Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Appendix C—Outsourcing/Offshoring Risks
The following is a summary of risks that are related to the issue of outsourcing. It should be noted that of the eight risk types identified below, only the first one, country risk, pertains uniquely to work outsourced to another country. All the rest pertain equally to any outsourced work, whether the work is performed domestically or not.12
- Country Risk
  - Assets might be confiscated by one or more governments.
  - Confiscatory tax rates or assessments could be imposed.
  - Employee risk-related issues.
- Reputation Risk
  - Risks to earnings or capital could arise from negative public opinion.
  - Arises from poor service, disruption of service, or violations of consumer law.
  - Occurs when third-party interaction with bank customers is not consistent with the bank's policies or standards.
  - Occurs when there is negative publicity about adverse events involving the bank.
- Operations/Transactional Risk
  - Risks to earnings or capital arise from problems with service or product delivery. The lack of an effective business resumption plan and appropriate contingency plans increases transaction risk.
  - Occurs when products, services, delivery channels, and processes do not fit with the bank's systems, customer demands, or strategic objectives.
  - Weak control over technology used in the third-party arrangement may result in threats to security and the integrity of systems and resources.
  - Can be the result of fraud or error by the third party.
  - Arises from inadequate capacity, technology failure, or lack of effective business resumption and contingency planning by the third party.
  - Possible risks include liquidity, interest rate, price, and foreign currency transaction risk.
  - Loss of trade secrets is possible when an outsource company also does work with competitors.
- Compliance Risk
  - Risk to earnings or capital arises from violations of laws or regulations or nonconformance with internal policies or ethical standards. This risk exists when the activities of a third party are not consistent with law, policies, or ethical standards of the financial institution and the financial institution's country. This risk is exacerbated by an inadequate oversight and audit function.
  - Offshore vendors do not have the same privacy regulations as those that exist in the United States.
  - Can be due to improper review of products, services, or systems with respect to consumer law or other regulatory compliance matters.
  - Can occur if the bank's oversight program fails to include appropriate audit and control features.
  - Can occur if the vendor fails to adequately protect the privacy of nonpublic customer information.
- Strategic Risk
  - This is a risk to earnings or capital arising from adverse business decisions or improper implementation. The financial institution is also exposed to strategic risk when it uses a third party to perform banking functions or to offer products or services that do not help the financial institution achieve corporate strategic goals and provide an adequate return on investment.
  - Occurs when banking functions or products or services are offered that are not compatible with the bank's strategic goals.
  - Can occur when third-party relationships are used without fully performing due diligence reviews.
  - Can occur when risk management's scope or depth is not commensurate with the activity.
  - Can occur when the bank does not possess the adequate expertise to oversee the third party.
  - Financial institutions face the potential for loss of trade secrets if poor controls exist when a vendor performs work for competitors in the same outsource location.
- Credit Risk
  - This is a risk to earnings or capital that arises from the obligor's failure to meet the terms of any contract with the bank or to otherwise perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Appropriate monitoring of the activity of the third party is necessary to ensure that credit risk is understood and remains within board-approved limits.
  - Receivables quality declines as the third party performs inadequate account management, customer service, or collection activity.
  - Can occur when there is improper oversight of third parties who solicit and refer customers, conduct underwriting analysis, or set up other credit-related product programs.
  - Can occur when there is inadequate financial capacity by a third party to fulfill its contract with the bank.
- Other Risks
  - Personnel security.
  - Network Security.
  - Business continuity.
  - Infrastructure (fragile, technical infrastructures that may be inordinately susceptible to physical disruptions).
  - Information Security.
- Event Risk (Source: Financial Services Technology Consortium 2004).
  - Disruption in Telecommunications
    - Severing of lines, destruction of infrastructure, failure of a telecommunications company, capacity problems in the grid, equipment or software failure, virus attack, human error, etc.
  - Disasters at a facility
    - Fire, building collapse, employee violence, hazardous material transportation accident, long-term water or electrical outage, etc.
  - Natural Calamity
    - Hurricane, flood, tornado, earthquake, landslides, ice storms, heavy snowfall, extreme cold, etc.
  - Health Restrictions
    - Flu epidemic, SARS, Ebola, AIDS, food poisoning, anthrax, biological weapons, plague, other infectious diseases.
  - Nuclear and chemical threats
    - Chemical spills and plant accidents, nuclear or chemical terrorism.
  - Visa Restrictions
    - Government applies a quota or limit to visas that is lower than normal, processing time increases because of background checks, increased rejection of visa applications, etc.
  - Travel Restrictions/Aviation Accidents
12 Risk descriptions for numbers one through seven were derived from the FDIC, the OCC, the FRB, the OTS or the FFIEC.