CUNA Regulatory Comment Call


October 14, 2003

BITS Framework on Outsourcing Technology

EXECUTIVE SUMMARY

SUMMARY OF THE PROPOSED REVISED GUIDANCE

GENERAL OVERVIEW OF THE FRAMEWORK

The Framework is divided into the following 9 sections:

DISASTER RECOVERY/BUSINESS CONTINUITY PLANNING

SECURITY AUDITS AND ASSESSMENTS

ONGOING RELATIONSHIP MANAGEMENT

CROSS-BORDER OUTSOURCING CONSIDERATIONS

COMPARISON OF BITS FRAMEWORK WITH NCUA GUIDELINES

Finally, Appendix 2 (Framework Map to Federal Banking Agency Guidelines) now has an added section concerning how NCUA’s Letter to Credit Unions Regarding Due Diligence Over Third Party Service Providers (No. 01-CU-20) compares with the various sections of the Framework. The Letter to Credit Unions can be found on NCUA’s website at http://www.ncua.gov/letters/2001/01-CU-20.pdf.

QUESTIONS ON THE PROPOSED REVISED FRAMEWORK

  1. Do you agree with the requirements for risk analysis, recovery objectives, planning, testing, event management, governance and insurance in the Disaster Recovery and Business Continuity Matrix?

    Yes ______ No ______

    If not, which requirements should be added/deleted?














  2. Do you agree with the high-level expectations for security providers that deal with the protection of the financial institution’s information and security assets?

    Yes ______ No ______

    If not, why not?














  3. Are there issues that have been overlooked in the enhanced Section 8 regarding ongoing vendor relationship management that you feel should be included?

    Yes ______ No ______

    If so, what specific points would you like to see included?














  4. Should Section 8 be expanded to include the concept of the institution establishing a Steering Committee to regularly meet to review the outsourcing service and address open issues?

    If so, what points about the Steering Committee should be emphasized?














  5. Are there additional letters or other guidance issued by NCUA that you believe should be included in Appendix 2: Framework Map to Federal Banking Agency Guidelines?

    Yes ______ No ______

    If so, what additional NCUA guidance should be included in the appendix?














  6. Are there concerns or processes with regard to credit union technology outsourcing that you believe still need to be addressed in the Framework?

    Yes ______ No ______

    If so, what are those concerns or processes?














  7. Other comments?














Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com