Financial Regulators Release New Appendix to Business Continuity Planning Booklet
Appendix J: Strengthening the Resilience of Outsourced Technology Services
The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services.
The BCP Booklet contains guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The booklet also was designed to provide guidance to financial institutions about the implementation of their business continuity planning processes.
The appendix highlights that a financial institution’s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner. The appendix highlights and strengthens the BCP Booklet in four specific areas:
- Third-Party Management
- Third-Party Capacity
- Testing with Third-Party Technology Service Providers
- Cyber Resilience
The IT Handbook is a collaborative effort of the Information Technology Subcommittee of the FFIEC’s Task Force on Supervision. The Information Technology Subcommittee promotes uniform and effective information on technology-related policies and supervisory programs for financial institutions and their service providers. The IT Handbook is available online at http://ithandbook.ffiec.gov/
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms, and to promote uniformity in the supervision of financial institutions. The Council has six voting members: a Governor of the Board of Governors of the Federal Reserve System, designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the Board of the National Credit Union Administration; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.
- FFIEC Appendix J (PDF)
- CFPB: Sam Gilford, (202) 435-7673
- FDIC: Greg Hernandez, (202) 898-6984
- FRB: Eric Kollig, (202) 452-2955
- NCUA: Ben Hardaway, (703) 518-6333
- OCC: Stephanie Collins, (202) 649-6870
- SLC: Catherine Woody, (202) 728-5733