US FFIEC Outsourcing Technology Services IT Examination Handbook (English edition)
IT Booklets:
Outsourcing Technology Services
(US FFIEC Outsourcing Technology Services IT Examination Handbook)
Introduction
The financial services industry has changed rapidly and dramatically. Advances in technology enable institutions to provide customers with an array of products, services, and delivery channels. One result of these changes is that financial institutions increasingly rely on external service providers for a variety of technology-related services. Generally, the term "outsourcing" is used to describe these types of arrangements.
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) "Outsourcing Technology Services Booklet" (booklet) provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution's risk management processes to establish, manage, and monitor IT outsourcing relationships.
The ability to contract for technology services typically enables an institution to offer its customers enhanced services without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it. In many situations, outsourcing offers the institution a cost-effective alternative to in-house capabilities. Outsourcing, however, does not reduce the fundamental risks associated with information technology or the business lines that use it. Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action remain. Because the functions are performed by an organization outside the financial institution, the risks may be realized in a different manner than if the functions were inside the financial institution, resulting in the need for controls designed to monitor such risks.
Financial institutions can outsource many areas of operations, including all or part of any service, process, or system operation. Examples of information technology (IT) operations frequently outsourced by institutions and addressed in this booklet include:
the origination, processing, and settlement of payments and financial transactions; information processing related to customer account creation and maintenance; as well as other information and transaction processing activities that support critical banking functions, such as loan processing, deposit processing, fiduciary and trading activities; security monitoring and testing; system development and maintenance; network operations; help desk operations; and call centers. The booklet addresses an institution's responsibility to manage the risks associated with these outsourced IT services.
Management may choose to outsource operations for various reasons. These include:
∙ Gain operational or financial efficiencies;
∙ Increase management focus on core business functions;
∙ Refocus limited internal resources on core functions;
∙ Obtain specialized expertise;
∙ Increase availability of services;
∙ Accelerate delivery of products or services through new delivery channels;
∙ Increase ability to acquire and support current technology and avoid obsolescence; and
∙ Conserve capital for other business ventures.
Outsourcing of technology-related services may improve quality, reduce costs, strengthen controls, and achieve any of the objectives listed previously. Ultimately, the decision to outsource should fit into the institution's overall strategic plan and corporate objectives.
Before considering the outsourcing of significant functions, an institution's directors and senior management should ensure such actions are consistent with their strategic plans and should evaluate proposals against well-developed acceptance criteria. The degree of oversight and review of outsourced activities will depend on the criticality of the service, process, or system to the institution's operation.
Financial institutions should have a comprehensive outsourcing risk management process to govern their technology service provider (TSP) relationships. The process should include risk assessment, selection of service providers, contract review, and monitoring of service providers. Outsourced relationships should be subject to the same risk management, security, privacy, and other policies that would be expected if the financial institution were conducting the activities in-house. This booklet primarily focuses on how the bank regulatory agencies review the risk management process employed by a financial institution when considering or executing an outsourcing relationship.
To help ensure financial institutions operate in a safe and sound manner, the services performed by TSPs are subject to regulation and examination.[1] The federal financial regulators have the statutory authority to supervise all of the activities and records of the financial institution, whether performed or maintained by the institution or by a third party on or off of the premises of the financial institution. Accordingly, the examination and supervision of a financial institution should not be hindered by a transfer of the institution's records to another organization or by having another organization carry out all or part of the financial institution's functions.[2]
Many of the general principles on effective management of outsourcing relationships discussed in this booklet can and should be applied to managing the outsourcing of software development. Outsourcing of activities related to software development is addressed in the IT Handbook's "Development and Acquisition Booklet."
This booklet rescinds and replaces Chapter 22 of the 1996 FFIEC Information Systems Examination Handbook, IS Servicing - Provider and Receiver.
Board and Management Responsibilities
Action Summary
The financial institution's board and senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution.
The responsibility for properly overseeing outsourced relationships lies with the institution's board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue. An effective outsourcing oversight program should provide the framework for management to identify, measure, monitor, and control the risks associated with outsourcing. The board and senior management should develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing servicing requirements and strategies; selecting a provider; negotiating the contract; and monitoring, changing, and discontinuing the outsourced relationship.
Factors institutions should consider include:
∙ Ensuring each outsourcing relationship supports the institution's overall requirements and strategic plans;
∙ Ensuring the institution has sufficient expertise to oversee and manage the relationship;
∙ Evaluating prospective providers based on the scope and criticality of outsourced services;
∙ Tailoring the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
∙ Notifying its primary regulator regarding outsourced relationships, when required by that regulator.[1]
The time and resources devoted to managing outsourcing relationships should be based on the risk the relationship presents to the institution. To illustrate, outsourcing processing of a small credit card portfolio will require a different level of oversight than outsourcing processing of all loan applications. Additionally, smaller and less complex institutions may have less flexibility than larger institutions in negotiating for services that meet their specific needs and in monitoring their service providers.
Risk Management
Risk management is the process of identifying, measuring, monitoring, and managing risk. Risk exists whether the institution maintains information and technology services internally or elects to outsource them. Regardless of which alternative they choose, management is responsible for managing risk in all outsourcing relationships. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing all outsourced operations.
An effective risk management process involves several key factors:
∙ Establishing senior management and board awareness of the risks associated with outsourcing agreements in order to ensure effective risk management practices;
∙ Ensuring that an outsourcing arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;
∙ Systematically assessing needs while establishing risk-based requirements;
∙ Implementing effective controls to address identified risks;
∙ Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment; and
∙ Documenting procedures, roles/responsibilities, and reporting mechanisms.
Typically, this process incorporates the following activities:
∙ Risk assessment and requirements definition;
∙ Due diligence in selecting a service provider;
∙ Contract negotiation and implementation; and
∙ Ongoing monitoring.
The preceding comments focus on risk elements specifically associated with outsourcing. For a broader perspective on IT transactional and operational risk, refer to the IT Handbook's "Supervision of Technology Service Providers (TSP) Booklet," which addresses outsourcing risk from the service provider perspective.
Subsections
Risk Assessment and Requirements
Action Summary
Management should: