CUNA Regulatory Comment Call
July 13, 2001
BITS Framework on Outsourcing Technology
(NOT A MAJOR RULE)
EXECUTIVE SUMMARY
In May, CUNA joined BITS, the technology arm of the Financial Services Roundtable. BITS is the leader in developing policy recommendations and standards on emerging technology issues for the financial services industry in the e-commerce area. Regulatory advocacy staff, Assistant General Counsel Michelle Profit and Senior Regulatory Counsel Catherine Orr, represented CUNA at the BITS "Forum on IT Service Providers and Outsourcing" held in Chicago on June 13. This was CUNA's first appearance at a BITS meeting as a BITS member. First Technology CU's Michael Scheuerman presented information on interoperability among multiple service providers.
The meeting focused on the draft version of the Framework for Managing IT Service Provider Relationships (Framework). The Framework addresses the regulatory, business and technology risk aspects of financial services companies' relationships with service providers. The Framework is not meant to be an audit checklist but is to be used as a guiding document and set of criteria against which IT service provider relationships can be effectively evaluated and managed. The document is intended to complement regulatory guidance and the financial services companies' internal risk management assessment.
The Framework is divided into the following 5 sections:
- Section 1 provides an overview of the steps a financial institution should take in evaluating a decision to outsource IT services.
- Section 2 provides guidance on which factors management should consider in making a decision to outsource IT services.
- Section 3 enumerates factors to consider in developing the internal control, backup, and recovery requirements for a request for proposal (RFP) for IT services.
- Section 4 addresses verification (due diligence) of how the service provider delivers the requirements specified in Section 3.
- Section 5 covers contractual, service level, and insurance considerations.
- Section 6 discusses procedures supporting specific controls, requirements, and responsibilities of the institution and provider.
- Section 7 addresses transition planning issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.
- Section 8 provides guidance on ongoing relationship management issues, including changes in the outsourced environment.
Implementation of this industry-wide approach will more effectively provide a common understanding among IT service providers, address known control weaknesses in outsourced IT services, and result in more consistent and appropriate levels of management by financial services companies that outsource IT services. The final guidelines will be publicly released in the early fall.
Comments on the Framework are due by July 23, 2001. Please submit your comments to CUNA by July 20, 2001. Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com or to Senior Regulatory Counsel Catherine Orr at corr@cuna.com; or mail them to Mary or Catherine c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. If you would like to submit your comments to BITS directly, the address is Faith Boettger, Senior Director, BITS, 805 15th Street, N.W., Suite 600, Washington, D.C. 20005; to submit comments electronically to BITS (Faith Boettger), please send your e-mail to Faith@fsround.org. If you submit comments directly to BITS, please also forward a copy of your comments to CUNA. You may contact CUNA if you would like a copy of the draft Framework or you may access it by clicking here (PDF document).
QUESTIONS ON THE FRAMEWORK
- Do you agree that the document should be renamed Technology Risk Management for Outsourced Relationships
to better reflect the scope of the document?
Yes ______ No ______
If not, is there a name that would better reflect the document's scope?
- Do you agree it is necessary to clarify that the business requirements defined in Section 2 are included in
the RFP and due diligence process?
Yes ______ No ______
If so, how should that clarification language read?
- Do you agree that the Framework should address the integration of the RFP and due diligence processes
with financial institutions' business continuity planning?
Yes ______ No ______
If so, what specific points would you like to see included?
- Do you think the Framework should clarify the use of the due diligence process as the RFP is
developed?
Yes ______ No ______
If so, what specific points should be included in the clarification?
- Are additional details required in defining the appropriate exit strategy and specifics around the role of
technology service provider and receiver financial institution?
Yes ______ No ______
If so, what details do you recommend?
- Do you agree that the Framework should clarify which parties can demand the right to audit the
receiver financial institution, service provider, or both?
Yes ______ No ______
How would you clarify that right?
- How should the Framework address the issue of how service levels can be set effectively for new channels and complex
service relationships (for example, bill payment standards)?
- Do you agree that Sections 5 and 7 should be expanded to include the concept of performance level plans to
identify process and timeline required to get the system/service into production?
Yes ______ No ______
What points would you like to see discussed regarding performance level plans?
- Should Section 8 be expanded to include the concept of the financial service provider establishing a
Steering Committee to regularly meet to review the outsourcing service and address open issues?
Yes ______ No ______
If so, what points about the Steering Committee should be emphasized?
- Are there concerns or processes with regard to credit union technology outsourcing which you believe still
need to be addressed in the Framework?
Yes ______ No ______
If so, what are those concerns or processes?
- Other comments?

Eric Richard, General Counsel, (202) 508-6742, erichard@cuna.com
Mary Mitchell Dunn, SVP & Associate General Counsel, (202) 508-6736, mdunn@cuna.com
Jeffrey Bloch, Assistant General Counsel, (202) 508-6732, jbloch@cuna.com
Catherine Orr, Senior Regulatory Counsel, (202) 508-6743, corr@cuna.com




