March 15, 2019
In 2013, the Board of Governors of the Federal Reserve System (FRB) issued Supervisory Letter SR 13-19, Guidance on Managing Outsourcing Risk. Together with the FFIEC's Outsourcing and Technology Services Booklet, it is meant to help financial institutions build vendor risk management programs that address the risks introduced by third-party service providers.
What is SR 13-19 really, and what do you need to know? We sat down, tore into it, and put together this series to explain exactly what it means for your Legal Department and your Law Firms.
As the use of technology has expanded, so have the number and specificity of data security regulations. The financial industry (and, with it, the legal industry that serves it) has drawn particular regulatory attention over the past decade. It is especially exposed to both internal data fraud and external cybercrime, and incidents of either kind often cause significant losses to customers and investors, as well as potential shocks to markets.
Stories of data breaches that put client, vendor, and legal information at risk are increasingly common, but some business sectors have embraced risk management and are blazing the path toward better information security. The financial industry is one of the leaders in risk management, particularly in managing outsourcing risk.
FRB SR 13-19 was developed in part as a supplement to the FFIEC's Outsourcing and Technology Services Booklet. Beyond providing definitions, clarifications, and requirements for effective vendor risk management, it is known for its extensive list of risk considerations (including concentration risk) and its thorough breakdown of contract provisions. We'll explore these later in our series, but for now, here are some fast facts:
- Who Issued it? The Board of Governors of the Federal Reserve System (FRB)
- When? December 5, 2013
- What Did they Issue? Supervision and Regulation Letter (SR) 13-19: Guidance on Managing Outsourcing Risk. (The same letter was also issued as Consumer Affairs letter CA 13-21, so you will see it cited as SR 13-19 / CA 13-21.)
- Why? To help financial institutions understand and manage the risks that arise when a bank activity is outsourced to a service provider.
- Who Does it Apply To? All financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.
- Mandatory? It is supervisory guidance rather than a formal rule, but supervised institutions are examined against it, so in practice you should treat it as required.
- How Much is Required? The letter does not prescribe a single program. It expects the depth of your outsourcing risk management to be commensurate with the size and complexity of your institution and with the risk of each outsourced activity, so a small bank with a few low-risk vendors is held to a lighter standard than a large institution with critical outsourced functions.
- Any Cross References?
  - FFIEC Outsourcing and Technology Services Booklet
  - FRB SR 11-7: Guidance on Model Risk Management (SR 13-19 excludes model risk and points to SR 11-7 for it)
If you have some time, we recommend reading the letter itself, but keep up with us to learn more about SR 13-19 in the context of your Legal Department, Legal Vendors, and Outside Counsel by following our series or reaching out to us.