Service Provider Selection
■ Evaluate service provider proposals in light of the institution’s needs, including any differences between the institution’s solicitation and the service provider proposal;
■ Perform due diligence on the prospective service providers;
■ Ensure that selection of affiliated parties as service providers is done at arm's length in accordance with regulations and guidance issued by the institution’s primary regulator; and
■ Evaluate foreign-based third-party service providers in light of the guidance found in this section and in Appendix C, Foreign-Based Third-Party Service Providers.
After identifying the work to be performed and the necessary controls, a financial institution solicits responses from prospective service providers. The primary tool for the solicitation is the Request for Proposal (RFP). The RFP also supports subsequent contract negotiations.
Request for Proposal
A financial institution should generate the RFP from the information developed during the requirements definition phase. While the level of detail may vary for any particular procurement, the RFP should describe the institution’s objectives; the scope and nature of the work to be performed; the expected production service levels, delivery timelines, measurement requirements, and control measures; and the financial institution’s policies for security, business continuity, and change control. It also requests responses addressing those requirements as well as the fees each service provider will charge.
Once management distributes the RFPs and receives responses, it should evaluate the service provider proposals against the institution’s needs. When the institution evaluates the proposals, it may find that the proposals do not completely agree with the RFP. For example, the service a provider proposes may include different processing workflows or reporting schemes, or different pricing formulas or techniques, or the response to information requests may not be complete. If the institution considers proposals that differ from the RFP, the institution should evaluate the differences against its requirements and clearly understand how the changes will affect the institution’s objectives and service expectations.
The institution should evaluate material differences using a process similar to the one used to develop the requirements initially. An institution should negotiate a resolution to any differences between the RFP and the service provider proposal before contracting with a service provider.
A financial institution should perform due diligence on the service provider’s response to an RFP as well as the service provider itself. Due diligence should serve as a verification and analysis tool, providing assurance that the service provider meets the institution’s needs. Due diligence should confirm and assess the following information regarding the service provider:
■ Existence and corporate history;
■ Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate;
■ Other companies using similar services from the provider that may be contacted for reference;
■ Financial status, including reviews of audited financial statements;
■ Strategy and reputation;
■ Service delivery capability, status, and effectiveness;
■ Technology and systems architecture;
■ Internal controls environment, security history, and audit coverage;
■ Legal and regulatory compliance including any complaints, litigation, or regulatory actions;
■ Reliance on and success in dealing with third-party service providers;
■ Insurance coverage; and
■ Ability to meet disaster recovery and business continuity requirements.
Other important elements include probing for information on intangibles, such as the third party’s service philosophies, quality initiatives, and management style. The culture, values, and business styles should fit those of the financial institution. When a foreign-based service provider is considered, the evaluation should assess the relationship in light of the above items as well as the information discussed in Appendix C, Foreign-Based Third-Party Service Providers.
Financial institutions may perform due diligence on one or more of the service providers that respond to the RFP. The depth and formality of the due diligence performed may vary according to the risk of the outsourced relationship, the institution’s familiarity with the prospective service providers, and the stage of the provider selection process.
Once institutions issue RFPs, receive and evaluate responses, and perform due diligence, they enter into contract negotiations with one or more of the service providers they have determined can best meet their needs.