8 December 2004

Federal Financial Institutions Examination Council Issues Guidance for Managing Open Source Risks

Pillsbury Winthrop Shaw Pittman

The acceptance and use of Open Source software continues to increase at a rapid pace. Its use in the financial services industry is no exception. Open Source software provides numerous benefits, but poses some risks as well. The Federal Financial Institutions Examination Council (FFIEC)[1] recently published guidance on the need for effective risk management practices relating to the use of free and open source software (FOSS). The purpose of the guidance was to educate financial institutions about certain risks associated with FOSS and the need to consider and proactively manage risks associated with FOSS.

The FFIEC opines that the use of FOSS poses many risks similar to those of proprietary software, but cautions institutions that FOSS necessitates implementation of "unique risk management practices." It categorizes the risks and risk management issues into three categories – strategic, operational and legal. Of these, the legal issues are most distinct from proprietary software and require the most additional risk management.

This article provides a summary of the FFIEC’s guidance and additional information about the use of FOSS.

Background

The FFIEC IT Examination Handbook, "Development and Acquisition Booklet," recommends that financial firms and technology providers maintain effective security programs that are tailored to the complexity of their operations. This new advisory on FOSS supplements the handbook, by addressing strategic, operational, and legal risk considerations in acquiring and using FOSS.

Strategic Risks

With respect to strategic issues, the FFIEC suggests that institutions assume that they will control neither the direction nor the quality of work performed in connection with a specific FOSS product. In this context, code customization, compatibility and interoperability, product maturity, forking (i.e., product development taking a path that is inconsistent with the direction elected by the institution), and systems integration and support present distinct risks. The FFIEC suggests that institutions test customized code to "ensure performance and the maintenance of confidentiality, integrity, and availability of systems and data." The institutions are also advised to consider their technical and legal ability to modify and maintain the code.

As to the other strategic risks, the FFIEC notes that an institution may need to ensure that adequate support is available for FOSS either in-house, through vendors or other outside sources. It warns that more of the total cost of ownership may become the responsibility of the institution. In particular, in-house personnel may need training to perform support, maintenance and upgrade services, as well as contingency planning. Further, resources that are not provided organically will need to be outsourced. Therefore, although it is possible for institutions to deploy FOSS without paying license fees, this does not mean the software is "free" in the sense that there are no costs associated with its installation, maintenance, support and training. The advisory cautions that FOSS may ultimately become more expensive than other proprietary products, and warns institutions to analyze potentially hidden costs as part of their strategic information systems planning.

Operational Risks

The operational risks of FOSS addressed by the FFIEC include code integrity, contingency planning and support, and the degree to which FOSS meets documentation standards. In order to mitigate these operational risks, the FFIEC again advises institutions to ensure that adequate support is available for FOSS in-house or through reputable vendors. The FFIEC notes that appropriate pre-testing and evaluation of code integrity is essential before introducing FOSS into a live environment. It advises institutions to develop standards and adopt appropriate procedures to ensure that they are acquiring the source code from a trustworthy source. The FFIEC also advises institutions to "verify the integrity" of the code, software updates, and patches they receive. The FFIEC further recommends that institutions develop viable exit strategies and alternatives to replace mission-critical FOSS applications should the need arise. As a further caution, the FFIEC advises institutions to make every effort to avoid acquiring "dead-end software" which has been abandoned by the relevant support community.
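One concrete form of the "trustworthy source" and "verify the integrity" recommendations above is to accept downloads only from origins the institution has designated in its acquisition standard, and to check every received file against a digest manifest published by the project. The following Python is an added example written for this page; it is not code from the FFIEC, the article's authors, or any project. The origin allowlist, file names and file contents are constructed, and the manifest is generated inline from the sample data to stand in for one the institution would obtain and signature-check through a separate channel.

```python
import hashlib
import hmac

# Hypothetical allowlist of download origins the institution's acquisition
# standard designates as trustworthy (constructed for this example).
TRUSTED_ORIGINS = ("https://releases.example-project.invalid/",)

# Constructed sample downloads: a source archive and a patch.
SAMPLE_FILES = {
    "project-1.0.tar.gz": b"\x1f\x8b\x08\x00pretend-gzip-archive-bytes",
    "patch-1.diff": b"--- a/server.c\n+++ b/server.c\n@@ -1 +1 @@\n-old\n+new\n",
}

# Manifest in `sha256sum` output format ("<hex digest>  <filename>").
# In practice this text comes from the project's signed release page; here it is
# generated from the constructed samples so the example runs offline.
SAMPLE_MANIFEST = "# release 1.0 digests\n" + "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in SAMPLE_FILES.items()
)


def parse_sha256sum_manifest(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Blank lines and '#' comments are ignored; any other malformed line is an error,
    because a silently skipped entry would leave a file unverified.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes '*' for binary-mode entries
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(name, data, source_url, expected):
    """Return "ok" or a short reason the download must be rejected.

    Order matters: an untrusted origin is rejected before any digest work, and a
    file absent from the manifest is rejected rather than assumed acceptable.
    """
    if not source_url.startswith(TRUSTED_ORIGINS):
        return "untrusted source"
    if name not in expected:
        return "not listed in manifest"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading digest bytes matched.
    if not hmac.compare_digest(actual, expected[name]):
        return "digest mismatch"
    return "ok"


def check_release(files, manifest_text, source_url):
    """Verify every sample file; returns {filename: result}."""
    expected = parse_sha256sum_manifest(manifest_text)
    return {name: verify_download(name, data, source_url, expected) for name, data in files.items()}


if __name__ == "__main__":
    good_origin = "https://releases.example-project.invalid/1.0/"
    for name, result in check_release(SAMPLE_FILES, SAMPLE_MANIFEST, good_origin).items():
        print(f"{name}: {result}")
```

A digest check only helps if the manifest itself is trustworthy: if the manifest is fetched from the same place as the file, an attacker who can replace one can replace both, so the manifest should be verified against a project signing key or obtained through an independent channel before it is used here.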

Legal Risks

With respect to legal issues related to FOSS, the FFIEC emphasizes the risk of problems encountered in licensing, indemnification, warranties, and infringement. The acquisition and use of FOSS may be governed by several different non-negotiable licenses, having significantly different terms, rights, and remedies. It is important to know and observe the differing terms.

The FFIEC advises institutions to seek qualified counsel regarding the requirements and restrictions of the particular license governing the possession and use of FOSS.

Additionally, the FFIEC cautions that the most significant concern presented by FOSS licenses is that they generally do not include any warranties regarding performance, integration capabilities, or infringement indemnification. In response to these concerns, vendors have begun to market select FOSS products using "dual licenses" which include not only the applicable FOSS license terms but additional representations and warranties directly from the vendors. Such arrangements, warns the FFIEC, require close scrutiny and may warrant the consideration of third-party insurance.

Although not specifically addressed by the FFIEC, some recent studies have suggested that the Total Cost of Ownership (TCO) for FOSS is comparable to that of proprietary software. Of course, some other studies dispute this.

As to intellectual property infringement, the FFIEC indicates that there is a somewhat higher risk, compared to proprietary software, that FOSS violates third-party intellectual property rights. These risks include both patent and copyright infringement. Making matters worse, FOSS users receive no contract protection (e.g., warranty or indemnification) for this higher risk. In theory, any programmer can add infringing code to FOSS because it is developed in an open environment. Moreover, most providers of FOSS do not offer the warranty protections customarily given for commercial products. As a result, the higher risk of infringement, and the consequent exposure to injunctions and damages, rests entirely on the FOSS user.

The FFIEC cautions institutions to obtain the advice of counsel with particular expertise in copyright and patent law before making a commitment to a FOSS program.

Conclusion

FOSS has many advantages to the financial services sector. However, it also necessitates unique risk management practices, particularly in the legal arena. Is FOSS right for your organization? Or might it create a legal morass?

If you would like to receive additional advisories about open source software or additional information about the risk management practices that should be used in conjunction with the use of free and open source software, please contact James G. Gatto, Rick A. Toering or Monica B. Lateef.

Footnotes

1. The Federal Financial Institutions Examination Council member agencies are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, National Credit Union Administration, Office of Comptroller of the Currency and Office of Thrift Supervision.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
