CUNA Comment Letter
BITS Draft Framework on Technology Outsourcing
July 24, 2001
VIA E-MAIL: email@example.com
Ms. Faith Boettger
805 15th Street, N.W.
Washington, D.C. 20005
Dear Ms. Boettger:
The Credit Union National Association (CUNA) appreciates the opportunity to comment on the draft BITS Framework for Managing Information Technology (IT) Service Provider Relationships (Framework). The Framework is intended to complement regulatory guidance and financial service companies' internal risk management assessments regarding technology outsourcing. As a national trade association, CUNA represents more than 90 percent of the nation's 10,600 state and federal credit unions. This letter reflects the comments we have received from CUNA's Technology Council.
Summary of Our Comments
In CUNA's view, the Framework is a helpful business planning model that will provide credit unions of all sizes with guidance for sound program development concerning technology outsourcing. However, there are several modifications and additions to the Framework that we would like to recommend. The following are the modifications and additions we propose:
- The title of the document should be changed to better reflect its scope.
- It is necessary to clarify that business requirements defined in Section 2 are included in the Request For Proposal (RFP) and due diligence process; one way would be to include a sample RFP.
- The Framework should address the integration of the RFP and due diligence process with financial institutions' business continuity planning.
- The Framework should provide additional details in defining the appropriate exit strategy and specifics around the role of technology service provider and receiver financial institution.
- Which parties can demand the right to audit should be clarified by defining what events or circumstances could trigger the audit and who will incur the cost of the audit.
- The Framework should address the issue of how service levels can be set effectively for new channels and complex service relationships.
- The Framework should be expanded to include the concept of performance level plans to identify processes and timeline required to get the system/service into production.
- While an annual review of third party outsourcing arrangements is crucial, it would be overly prescriptive to advise the establishment of a steering committee to perform this function.
- Ongoing relationship management should be more fully addressed, in particular as concerns future costs or rate increases.
- The guidelines should be applied flexibly so that some vendors are not inadvertently squeezed out.
Our recommendations are discussed in more detail below.
Title of Document
CUNA feels that the title of the document should be changed to better reflect its scope. We suggest the new title could be something like "Risk Management Framework for Outsourced Partnerships/Relationships" or "Framework for Choosing and Using Outsourced Technology Relationships". One part of the document that is important but is not addressed in that title is determining whether outsourcing is the right course of action. Perhaps this concept could be included in the title also.
Inclusion of Business Requirements in the RFP and Due Diligence Process
It is necessary to clarify that the business requirements defined in Section 2, Business Decision to Outsource IT Services, are included in the RFP and due diligence process. Section 2 has many key items that need to be included in the RFP; each item needs to be reviewed in detail to determine whether it should be included. Some items, such as defining the criticality of the system or service to future business plans (2.1.2), are internal, and items such as determining the technology necessary to deliver the business requirements (2.3) might be difficult to define explicitly. Therefore, we recommend the Framework note that financial institutions might want to inform the outside vendor of the institution's business requirements and have the vendor suggest technology solutions. CUNA recommends that a sample RFP be added as an Appendix and that a text section at the beginning of Section 3, Considerations for the Request for Proposal (RFP), indicate the importance of including the business elements discussed in Section 2 in the RFP.
Integration of the RFP and Due Diligence Process With Business Continuity Planning
The Framework should address the integration of the RFP and due diligence process with financial institutions' business continuity planning. The Framework should advise that financial institutions determine, in advance, how service will be impacted by interruption and specify the recovery mechanisms, and that these be incorporated into the RFP and due diligence process. CUNA recommends an additional comment on identifying the impact of service interruption on the organization: how would the institution itself handle the outsourced application in the event of a "disaster" at the institution, not just at the provider?
To be as proactive as possible, especially with online services, it is necessary to determine in the RFP and due diligence processes how either the financial institution or the vendor partner will deal with disaster recovery and business continuity. Points to consider could include: what are the partner's plans if any systems fail, how do they recover operations, and what does the financial institution need to consider to remain online with the vendor partner in such situations. In other words, the Framework should bring together what is included in Section 5.11, Backup, Emergency Notification, Technology Recovery, and Business Continuity, with business continuity plans.
Exit Strategy
We feel the Framework should provide additional details in defining the appropriate exit strategy and specifics around the roles of the technology service provider and the receiver financial institution. For example, the Framework could discuss negotiating an early warning system for third party provider merger and acquisition talks, that is, requiring service providers to inform clients of pending actions, especially when a competitor may be the acquirer. In addition, depending on how critical the services are to the institution, the institution may need to develop alternate suppliers or in-house support. To the extent that personal, confidential member/customer information is being shared with the vendor partner, it should be identified somewhere who "owns" that data. Such details might be best included in an Appendix for those desiring more specifics or examples. One strategy to assist in this area is to make available a collection of documents that would provide examples or "lessons learned."
Right to Audit
The Framework should further clarify which parties can demand the right to audit (the receiver financial institution, the service provider, or both) by defining what events or circumstances could trigger the audit as well as who will incur the cost of the audit. There may need to be limitations to reduce financial liability for the audit. Further, regulator-imposed audit requirements would be non-negotiable. It would be a good idea for the Framework to set up headings labeled (1) Financial Institutions, (2) Service Providers, and (3) Both. The guidelines could then list, under the appropriate headings, the control procedures that need to be audited on a regular basis.
Service Levels for New Channels and Complex Service Relationships
The Framework should address the issue of how service levels can be set effectively for new channels and complex service relationships such as bill payment standards. Given the unique situation of each institution as well as the fact that standards change over time, the Framework should indicate that each institution must determine the appropriate standards for their usage requirements and set the standards that apply.
In addition, it would be useful to expand the 24x7 concept. Some service providers calculate their performance standards based on blackout periods of the day. In other words, there is no negative impact if they are "down" or "offline" between midnight and 5 a.m.; they have carte blanche to do anything during this timeframe. Financial institutions need to run 24 hours a day, 7 days a week. It is also important to identify the method being used so that "up time" percentages can be compared between vendors. Expanding Section 5.1, Scope of Services, in this area would be helpful.
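To illustrate why the measurement method matters when comparing vendors, the following is an added example (not part of the original letter or the BITS Framework) that scores the same constructed week of outages two ways: true 24x7 availability, and the vendor-style calculation that excludes a midnight-to-5 a.m. blackout window from both the denominator and the counted downtime. The dates, outage times and the (0, 5) blackout window are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: one reporting week and two outages.
# The first outage sits entirely inside a midnight-to-5am blackout window.
PERIOD_START = datetime(2001, 7, 1)
PERIOD_END = datetime(2001, 7, 8)
OUTAGES = [
    (datetime(2001, 7, 3, 0, 30), datetime(2001, 7, 3, 4, 30)),   # 4 h, overnight
    (datetime(2001, 7, 5, 10, 0), datetime(2001, 7, 5, 11, 0)),   # 1 h, business hours
]

def _overlap(a_start, a_end, b_start, b_end):
    """Seconds shared by two [start, end) intervals; 0 if they are disjoint."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(0.0, (end - start).total_seconds())

def blackout_windows(period_start, period_end, start_hour, end_hour):
    """Yield each daily [start_hour, end_hour) window, clipped to the period."""
    day = period_start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < period_end:
        w_start = max(day + timedelta(hours=start_hour), period_start)
        w_end = min(day + timedelta(hours=end_hour), period_end)
        if w_end > w_start:
            yield w_start, w_end
        day += timedelta(days=1)

def availability(period_start, period_end, outages, blackout=None):
    """Up-time percentage for the period, rounded to 3 decimals.
    blackout=None measures true 24x7. blackout=(0, 5) mimics a vendor
    that removes midnight-5am from scheduled time AND from counted downtime."""
    total = (period_end - period_start).total_seconds()
    down = sum(_overlap(s, e, period_start, period_end) for s, e in outages)
    if blackout is not None:
        for w_start, w_end in blackout_windows(period_start, period_end, *blackout):
            total -= (w_end - w_start).total_seconds()
            down -= sum(_overlap(s, e, w_start, w_end) for s, e in outages)
    return round(100.0 * (total - down) / total, 3)

def compare_measures():
    """Same outages, two reporting methods; the gap is what the letter warns about."""
    return {
        "24x7": availability(PERIOD_START, PERIOD_END, OUTAGES),
        "blackout_0_to_5": availability(PERIOD_START, PERIOD_END, OUTAGES, blackout=(0, 5)),
    }

if __name__ == "__main__":
    print(compare_measures())
```

With these inputs the 24x7 figure is 97.024% while the blackout-adjusted figure is 99.248%, even though members could not reach the service for five hours either way.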
Performance Level Plans
Section 5, Contractual, Service Level, and Insurance Considerations, and Section 7, Implementation and Conversion Plan, should be expanded to include the concept of performance level plans to identify processes and timeline required to get the system/service into production. Points to add would be: performance levels and expected timelines, measures, anticipated future capabilities as compared to anticipated volumes in business plan (i.e. scalability), acceptance testing, formal acceptance of service, and resolution of disagreements.
Annual Review of Outsourcing Arrangements
CUNA believes it is not necessary to expand Section 8, Ongoing Relationship Management and Changes in the Outsourced Environment, to include the concept of the financial service provider establishing a steering committee to meet regularly to review the outsourcing service and address open issues. An annual review of third party outsourcing arrangements is crucial. It is unlikely that the service provider is going to be willing to take the time to document unmet service level agreements; this will almost surely be the responsibility of the receiver financial service company. Creating clearly defined and measurable service level agreements that can be reviewed is the only way to ensure full compliance from the service provider; without some sort of formal review process, it is too easy to let this area go unreviewed. However, it would be overly prescriptive to advise the establishment of a steering committee to perform this function. If an institution chooses to do such a review with a "steering committee," that is fine. However, different institutions may want to handle such oversight in different ways with different working groups. That is a decision best left up to the individual financial service provider. The Framework should state that the responsible group(s) should meet regularly to discuss any problems they are having and to make sure that control procedures are being followed. A key point that needs to be emphasized is that the institution's technology, operations, marketing, compliance, and legal departments must all be included to conduct a thorough review of third party IT provider relationships.
Ongoing Relationship Management
One of the areas that could be of concern for credit unions as well as other financial service providers is continued vendor support. CUNA suggests the Framework note that it is prudent to try to address future costs of support or the rate of increase. Institutions should make sure that they can change the vendor that is providing the service. Otherwise, the institution could find itself in a relationship that would be devastating to sever, from a financial and/or customer perspective.
Some Vendors May Get Inadvertently Squeezed Out
CUNA is concerned that if the Framework becomes the standard, it may inadvertently squeeze out large vendors selling to small credit unions due to additional requirements the Framework would impose (revenue to cost considerations). For the same reason, small vendors may also be eliminated, although it may be appropriate if the vendor cannot provide the continuity of service required. We urge flexibility in the application of the model.
CUNA believes that with the modifications and additions recommended above, the Framework will be an extremely useful and practical document for credit unions to rely on for guidance to effectively evaluate and manage IT service provider relationships. Inclusion of a list citing where financial service companies can go for additional information and support would contribute to making the Framework an even more valuable resource.
If you have any questions regarding this letter, please contact one of us at (202) 682-4200.
Mary Mitchell Dunn
Associate General Counsel
Catherine A. Orr
Senior Regulatory Counsel