How To Understand The Risks Of A Financial Institution


Guidance on Managing Outsourcing Risk

Division of Banking Supervision and Regulation
Division of Consumer and Community Affairs
Board of Governors of the Federal Reserve System

December 5, 2013

Table of Contents

I. Purpose
II. Risks from the Use of Service Providers
III. Board of Directors and Senior Management Responsibilities
IV. Service Provider Risk Management Programs
  A. Risk Assessments
  B. Due Diligence and Selection of Service Providers
    1. Business Background, Reputation, and Strategy
    2. Financial Performance and Condition
    3. Operations and Internal Controls
  C. Contract Provisions and Considerations
  D. Incentive Compensation Review
  E. Oversight and Monitoring of Service Providers
  F. Business Continuity and Contingency Considerations
  G. Additional Risk Considerations

I. Purpose

In addition to traditional core bank processing and information technology services, financial institutions [Footnote 1] outsource operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing. The Federal Reserve is issuing this guidance to financial institutions to highlight the potential risks arising from the use of service providers and to describe the elements of an appropriate service provider risk management program. This guidance supplements existing guidance on technology service provider (TSP) risk, [Footnote 2] and applies to service provider relationships where business functions or activities are outsourced. For purposes of this guidance, "service providers" is broadly defined to include all entities [Footnote 3] that have entered into a contractual relationship with a financial institution to provide business functions or activities.

II. Risks from the Use of Service Providers

The use of service providers to perform operational functions presents various risks to financial institutions. Some risks are inherent to the outsourced activity itself, whereas others are introduced with the involvement of a service provider. If not managed effectively, the use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation. Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements.

- Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
- Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
- Reputational risks arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.
- Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
- Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
- Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.

III. Board of Directors and Senior Management Responsibilities

The use of service providers does not relieve a financial institution's board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations. Policies governing the use of service providers should be established and approved by the board of directors, or an executive committee of the board. These policies should establish a service provider risk management program that addresses risk assessments and due diligence, standards for contract provisions and considerations, ongoing monitoring of service providers, and business continuity and contingency planning.

Senior management is responsible for ensuring that board-approved policies for the use of service providers are appropriately executed. This includes overseeing the development and implementation of an appropriate risk management and reporting framework that includes elements described in this guidance. Senior management is also responsible for regularly reporting to the board of directors on adherence to policies governing outsourcing arrangements.

IV. Service Provider Risk Management Programs

A financial institution's service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged. It should focus on outsourced activities that have a substantial impact on a financial institution's financial condition; are critical to the institution's ongoing operations; involve sensitive customer information or new bank products or services; or pose material compliance risk.

The depth and formality of the service provider risk management program will depend on the criticality, complexity, and number of material business activities being outsourced. A community banking organization may have critical business activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use less elements and considerations. For those financial institutions that may use hundreds or thousands of service providers for numerous business activities that have material risk, the financial institution may find that they need to use many more elements and considerations of a service provider risk management program to manage the higher level of risk and reliance on service providers.

While the activities necessary to implement an effective service provider risk management program can vary based on the scope and nature of a financial institution's outsourced activities, effective programs usually include the following core elements:

A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.

A. Risk Assessments

Risk assessment of a business activity and the implications of performing the activity in-house or having the activity performed by a service provider are fundamental to the decision of whether or not to outsource. A financial institution should determine whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. After that determination is made, a financial institution should analyze the benefits and risks of outsourcing the proposed activity as well as the service provider risk, and determine cost implications for establishing the outsourcing arrangement. Consideration should also be given to the availability of qualified and experienced service providers to perform the service on an ongoing basis. Additionally, management should consider the financial institution's ability and expertise to provide appropriate oversight and management of the relationship with the service provider.

This risk assessment should be updated at appropriate intervals consistent with the financial institution's service provider risk management program. A financial institution should revise its risk mitigation plans, if appropriate, based on the results of the updated risk assessment.

B. Due Diligence and Selection of Service Providers

A financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider. The depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the financial institution's familiarity with prospective service providers, and the reputation and industry standing of the service provider. Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed. The overall due diligence process includes a review of the service provider with regard to:

1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.

1. Business Background, Reputation, and Strategy

Financial institutions should review a prospective service provider's status in the industry and corporate history and qualifications; review the background and reputation of the service provider and its principals; and ensure that the service provider has an appropriate background check program for its employees.

The service provider's experience in providing the proposed service should be evaluated in order to assess its qualifications and competencies to perform the service. The service provider's business model, including its business strategy and mission, service philosophy, quality initiatives, and organizational policies should be evaluated. Financial institutions should also consider the resiliency and adaptability of the service provider's business model as factors in assessing the future viability of the provider to perform services.

Financial institutions should check the service provider's references to ascertain its performance record, and verify any required licenses and certifications. Financial institutions should also verify whether there are any pending legal or regulatory compliance issues (for example, litigation, regulatory actions, or complaints) that are associated with the prospective service provider and its principals.

2. Financial Performance and Condition

Financial institutions should review the financial condition of the service provider and its closely-related affiliates. The financial review may include:

- The service provider's most recent financial statements and annual report with regard to outstanding commitments, capital strength, liquidity and operating results.
- The service provider's sustainability, including factors such as the length of time that the service provider has been in business and the service provider's growth of market share for a given service.
- The potential impact of the financial institution's business relationship on the service provider's financial condition.
- The service provider's commitment (both in terms of financial and staff resources) to provide the contracted services to the financial institution for the duration of the contract.
- The adequacy of the service provider's insurance coverage.
- The adequacy of the service provider's review of the financial condition of any subcontractors.
- Other current issues the service provider may be facing that could affect future financial performance.

3. Operations and Internal Controls

Financial institutions are responsible for ensuring that services provided by service providers comply with applicable laws and regulations and are consistent with safe-and-sound banking practices. Financial institutions should evaluate the adequacy of standards, policies, and procedures. Depending on the characteristics of the outsourced activity, some or all of the following may need to be reviewed:

- Internal controls;
- Facilities management (such as access requirements or sharing of facilities);
- Training, including compliance training for staff;
- Security of systems (for example, data and equipment);
- Privacy protection of the financial institution's confidential information;
- Maintenance and retention of records;
- Business resumption and contingency planning;
- Systems development and maintenance;
- Service support and delivery;
- Employee background checks; and
- Adherence to applicable laws, regulations, and supervisory guidance.

C. Contract Provisions and Considerations

Financial institutions should understand the service contract and legal issues associated with proposed outsourcing arrangements. The terms of service agreements should be defined in written contracts that have been reviewed by the financial institution's legal counsel prior to execution. The characteristics of the business activity being outsourced and the service provider's strategy for providing those services will determine the terms of the contract. Elements of well-defined contracts and service agreements usually include:

- Scope: Contracts should clearly define the rights and responsibilities of each party, including:
  - Support, maintenance, and customer service;
  - Contract timeframes;
  - Compliance with applicable laws, regulations, and regulatory guidance;
  - Training of financial institution employees;
  - The ability to subcontract services;
  - The distribution of any required statements or disclosures to the financial institution's customers;
  - Insurance coverage requirements; and
  - Terms governing the use of the financial institution's property, equipment, and staff.

- Cost and compensation: Contracts should describe the compensation, variable charges, and any fees to be paid for non-recurring items and special requests. Agreements should also address which party is responsible for the payment of any legal, audit, and examination fees related to the activity being performed by the service provider. Where applicable, agreements should address the party responsible for the expense, purchasing, and maintenance of any equipment, hardware, software or any other item related to the activity being performed by the service provider. In addition, financial institutions should ensure that any incentives (for example, in the form of variable charges, such as fees and/or commissions) provided in contracts do not provide potential incentives to take imprudent risks on behalf of the institution.

- Right to audit: Agreements may provide for the right of the institution or its representatives to audit the service provider and/or to have access to audit reports. Agreements should define the types of audit reports the financial institution will receive and the frequency of the audits and reports.

- Establishment and monitoring of performance standards: Agreements should define measurable performance standards for the services or products being provided.

- Confidentiality and security of information: Consistent with applicable laws, regulations, and supervisory guidance, service providers should ensure the security and confidentiality of both the financial institution's confidential information and the financial institution's customer information. Information security measures for outsourced functions should be viewed as if the activity were being performed by the financial institution and afforded the same protections. Financial institutions have a responsibility to ensure service providers take appropriate measures designed to meet the objectives of the information security guidelines within Federal Financial Institutions Examination Council (FFIEC) guidance [Footnote 4], as well as comply with section 501(b) of the Gramm-Leach-Bliley Act. These measures should be mapped directly to the security processes at financial institutions, as well as be included or referenced in agreements between financial institutions and service providers.

  Service agreements should also address service provider use of financial institution information and its customer information. Information made available to the service provider should be limited to what is needed to provide the contracted services. Service providers may reveal confidential supervisory information only to the extent authorized under applicable laws and regulations. [Footnote 5]

  If service providers handle any of the financial institution customer's Nonpublic Personal Information (NPPI), the service providers must comply with applicable privacy laws and regulations. [Footnote 6] Financial institutions should require notification from service providers of any breaches involving the disclosure of NPPI data. Generally, NPPI data is any nonpublic personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available. [Footnote 7] Financial institutions and their service providers who maintain, store, or process NPPI data are responsible for that information and any disclosure of it. The security of, retention of, and access to NPPI data should be addressed in any contracts with service providers.

  When a breach or compromise of NPPI data occurs, financial institutions have legal requirements that vary by state and these requirements should be made part of the contracts between the financial institution and any service provider that provides storage, processing, or transmission of NPPI data. Misuse or unauthorized disclosure of confidential customer data by service providers may expose financial institutions to liability or action by a federal or state regulatory agency. Contracts should clearly authorize and disclose the roles and responsibilities of financial institutions and service providers regarding NPPI data.

- Ownership and license: Agreements should define the ability and circumstances under which service providers may use financial institution property inclusive of data, hardware, software, and intellectual property. Agreements should address the ownership and control of any information generated by service providers. If financial institutions purchase software from service providers, escrow agreements may be needed to ensure that financial institutions have the ability to access the source code and programs under certain conditions. [Footnote 8]

- Indemnification: Agreements should provide for service provider indemnification of financial institutions for any claims against financial institutions resulting from the service provider's negligence.

- Default and termination: Agreements should define events of a contractual default, list of acceptable remedies, and provide opportunities for curing default. Agreements should also define termination rights, including change in control, merger or acquisition, increase in fees, failure to meet performance standards, failure to fulfill the contractual obligations, failure to provide required notices, and failure to prevent violations of law, bankruptcy, closure, or insolvency. Contracts should include termination and notification requirements that provide financial institutions with sufficient time to transfer services to another service provider. Agreements should also address a service provider's preservation and timely return of financial institution data, records, and other resources.

- Dispute resolution: Agreements should include a dispute resolution process in order to expedite problem resolution and address the continuation of the arrangement between the parties during the dispute resolution period.

- Limits on liability: Service providers may want to contractually limit their liability. The board of directors and senior management of a financial institution should determine whether the proposed limitations are reasonable when compared to the risks to the institution if a service provider fails to perform. [Footnote 9]

- Insurance: Service providers should have adequate insurance and provide financial institutions with proof of insurance. Further, service providers should notify financial institutions when there is a material change in their insurance coverage.

- Customer complaints: Agreements should specify the responsibilities of financial institutions and service providers related to responding to customer complaints. If service providers are responsible for customer complaint resolution, agreements should provide for summary reports to the financial institutions that track the status and resolution of complaints.

- Business resumption and contingency plan of the service provider: Agreements should address the continuation of services provided by service providers in the event of operational failures. Agreements should address service provider responsibility for backing up information and maintaining disaster recovery and contingency plans. Agreements may include a service provider's responsibility for testing of plans and providing testing results to financial institutions.

- Foreign-based service providers: For agreements with foreign-based service providers, financial institutions should consider including express choice of law and jurisdictional provisions that would provide for the adjudication of all disputes between the two parties under the laws of a single, specific jurisdiction. Such agreements may be subject to the interpretation of foreign courts relying on local laws. Foreign law may differ from U.S. law in the enforcement of contracts. As a result, financial institutions should seek legal advice regarding the enforceability of all aspects of proposed contracts with foreign-based service providers and the other legal ramifications of such arrangements.

- Subcontracting: If agreements allow for subcontracting, the same contractual provisions should apply to the subcontractor. Contract provisions should clearly state that the primary service provider has overall accountability for all services that the service provider and its subcontractors provide. Agreements should define the services that may be subcontracted, the service provider's due diligence process for engaging and monitoring subcontractors, and the notification and approval requirements regarding changes to the service provider's subcontractors. Financial institutions should pay special attention to any foreign subcontractors, as information security and data privacy standards may be different in other jurisdictions. Additionally, agreements should include the service provider's process for assessing the subcontractor's financial condition to fulfill contractual obligations.

D. Incentive Compensation Review

Financial institutions should also ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts, including a review of whether existing governance and controls are adequate in light of risks arising from incentive compensation arrangements. As the service provider represents the institution by selling products or services on its behalf, the institution should consider whether the incentives provided might encourage the service provider to take imprudent risks. Inappropriately structured incentives may result in reputational damage, increased litigation, or other risks to the financial institution. An example of an inappropriate incentive would be one where variable fees or commissions encourage the service provider to direct customers to products with higher profit margins without due consideration of whether such products are suitable for the customer.

E. Oversight and Monitoring of Service Providers

To effectively monitor contractual requirements, financial institutions should establish acceptable performance metrics that the business line or relationship management determines to be indicative of acceptable performance levels. Financial institutions should ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement. The oversight process, including the level and frequency of management reporting, should be risk-focused. Higher risk service providers may require more frequent assessment and monitoring and may require financial institutions to designate individuals or a group as a point of contact for those service providers. Financial institutions should tailor and implement risk mitigation plans for higher risk service providers that may include processes such as additional reporting by the service provider or heightened monitoring by the financial institution. Further, more frequent and stringent monitoring is necessary for service providers that exhibit performance, financial, compliance, or control concerns. For lower risk service providers, the level of monitoring can be lessened.

- Financial condition: Financial institutions should have established procedures to monitor the financial condition of service providers to evaluate their ongoing viability. In performing these assessments, financial institutions should review the most recent financial statements and annual report with regard to outstanding commitments, capital strength, liquidity and operating results. If a service provider relies significantly on subcontractors to provide services to financial institutions, then the service provider's controls and due diligence regarding the subcontractors should also be reviewed.

- Internal controls: For significant service provider relationships, financial institutions should assess the adequacy of the provider's control environment. Assessments should include reviewing available audits or reports such as the American Institute of Certified Public Accountants' Service Organization Control 2 report. [Footnote 10] If the service provider delivers information technology services, the financial institution can request the FFIEC Technology Service Provider examination report from its primary federal regulator. Security incidents at the service provider may also necessitate the institution to elevate its monitoring of the service provider.

- Escalation of oversight activities: Financial institutions should ensure that risk management processes include triggers to escalate oversight and monitoring when service providers are failing to meet performance, compliance, control, or viability expectations. These procedures should include more frequent and stringent monitoring and follow-up on identified issues, on-site control reviews, and when an institution should exercise its right to audit a service provider's adherence to the terms of the agreement. Financial institutions should develop criteria for engaging alternative outsourcing arrangements and terminating the service provider contract in the event that identified issues are not adequately addressed in a timely manner.

F. Business Continuity and Contingency Considerations

Various events may affect a service provider's ability to provide contracted services. For example, services could be disrupted by a provider's performance failure, operational disruption, financial difficulty, or failure of business continuity and contingency plans during operational disruptions or natural disasters. Financial institution contingency plans should focus on critical services provided by service providers and consider alternative arrangements in the event that a service provider is unable to perform. [Footnote 11] When preparing contingency plans, financial institutions should:

- Ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products;
- Assess the adequacy and effectiveness of a service provider's disaster recovery and business continuity plan and its alignment to their own plan;
- Document the roles and responsibilities for maintaining and testing the service provider's business continuity and contingency plans;
- Test the service provider's business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and
- Maintain an exit strategy, including a pool of comparable service providers, in the event that a contracted service provider is unable to perform.

G. Additional Risk Considerations

- Suspicious Activity Report (SAR) reporting functions: The confidentiality of suspicious activity reporting makes the outsourcing of any SAR-related function more complex. Financial institutions need to identify and monitor the risks associated with using service providers to perform certain suspicious activity reporting functions in compliance with the Bank Secrecy Act (BSA). Financial institution management should ensure they understand the risks associated with such an arrangement and any BSA-specific guidance in this area.

- Foreign-based service providers: Financial institutions should ensure that foreign-based service providers are in compliance with applicable U.S. laws, regulations, and regulatory guidance. Financial institutions may also want to consider laws and regulations of the foreign-based provider's country or regulatory authority regarding the financial institution's ability to perform on-site review of the service provider's operations. In addition, financial institutions should consider the authority or ability of home country supervisors to gain access to the financial institution's customer information while examining the foreign-based service provider.

- Internal audit: Financial institutions should refer to existing guidance on the engagement of independent public accounting firms and other outside professionals to perform work that has been traditionally carried out by internal auditors. [Footnote 12] The Sarbanes-Oxley Act of 2002 specifically prohibits a registered public accounting firm from performing certain non-audit services for a public company client for whom it performs financial statement audits.

- Risk management activities: Financial institutions may outsource various risk management activities, such as aspects of interest rate risk and model risk management. Financial institutions should require service providers to provide information that demonstrates developmental evidence explaining the product components, design, and intended use, to determine whether the products and/or services are appropriate for the institution's exposures and risks. [Footnote 13] Financial institutions should also have standards and processes in place for ensuring that service providers offering model risk management services, such as validation, do so in a way that is consistent with existing model risk management guidance.

Footnotes

Footnote 1: For purposes of this guidance, a "financial institution" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.

Footnote 2: Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.

Footnote 3: Entities may be a bank or nonbank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign.

Footnote 4: For further guidance regarding vendor security practices, refer to the FFIEC Information Security Booklet (July 2006) at

Footnote 5: See 12 CFR Part 261.

Footnote 6: See 12 CFR Part 1016.

Footnote 7: See 12 U.S.C. 6801(b).

Footnote 8: Escrow agreements are established with vendors when buying or leasing products that have underlying proprietary software. In such agreements, an organization can only access the source program code under specific conditions, such as discontinued product support or financial insolvency of the vendor.

Footnote 9: Refer to SR letter 06-4, "Interagency Advisory on the Unsafe and Unsound Use of Limitations on Liability Provisions in External Audit Engagement Letters," regarding restrictions on the liability limitations for external audit engagements at

Footnote 10: Refer to

Footnote 11: For further guidance regarding business continuity planning with service providers, refer to the FFIEC Business Continuity Booklet (March 2008) at

Footnote 12: Refer to SR 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," specifically the section titled, "Depository Institutions Subject to the Annual Audit and Reporting Requirements of Section 36 of the FDI Act" at Refer also to SR 03-5, "Amended Interagency Guidance on the Internal Audit Function and its Outsourcing," particularly the section titled, "Institutions Not Subject to Section 36 of the FDI Act that are Neither Public Companies nor Subsidiaries of Public Companies" at

Footnote 13: Refer to SR 11-7, "Guidance on Model Risk Management" which informs financial institutions of the importance and risk to the use of models and the supervisory expectations that financial institutions should adhere to. gov/bankinforeg/srletters/sr1107.htm


More information

FINANCIAL SERVICES FLASH REPORT

FINANCIAL SERVICES FLASH REPORT FINANCIAL SERVICES FLASH REPORT Draft Regulatry Cmpliance Management Guideline Released by the Office f the Superintendent f Financial Institutins May 5, 2014 On April 30, 2014, the Office f the Superintendent

More information

CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT

CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT Plicy Number: 2.20 1. Authrity Lcal Gvernment Act 2009 Lcal Gvernment Regulatin 2012 AS/NZS ISO 31000-2009 Risk Management Principles

More information

Sources of Federal Government and Employee Information

Sources of Federal Government and Employee Information Inf Surce Surces f Federal Gvernment and Emplyee Infrmatin Ridley Terminals Inc. TABLE OF CONTENTS General Infrmatin Intrductin t Inf Surce Backgrund Respnsibilities Institutinal Functins, Prgram and Activities

More information

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Audit Cmmittee Charter St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Versin 2.0, 22 February 2016 Apprver Bard f Directrs St Andrew

More information

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014 State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)

More information

TO: Chief Executive Officers of all National Banks, Department and Division Heads, and all Examining Personnel

TO: Chief Executive Officers of all National Banks, Department and Division Heads, and all Examining Personnel AL 96-7 Subject: Credit Card Preapprved Slicitatins TO: Chief Executive Officers f all Natinal Banks, Department and Divisin Heads, and all Examining Persnnel PURPOSE The purpse f this advisry letter is

More information

THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM

THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM 1. Prgram Adptin The City University f New Yrk (the "University") develped this Identity Theft Preventin Prgram (the "Prgram") pursuant

More information

DALBAR Due Diligence: Trust, but Verify

DALBAR Due Diligence: Trust, but Verify BEST INTEREST INVESTMENT RECOMMENDATIONS Advisr Rle under Best Interest Regulatins January 27, 2016 In the era when the cntractual bligatin is t act in the client s best interest, investment decisins can

More information

CHARTER OF THE COMPENSATION COMMITTEE OF THE BOARD OF DIRECTORS OF UPLAND SOFTWARE, INC.

CHARTER OF THE COMPENSATION COMMITTEE OF THE BOARD OF DIRECTORS OF UPLAND SOFTWARE, INC. CHARTER OF THE COMPENSATION COMMITTEE OF THE BOARD OF DIRECTORS OF UPLAND SOFTWARE, INC. PURPOSE The purpse f the Cmpensatin Cmmittee f the Bard f Directrs (the Bard ) f Upland Sftware, Inc. (the Cmpany

More information

Personal Data Security Breach Management Policy

Personal Data Security Breach Management Policy Persnal Data Security Breach Management Plicy 1.0 Purpse The Data Prtectin Acts 1988 and 2003 impse bligatins n data cntrllers in Western Care Assciatin t prcess persnal data entrusted t them in a manner

More information

Risk Management Policy AGL Energy Limited

Risk Management Policy AGL Energy Limited Risk Management Plicy AGL Energy Limited AUGUST 2014 Table f Cntents 1. Abut this Dcument... 2 2. Plicy Statement... 2 3. Purpse... 2 4. AGL Risk Cntext... 3 5. Scpe... 3 6. Objectives... 3 7. Accuntabilities...

More information

GUIDANCE FOR BUSINESS ASSOCIATES

GUIDANCE FOR BUSINESS ASSOCIATES GUIDANCE FOR BUSINESS ASSOCIATES This Guidance fr Business Assciates dcument is intended t verview UPMCs expectatins, as well as t prvide additinal resurces and infrmatin, t UPMC s HIPAA business assciates.

More information

FAFSA / DREAM ACT COMPLETION PROGRAM AGREEMENT

FAFSA / DREAM ACT COMPLETION PROGRAM AGREEMENT FAFSA / DREAM ACT COMPLETION PROGRAM AGREEMENT If using US Pstal Service, please return t: Califrnia Student Aid Cmmissin Prgram Administratin & Services Divisin ATTN: Institutinal Supprt P.O. Bx 419028

More information

Project Open Hand Atlanta. Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES

Project Open Hand Atlanta. Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES Prject Open Hand Atlanta Effective Date: April 14, 2003 Health Insurance Prtability and Accuntability Act (HIPAA) The Health Insurance Prtability and Accuntability Act f 1996 (HIPAA) directs health care

More information

THIRD PARTY PROCUREMENT PROCEDURES

THIRD PARTY PROCUREMENT PROCEDURES ADDENDUM #1 THIRD PARTY PROCUREMENT PROCEDURES NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS TRANSPORTATION DEPARTMENT JUNE 2011 OVERVIEW These prcedures establish standards and guidelines fr the Nrth Central

More information

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine Title: Identity Theft Prgram Effective Date: July 2009 NYU Langne Medical Center NYU Hspitals Center NYU Schl f Medicine POLICY It is the plicy f the NYU Langne Medical Center t educate and train staff

More information

VCU Payment Card Policy

VCU Payment Card Policy VCU Payment Card Plicy Plicy Type: Administrative Respnsible Office: Treasury Services Initial Plicy Apprved: 12/05/2013 Current Revisin Apprved: 12/05/2013 Plicy Statement and Purpse The purpse f this

More information

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy WHAT YOU NEED TO KNOW ABOUT Prtecting yur Privacy YOUR PRIVACY IS OUR PRIORITY Credit unins have a histry f respecting the privacy f ur members and custmers. Yur Bard f Directrs has adpted the Credit Unin

More information

Chapter 7 Business Continuity and Risk Management

Chapter 7 Business Continuity and Risk Management Chapter 7 Business Cntinuity and Risk Management Sectin 01 Business Cntinuity Management 070101 Initiating the Business Cntinuity Plan (BCP) Purpse: T establish the apprpriate level f business cntinuity

More information

GENERAL MOTORS COMPANY AUDIT COMMITTEE CHARTER. Most Recently Amended: December 8, 2015

GENERAL MOTORS COMPANY AUDIT COMMITTEE CHARTER. Most Recently Amended: December 8, 2015 GENERAL MOTORS COMPANY AUDIT COMMITTEE CHARTER Mst Recently Amended: December 8, 2015 Purpse The purpse f the Audit Cmmittee is t assist the Bard f Directrs f General Mtrs Cmpany in its versight f the

More information

Presentation: The Demise of SAS 70 - What s Next?

Presentation: The Demise of SAS 70 - What s Next? Presentatin: The Demise f SAS 70 - What s Next? September 15, 2011 1 Presenters: Jeffrey Ziplw - Partner BlumShapir Jennifer Gerasimv Senir Manager Delitte. SAS 70 Backgrund and Overview Purpse f a SAS

More information

SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Audit Manual Sectin J SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Ref. Plicy and Practice Requirements IIA Standards and Other references J 1 Plicy: The Head f Internal Audit shall develp and maintain

More information

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t

More information

In-House Counsel Day Priorities for 2012. Cloud Computing the benefits, potential risks and security for the future

In-House Counsel Day Priorities for 2012. Cloud Computing the benefits, potential risks and security for the future In-Huse Cunsel Day Pririties fr 2012 Clud Cmputing the benefits, ptential risks and security fr the future Presented by David Richardsn Thursday 1 March 2012 WIN: What in-huse lawyers need Knwledge, supprt

More information

ERISA Compliance FAQs: Fiduciary Responsibilities

ERISA Compliance FAQs: Fiduciary Responsibilities Brught t yu by Mrris & Reynlds Insurance ERISA Cmpliance FAQs: Fiduciary Respnsibilities The Emplyee Retirement Incme Security Act f 1974 (ERISA) is a federal law that sets minimum standards fr emplyee

More information

Data Protection Act Data security breach management

Data Protection Act Data security breach management Data Prtectin Act Data security breach management The seventh data prtectin principle requires that rganisatins prcessing persnal data take apprpriate measures against unauthrised r unlawful prcessing

More information

ENTERPRISE RISK MANAGEMENT ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY Plicy N. 10014 Review Date Octber 1, 2014 Effective Date March 1, 2014 Crss- Respnsibility Vice President, Reference Administratin Apprver Executive Cuncil 1. 1. Plicy

More information

10 th May 2010. Dear Peter, Re: Audit Quality in Australia: A Strategic Review

10 th May 2010. Dear Peter, Re: Audit Quality in Australia: A Strategic Review 10 th May 2010 Mr. Peter Levy Audit Quality Strategic Review Crpratins and Financial Services Divisin The Treasury Langtn Crescent PARKES ACT 2600 Dear Peter, Re: Audit Quality in Australia: A Strategic

More information

Appendix H. Annual Risk Assessment and Audit Plan 2013/14

Appendix H. Annual Risk Assessment and Audit Plan 2013/14 Annual Risk Assessment and Audit Plan 2013/14 Internal Audit Department September 25, 2013 Table f Cntents Intrductin.. 3 Risk Assessment Prcess... 4 Page 2 Intrductin Each year, the Internal Audit Department

More information

University of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments

University of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Cntents: Purpse Applicability Plicy Statement Respnsibilities f a Merchant Department Prcess t Becme a Merchant Department

More information

Change Management Process

Change Management Process Change Management Prcess B1.10 Change Management Prcess 1. Intrductin This plicy utlines [Yur Cmpany] s apprach t managing change within the rganisatin. All changes in strategy, activities and prcesses

More information

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337 HIPAA Cmpliance 101 Imprtant Terms Cvered Entities (CAs) The HIPAA Privacy Rule refers t three specific grups as cvered entities, including health plans, healthcare clearinghuses, and health care prviders

More information

Better Practice Guide Financial Considerations for Government use of Cloud Computing

Better Practice Guide Financial Considerations for Government use of Cloud Computing Better Practice Guide Financial Cnsideratins fr Gvernment use f Clud Cmputing Nvember 2011 Intrductin Many Australian Gvernment agencies are in the prcess f cnsidering the adptin f clud-based slutins.

More information

GUIDELINE INFORMATION MANAGEMENT (IM) PROGRAM PLAN

GUIDELINE INFORMATION MANAGEMENT (IM) PROGRAM PLAN Gvernment f Newfundland and Labradr Office f the Chief Infrmatin Officer Infrmatin Management Branch GUIDELINE INFORMATION MANAGEMENT (IM) PROGRAM PLAN Guideline (Definitin): OCIO Guidelines derive frm

More information

Information Security Policy

Information Security Policy Purpse The risk t Charlestn Suthern University, its emplyees and students frm data lss and identity theft is f significant cncern t the University and can be reduced nly thrugh the cmbined effrts f every

More information

A Comparison of UK and Chinese Broking Regulation

A Comparison of UK and Chinese Broking Regulation A Cmparisn f UK and Chinese Brking Regulatin David Cupe Partner +44 (0)203 553 4884 david.cupe@ec3legal.cm The fllwing tables are a cmparisn f UK and Chinese brking regulatins including the Llyd s regulatins.

More information

NAIC Replacement Requirements For Certain Life Insurance Policies And Annuity Contracts

NAIC Replacement Requirements For Certain Life Insurance Policies And Annuity Contracts NAIC Replacement Requirements Fr Certain Life Insurance Plicies And Annuity Cntracts Duties f Prducers If a transactin invlves a replacement, the prducer must leave with the applicant, at the time an applicatin

More information

Hampton Roads Orthopaedics & Sports Medicine. Notice of Privacy Practices

Hampton Roads Orthopaedics & Sports Medicine. Notice of Privacy Practices This is being prvided t yu as a requirement f the privacy regulatins issued under the Health Insurance Prtability and Accuntability Act f 1996 (HIPAA). This ntice describes hw HROSM may use and disclse

More information

Corporate Standards for data quality and the collation of data for external presentation

Corporate Standards for data quality and the collation of data for external presentation The University f Kent Crprate Standards fr data quality and the cllatin f data fr external presentatin This paper intrduces a set f standards with the aim f safeguarding the University s psitin in published

More information

Creating an Ethical Culture and Protecting Your Bottom Line:

Creating an Ethical Culture and Protecting Your Bottom Line: Creating an Ethical Culture and Prtecting Yur Bttm Line: Best Practices fr Crprate Cdes f Cnduct Nte: The infrmatin belw and all infrmatin n this website is nt meant t be taken as legal advice. Please

More information

Process for Responding to Privacy Breaches

Process for Responding to Privacy Breaches Prcess fr Respnding t Privacy Breaches 1. Purpse 1.1 This dcument sets ut the steps that ministries must fllw when respnding t a privacy breach. It must be read in cnjunctin with the Infrmatin Incident

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Cntinuity Management Plicy Versin: 1.0 Last Amendment: Apprved by: Library Cuncil f New Suth Wales Plicy wner/spnsr: Directr, Operatins and Chief Financial Officer Plicy Cntact Officer: Senir

More information

MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016

MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016 MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016 The Manitba Securities Cmmissin (the Cmmissin) is a divisin f the Manitba Financial Services Agency (MFSA). The ther divisin is the Financial Institutins

More information

E-Business Strategies For a Cmpany s Bard

E-Business Strategies For a Cmpany s Bard DATATEC LIMITED BOARD CHARTER / TERMS OF REFERENCE 1. CONSTITUTION The primary bjective f the Cmpany s Bard Charter is t set ut the rle and respnsibilities f the Bard f Directrs ( the Bard ) as well as

More information

HIPAA Notice of Privacy Practices. Central Ohio Surgical Associates, Inc.

HIPAA Notice of Privacy Practices. Central Ohio Surgical Associates, Inc. HIPAA Ntice f Privacy Practices Central Ohi Surgical Assciates, Inc. THIS NOTICE OF PRIVACY PRACTICES (THE NOTICE ) DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

TrustED Briefing Series:

TrustED Briefing Series: TrustED Briefing Series: Since 2001, TrustCC has prvided IT audits and security assessments t hundreds f financial institutins thrugh ut the United States. Our TrustED Briefing Series are white papers

More information

How To Write An Ehsms Training, Awareness And Competency Procedure

How To Write An Ehsms Training, Awareness And Competency Procedure Envirnmental, Health & Safety Management System (EHSMS) Dcument Number: 00122 Issue Date: 05/07/2014 Training, Awareness and Cmpetency Prcedure Revisin Number: 7 Prepared By: Stalcup, Bryce Apprved By:

More information

Human Resources Policy pol-020

Human Resources Policy pol-020 Human Resurces Plicy pl-020 Versin: 2.00 Last amendment: Jul 2014 Next Review: Jul 2017 Apprved By: Cuncil Date: 04 May 2005 Cntact Officer: Directr, Office f Human Resurce Services INTRODUCTION The University

More information

Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

Communicating Deficiencies in Internal Control to Those Charged with Governance and Management Internatinal Auditing and Assurance Standards Bard ISA 265 April 2009 Internatinal Standard n Auditing Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management Internatinal

More information

Major capital investment in councils. Good practice checklist for project managers

Major capital investment in councils. Good practice checklist for project managers Majr capital investment in cuncils checklist fr prject managers Prepared by Audit Sctland March 2013 b The Accunts Cmmissin The Accunts Cmmissin is a statutry, independent bdy which, thrugh the audit prcess,

More information

Systems Support - Extended

Systems Support - Extended 1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Infrmatin Security Incident Respnse Plan Agency: Date: Cntact: 1 TABLE OF CONTENTS Intrductin... 3 Authrity... 4 Terms and Definitins... 4 Rles and Respnsibilities... 5 Prgram... 6 Educatin and Awareness...

More information

Environment Protection Authority

Environment Protection Authority Envirnment Prtectin Authrity EPA Cmplaints Management Plicy Intrductin This plicy sets ut the purpse, principles and prcess fr hw custmer feedback, including cmplaints, will be managed in the EPA t imprve

More information

STANDARDISATION IN E-ARCHIVING

STANDARDISATION IN E-ARCHIVING STANDARDISATION IN E-ARCHIVING R E Q U I R E M E N T S A N D C O N T R O L S F O R D I G I T I S AT I O N A N D E - A R C H I V I N G S E R V I C E P R O V I D E R S Alain Wahl 1 Requirements and cntrls

More information

BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS

BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS SERIES: 1 General Rules RULE: 17.1 Recrd Retentin Scpe: The purpse f this rule is t establish the systematic review, retentin and destructin

More information

National Australia Bank Limited Group Disclosure & External Communications Policy

National Australia Bank Limited Group Disclosure & External Communications Policy Natinal Australia Bank Limited Grup Disclsure & External Cmmunicatins Plicy Grup Disclsure & External Cmmunicatins Plicy Page 2 f 7 Grup Disclsure & External Cmmunicatins Plicy ( the Plicy ) 1. Overview

More information

RUTGERS POLICY. Responsible Executive: Vice President for Information Technology and Chief Information Officer

RUTGERS POLICY. Responsible Executive: Vice President for Information Technology and Chief Information Officer RUTGERS POLICY Sectin: 70.1.1 Sectin Title: Infrmatin Technlgy Plicy Name: Acceptable Use Plicy fr Infrmatin Technlgy Resurces Frmerly Bk: N/A Apprval Authrity: Senir Vice President fr Administratin Respnsible

More information

expertise hp services valupack consulting description security review service for Linux

expertise hp services valupack consulting description security review service for Linux expertise hp services valupack cnsulting descriptin security review service fr Linux Cpyright services prvided, infrmatin is prtected under cpyright by Hewlett-Packard Cmpany Unpublished Wrk -- ALL RIGHTS

More information

AUDIT AND RISK COMMITTEE TERMS OF REFERENCE

AUDIT AND RISK COMMITTEE TERMS OF REFERENCE AUDIT AND RISK COMMITTEE TERMS OF REFERENCE 1. TITLE OF COMMITTEE Audit and Risk Cmmittee 2. ESTABLISHMENT The Audit and Risk Cmmittee is established under Part 3 Sectin 19(1) f the Charles Darwin University

More information

IT CHANGE MANAGEMENT POLICY

IT CHANGE MANAGEMENT POLICY IT CHANGE MANAGEMENT POLICY Effective Date May 19, 2016 Crss-Reference 1. IT Operatins and Maintenance Plicy 2. IT Security Incident Management Plicy Respnsibility Apprver Review Schedule 1. Plicy Statement

More information

Business Plan Overview

Business Plan Overview Business Plan Overview Organizatin and Cntent Summary A business plan is a descriptin f yur business, including yur prduct yur market, yur peple and yur financing needs. Yu shuld cnsider that a well prepared

More information

HEALTH INFORMATION EXCHANGE GRANTS CRITERIA

HEALTH INFORMATION EXCHANGE GRANTS CRITERIA 1 HEALTH INFORMATION EXCHANGE GRANTS CRITERIA INTRODUCTION On August, 20 th, the federal Office f the Natinal Crdinatr fr Health Infrmatin Technlgy (ONC) released an pprtunity fr states t apply fr between

More information

TITLE: Supplier Contracting Guidelines Process: FIN_PS_PSG_050 Replaces: Manual Sections 6.4, 7.1, 7.5, 7.6, 7.11 Effective Date: 10/1/2014 Contents

TITLE: Supplier Contracting Guidelines Process: FIN_PS_PSG_050 Replaces: Manual Sections 6.4, 7.1, 7.5, 7.6, 7.11 Effective Date: 10/1/2014 Contents TITLE: Supplier Cntracting Guidelines Prcess: FIN_PS_PSG_050 Replaces: Manual Sectins 6.4, 7.1, 7.5, 7.6, 7.11 Cntents 1 Abut university supplier cntracting... 2 2 When is a cntract required?... 2 3 Wh

More information

Multi-Year Accessibility Policy and Plan for NSF Canada and NSF International Strategic Registrations Canada Company, 2014-2021

Multi-Year Accessibility Policy and Plan for NSF Canada and NSF International Strategic Registrations Canada Company, 2014-2021 Multi-Year Accessibility Plicy and Plan fr NSF Canada and NSF Internatinal Strategic Registratins Canada Cmpany, 2014-2021 This 2014-21 accessibility plan utlines the plicies and actins that NSF Canada

More information

Privacy and Security Training Policy (PS.Pol.051)

Privacy and Security Training Policy (PS.Pol.051) Privacy and Security Training Plicy (PS.Pl.051) Purpse T define the plicies and prcedures fr prviding privacy and security training in respect f the CnnectingGTA Slutin. Definitins Electrnic Service Prvider

More information

ATTACHMENT U THIRD PARTY AUDITOR/CONSULTANT QUALIFICATION GUIDELINE

ATTACHMENT U THIRD PARTY AUDITOR/CONSULTANT QUALIFICATION GUIDELINE ATTACHMENT U THIRD PARTY AUDITOR/CONSULTANT QUALIFICATION GUIDELINE 1 INTRODUCTION Third party auditr/cnsultant plays an imprtant rle in decmmissining t ensure that all critical decmmissining activities

More information

Template on written coordination and cooperation arrangements of the supervisory college established for the <XY> Group/<A> Institution

Template on written coordination and cooperation arrangements of the supervisory college established for the <XY> Group/<A> Institution COORDINATION AND COOPERATION ARRANGEMENTS EBA/RTS/2014/16 EBA/ITS/2014/07 Annex II Template n written crdinatin and cperatin arrangements f the supervisry cllege established fr the Grup/ Institutin

More information

TITLE: RECORDS AND INFORMATION MANAGEMENT POLICY

TITLE: RECORDS AND INFORMATION MANAGEMENT POLICY TITLE: RECORDS AND INFORMATION MANAGEMENT POLICY REFERENCE NUMBER: 14/103368 RESPONSIBLE DEPARTMENT: Crprate Services APPLICABLE LEGISLATION: State Recrds Act 1997 Lcal Gvernment Act 1999 Crpratins Act

More information

Purpose Statement. Objectives

Purpose Statement. Objectives Apprved by Academic Affairs Cuncil, June 24, 2014 Faculty Handbk Part VI: Other Plicies and Prcedures Sectin R. Intellectual Prperty Classified Emplyee Handbk Part VI: Other Plicies and Prcedures Sectin

More information

TEB REMUNERATION POLICY

TEB REMUNERATION POLICY TEB REMUNERATION POLICY TEB Human Resurces 2013 1 / 11 Table f Cntents A/ Intrductin... 2 B/ Purpse... 3 C/ Scpe... 3 D/ Preparatin f the Remuneratin Plicy... 3 E/ Gvernance and administratin f the prcess...

More information

FINANCIAL OPTIONS. 2. For non-insured patients, payment is due on the day of service.

FINANCIAL OPTIONS. 2. For non-insured patients, payment is due on the day of service. FINANCIAL OPTIONS 1. Fr thse patients wh carry dental insurance, all c-payments are due n date f service. We will file yur claim as a service t yu, and will d ur very best t maximize yur benefits. We accept

More information

Junior Medical Officer. Supervision Guideline SAMPLE ONLY

Junior Medical Officer. Supervision Guideline SAMPLE ONLY Junir Medical Officer Supervisin Guideline SAMPLE ONLY Versin 1.0 February 2011 The Junir Dctr Supervisin Guideline has been develped by SA IMET t prvide facilities with a plicy guideline. Facilities may

More information

How To Ensure Your Health Care Is Safe

How To Ensure Your Health Care Is Safe Guidelines fr Custdians t assess cmpliance with the Persnal Health Infrmatin Privacy and Access Act (PHIPAA) This dcument is designed t help custdians evaluate readiness fr cmpliance with PHIPAA and t

More information

Bl$wing the Whistle $n the New Whistlebl$wer Pr$tecti$ns Created by the D$dd-Frank Act. By: Michael James L$mbardin$

Bl$wing the Whistle $n the New Whistlebl$wer Pr$tecti$ns Created by the D$dd-Frank Act. By: Michael James L$mbardin$ Oct$ber 22, 2010 Bl$wing the Whistle $n the New Whistlebl$wer Pr$tecti$ns Created by the D$dd-Frank Act By: Michael James L$mbardin$ The "D&dd-Frank Wall Street Ref&rm and C&nsumer Pr&tecti&n Act" (D&dd-Frank)

More information

How To Manage An Infrmatin Security Gvernance Prgram

How To Manage An Infrmatin Security Gvernance Prgram CCISO Ttal Duratin: 10 Days, 80 Hurs Dmain 1: Gvernance Qualifying areas under Dmain 1 include (but are nt limited t) the fllwing: Define, implement, manage and maintain an infrmatin security gvernance

More information

Roles and Responsibilities

Roles and Responsibilities Rles and Respnsibilities 1. Rle f the Bard The Bard, which is elected by the sharehlders, is the ultimate decisin-making bdy f the Cmpany, except with respect t matters reserved t sharehlders. The primary

More information

Johnston Public Schools Special Education Procedural Manual. IEP Overview

Johnston Public Schools Special Education Procedural Manual. IEP Overview Jhnstn Public Schls Special Educatin Prcedural Manual IEP Overview Definitin The Individualized Educatin Prgram (IEP) is a written plan fr the apprpriate educatin f students with disabilities. It is a

More information

JOB DESCRIPTION FORM

JOB DESCRIPTION FORM ADDITIONAL INFORMATION ON THE FOLLOWING POST: BUILT ENVIRONMENT MANAGEMENT CLUSTER OFFICE OF THE DEPUTY CITY MANAGER: BUILT ENVIRONMENT MANAGEMENT CLUSTER EXECUTIVE DIRECTOR: LAND, PROPERTY AND ASSET MANAGEMENT

More information

Waitemata District Health Board, 15 Shea Terrace, Takapuna

Waitemata District Health Board, 15 Shea Terrace, Takapuna Date: Octber 2015 Jb Title: Quality and Audit Manager Department: Planning, Funding and Outcmes Unit Lcatin: Waitemata District Health Bard, 15 Shea Terrace, Takapuna Reprting t: Directr Funding Direct

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004J Payment Card Industry (PCI) Patch Management (prpsed) 01.1 Purpse The purpse f the Patch

More information

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative

More information

IFRS Discussion Group

IFRS Discussion Group IFRS Discussin Grup Reprt n the Public Meeting February 26, 2014 The IFRS Discussin Grup is a discussin frum nly. The Grup s purpse is t assist the Accunting Standards Bard (AcSB) regarding issues arising

More information

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Department f Health and Human Services OFFICE OF INSPECTOR GENERAL PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Inquiries abut this reprt may be addressed t the Office f Public Affairs

More information

Comment Call (10-20)

Comment Call (10-20) Cmment Call (10-20) T: Frm: All Affiliated Credit Unin CEOs Vernica Madsen Directr f Cmpliance & General Cunsel Date: December 13, 2010 RE: Crprate Credit Unins Summary NCUA is issuing prpsed amendments

More information

Plus500CY Ltd. Statement on Privacy and Cookie Policy

Plus500CY Ltd. Statement on Privacy and Cookie Policy Plus500CY Ltd. Statement n Privacy and Ckie Plicy Statement n Privacy and Ckie Plicy This website is perated by Plus500CY Ltd. ("we, us r ur"). It is ur plicy t respect the cnfidentiality f infrmatin and

More information

REQUEST FOR PROPOSAL SECURITY SERVICES

REQUEST FOR PROPOSAL SECURITY SERVICES REQUEST FOR PROPOSAL SECURITY SERVICES Sectin I INTRODUCTION [Cmpany] is seeking prpsals frm qualified Cntractrs t prvide unifrmed security service fr [Cmpany] facilities at [Lcatin(s)]. This dcument is

More information

E-ALERT Financial Institutions

E-ALERT Financial Institutions E-ALERT Financial Institutins BEIJING BRUSSELS LONDON NEW YORK SAN DIEGO SAN FRANCISCO SILICON VALLEY WASHINGTON www.cv.cm March 19, 2010 SENATE FINANCIAL REFORM LEGISLATION ADDRESSES PROPRIETARY TRADING

More information

FERRIS STATE UNIVERSITY SCHOOL of NURSING CODE of CONDUCT

FERRIS STATE UNIVERSITY SCHOOL of NURSING CODE of CONDUCT 1 FERRIS STATE UNIVERSITY SCHOOL f NURSING CODE f CONDUCT The Schl f Nursing (SON) at Ferris State University uphlds the University Cde f Student Cnduct and the American Nurses Assciatin Cde f Ethics.

More information

0820.02 Workers Disability Compensation Claims Procedures Issued: January 1, 1994 Revised: March 29, 2012

0820.02 Workers Disability Compensation Claims Procedures Issued: January 1, 1994 Revised: March 29, 2012 State f Michigan Administrative Guide t State Gvernment 0820.02 Wrkers Disability Cmpensatin Claims Prcedures Issued: January 1, 1994 Revised: March 29, 2012 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY:

More information