IT Examiner School - Oct 2023
Internal Use Only
Service Provider Selection
The Request for Proposal (RFP) should describe:
• The institution's objectives;
• The scope and nature of the work to be performed;
• The expected production service levels, delivery timelines, measurement requirements, and control measures; and
• The financial institution's policies for security, business continuity, and change control.
The RFP should also request responses addressing those requirements, as well as the fees each service provider will charge.
Due Diligence
Due diligence activities should include a review and assessment of:
• Existence and corporate history
• Financial Status
• Strategy and Reputation
• Service Delivery Capabilities, Status, and Effectiveness
• Technology and Systems Architecture
• Internal Controls Environment, Security History, and Audit Coverage
• Legal and Regulatory Compliance
• Insurance Coverage
• Ability to Meet DR/BC Needs
A financial institution should perform due diligence on the service provider's response to an RFP as well as the service provider itself.