WASHINGTON — The Federal Deposit Insurance Corp. knows that many community banks would like to go the outsourcing route for at least some of their technology needs.

The FDIC has also learned that community bankers do not want anything that looks like a new set of rules about how to handle the process. As a result, the agency will release to banks today a set of pointers – not regulations – providing information on selecting a service provider, setting up risk-mitigation contracts, and working with more than one provider.

“This is not intended to be used as an examination procedure. You can take them or leave them, although we certainly hope you take them,” said Cynthia Bonnette, the assistant director of the FDIC’s bank technology group.

The FDIC developed the pamphlets because it believes community banks need more hand-holding than large banks in managing the risks involved with technology outsourcing. It and other regulators issued general guidance on the subject last fall, but that three-page “white paper” was aimed at thrifts, banks, and credit unions of all sizes.

Ms. Bonnette said the agency felt more detailed instruction was needed since community banks do not have the same negotiating power as large banks and few small banks have technology experts on staff.

Bank and thrift trade groups worked with the FDIC in developing the pamphlets, which range from 10 to 15 pages each. Viveca Y. Ware, the director of payment systems for the Independent Community Bankers Association, said the guidance will be “extremely helpful,” especially at institutions that do not have divisions dedicated to managing outsourcing.

“This is really going to help community banks home in on areas that are important to their outsourcing relationship,” she said.

Technology vendors have also reviewed the pamphlets, and Ms. Bonnette said they found the recommendations useful because they now have a better understanding of what banks — and regulators — want. Regulators have no formal examination process for vendors, but they will conduct reviews on a case-by-case basis.

Ms. Bonnette said bankers “have to be more diligent in educating vendors and specify what they need and what they expect, because vendors won’t necessarily know.”

The FDIC developed the brochures after talking with examiners, consultants, and bankers and visiting nine banks across the country to see how outsourcing worked firsthand. Pamphlet 1 gives the basics and includes examples of requests for proposal and service agreements.

Doug Johnson, a senior policy analyst for the American Bankers Association, said the pamphlets are “written in a language that is not too technical. I think for community banks it will provide a basic parameter and things to consider when outsourcing.”

Pamphlet 1 also recommends steps to take before drawing up a service agreement, including determining objectives, defining requirements, setting measurements, and establishing accountability. It also notes the importance of feedback from the third-party provider and a periodic review of the agreement.

The second pamphlet suggests selecting a provider through a scoring system that a bank can apply to each bid. The FDIC also notes that direct communication with the providers is essential — in face-to-face meetings, for instance.

The third pamphlet features tips on coping with more than one service provider. These include using a lead contractor to supervise the other contractor and having the bank oversee operation agreements with all the providers. The FDIC lays out the pros and cons of each approach.

The pamphlets went through many revisions and at one point were in the form of standard FDIC white papers. At a forum arranged by the agency in March, bankers and trade group representatives objected to the white-paper format, saying it had the wrong tone, Ms. Ware said.

Rob Drozdowski, a senior regulatory specialist for Americas Community Bankers, said some language was changed to make the guidelines seem less like orders. For instance, “should” became “may find useful.”

Ms. Bonnette said the FDIC may issue additional pamphlets on other areas of third-party technology. Trade groups say that would be a good idea.

“Hopefully,” Mr. Drozdowski said, “they will continue this and come up with more guidelines and eventually create a comprehensive guide on information security programs.”


Related Content Online

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.