoringtheenterprise-wide,serviceprovidermonitoringprogrambasedoninitialandongoingriskassessmentsofoutsourcedservices;and

∙Notifyingitsprimaryregulatorregardingoutsourcedrelationships,whenrequiredbythatregulator.[1]

Thetimeandresourcesdevotedtomanagingoutsourcingrelationshipsshouldbebasedontherisktherelationshippresentstotheinstitution.Toillustrate,outsourcingprocessingofasmallcreditcardportfoliowillrequireadifferentlevelofoversightthanoutsourcingprocessingofallloanapplications.Additionally,smallerandlesscomplexinstitutionsmayhavelessflexibilitythanlargerinstitutionsinnegotiatingforservicesthatmeettheirspecificneedsandinmonitoringtheirserviceproviders.

RiskManagement

Riskmanagementistheprocessofidentifying,measuring,monitoring,andmanagingrisk.Riskexistswhethertheinstitutionmaintainsinformationandtechnologyservicesinternallyorelectstooutsourcethem.Regardlessofwhichalternativetheychoose,managementisresponsibleformanagingriskinalloutsourcingrelationships.Accordingly,institutionsshouldestablishandmaintainaneffectiveriskmanagementprocessforinitiatingandoverseeingalloutsourcedoperations.

Aneffectiveriskmanagementprocessinvolvesseveralkeyfactors:

∙Establishingseniormanagementandboardawarenessoftherisksassociatedwithoutsourcingagreementsinordertoensureeffectiveriskmanagementpractices;

∙Ensuringthatanoutsourcingarrangementisprudentfromariskperspectiveandconsistentwiththebusinessobjectivesoftheinstitution;

∙Systematicallyassessingneedswhileestablishingrisk-basedrequirements;

∙Implementingeffectivecontrolstoaddressidentifiedrisks;

∙Performingongoingmonitoringtoidentifyandevaluatechangesinriskfromtheinitialassessment;and

∙Documentingprocedures,roles/responsibilities,andreportingmechanisms.

Typically,thisprocessincorporatesthefollowingactivities:

∙Riskassessmentandrequirementsdefinition;

∙Duediligenceinselectingaserviceprovider;

∙Contractnegotiationandimplementation;and

∙Ongoingmonitoring.

Theprecedingcommentsfocusonriskelementsspecificallyassociatedwithoutsourcing.ForabroaderperspectiveonITtransactionalandoperationalrisk,refertotheITHandbook's"SupervisionofTechnologyServiceProviders（TSP）Booklet,"whichaddressesoutsourcingriskfromtheserviceproviderperspective.

Subsections

RiskAssessmentandRequirements

ActionSummary

Managementshould: