The Federal Financial Institutions Examination Council, which issued the guidance, says it is intended to assist financial institutions in effectively managing the risks of outsourcing arrangements. The FFIEC notes that institutions outsource a wide range of technology services that include aggregation, digital certification, security monitoring, information and transaction processing and settlement activities to support banking functions.

"However, responsibility for managing the risks associated with those products or activities cannot be outsourced," the Council warns.

The FFIEC expects the boards of directors and senior management of financial institutions to directly oversee and manage outsourcing relationships. It says financial institutions should institute an outsourcing process that includes:
* a risk assessment to identify the institution's needs and requirements;
* proper due diligence to identify and select a provider;
* written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and
* ongoing oversight of outsourcing technology services.

The guidance encourages managers to consider additional risk-management controls when services involve the use of the Internet.

"The Internet, with its broad geographic reach, ease of access and anonymity, requires institutions' close attention to maintaining secure systems, detecting intrusions, developing reporting systems, and verifying and authenticating customers," the guidance note states.

In addition, the regulators believe that the emergence of new startup service companies with limited experience, resources and knowledge of the regulated financial services environment should heighten the importance of effective risk-management practices.