Knowing What to Outsource in the Bank Supplier Industry

Outsourcing is the use of a third-party vendor to perform activities on a continuing basis that would normally be undertaken by the bank. The third party could be an affiliated entity within the bank’s corporate group or an entity external to the bank’s corporate group. Many minority and de novo bank officials have said that the selection and management of vendors have been more complicated and more costly than they expected. It is important to understand how to select vendors and how to mitigate associated risks.

How Banks Can Mitigate the Risks
The board of directors must maintain effective oversight and ensure that effective controls are in place. Management must maintain effective oversight but must also effectively manage any outsourcing relationships. At the start, management must be prepared to select a qualified vendor, manage and monitor the outsourcing agreement, ensure that controls are in place and validated independently, and ensure that a contingency plan is in place.

Steps a Bank Can Take to Properly Manage an Outsourcing Relationship
Managing an outsourcing relationship involves several key steps, including risk assessments, service provider selection, contract documentation, and ongoing monitoring. In the risk assessment, management will evaluate the capability of the service provider to provide the necessary level of service. The service provider selection process must allow time for bank management to evaluate proposals and present necessary information to executive management or the board of directors for review. The contract should clearly define the rights and responsibilities of both parties and contain adequate and measurable service level requirements. As part of ongoing monitoring, the bank should periodically evaluate the vendor’s compliance with service level expectations and conduct an annual performance evaluation. In addition, the bank should consider whether the financial condition of the vendor has changed and confirm that the disaster recovery plan is still adequate and updated to accommodate operational changes that may have occurred.

The bank should follow seven principles for outsourcing:

  1. Implement a comprehensive policy to guide the assessment of whether and how activities can be outsourced appropriately
  2. Establish a comprehensive outsourcing risk management program to address outsourced activities and relationships with service providers
  3. Ensure that outsourcing arrangements do not diminish the bank’s ability to fulfill obligations to customers or regulators
  4. Conduct appropriate due diligence in selecting third-party providers
  5. Ensure that outsourcing relationships are governed by written contracts
  6. Develop and maintain contingency plans, which should also provide for periodic testing of back-up facilities
  7. Take appropriate steps to require that service providers protect confidential information

Outsourcing offers a number of appealing benefits to banks that need very specialized IT experience. However, decision makers should not enter the process lightly. IT outsourcing is not a quick fix. The success of an IT outsourcing relationship hinges on effective supplier management underpinned by a comprehensive governance framework that includes ongoing contract and financial scrutiny, operational performance monitoring, and value creation from technology innovation and service/cost improvements.