The Federal Reserve Bank of New York is understood to be working on revised and more detailed guidelines for financial firms in their management of outsourced IT risk, for release later this year. It is understood that that the New York Fed believes that banks need to do additional work to ensure they have the right risk management structures in place, in particular in terms of ensuring that managers are accountable for managing contracts with outsource service providers and for ensuring that any problems are caught as early as possible.
It has also recently reported that the New York Fed is leading efforts by US regulatory agencies to set new minimum standards banks must meet in order to protect themselves for cyber attacks. Along with the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp, the New York Fed is said to be responding to the rising number of high-profile cyber attacks, including February’s attack on the Bangladesh central bank, in which thieves made off with $81m.
In the past, the New York Fed has relied on guidance and industry alerts in order to keep the financial institutions it supervises up to speed with changing risks. However, reacting to pressure they see from a mounting number of attacks, the Fed appears ready to seek a greater degree of accountability from banks in their management of cyber risks.
It seems the New York Fed is taking a similar view on IT risk management. Its officials have noted on numerous occasions the growing dependency of banks on their IT infrastructures, heightened by their inter-connectedness and linkages through market platforms such as CLS, the foreign exchange settlement system and Swift, the global inter-bank payments consortium.
In terms of IT and vendor risk management in particular, a key focus for the New York Fed is understood to be how banks, especially smaller banks, manage the contracts they strike with third party suppliers of IT services. Rather than a prescriptive approach — such as defining exactly what reporting lines firms should put in place — the Fed is believed to favour a “smarter” approach to outsourcing that places a greater emphasis on accountability in the management of outsource contracts, and more contingency planning for when things go wrong.
One reason for that approach is that smaller banks do not have the same management resources as larger banks when it comes to putting controls in place, and yet smaller banks may often be proportionately more dependent on outsource suppliers.
While it remains to be seen exactly what form the New York Fed’s revised expectations of banks’ IT risk management will take, they will be updating guidance delivered in the New York Fed’s 2013 supervisory letter SR 13-19, “Guidance on Managing Outsourcing Risk”, which can be read here.
The SR 13-19 letter stated that the use of service providers can expose financial firms to a number of risks:
- Compliance risk (the risk that services do not comply with US laws and regulations)
- Concentration risk (over-dependence on a limited number of suppliers)
- Reputational risks (the actions of a supplier impact on the reputation of the firm)
- Country risks (relating to the domicile of the supplier)
- Operational risks (an operational problem with a supplier may transfer to the customer firm)
- Legal risks (as potentially with compliance risks, the actions of a supplier may not comply with US laws)
The letter also outlined its requirements of its managers in terms of establishing new outsourcing agreements and reporting on them to their firms’ boards. In turn, the 2013 letter supplemented guidance contained in a booklet on outsourcing technology services produced in 2004 by the Federal Financial Institutions Examination Council, the agency helps set uniform reporting and examination standards for the Federal Reserve System. The booklet can be read here.
