Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
The following are preliminary recommendations formulated by the staff in conducting this review of offshore outsourcing:
- Encourage Identification of Undisclosed Third-Party Contracting Arrangements
Undisclosed third-party contracting arrangements may increase risk in outsourcing relationships. This potential increase in risk occurs regardless of whether the undisclosed third party resides domestically or offshore; however, inherent outsourcing risks may be amplified by unique country risk when the third party is an offshore vendor. Our recommendation is that financial institutions that outsource data to domestic vendors should be aware when those domestic vendors have in turn subcontracted the same work to overseas or domestic third parties. This awareness has not always existed; the May 2004 edition of the American Bankers Association's Banking Journal discusses an instance where subcontracting to an offshore vendor occurred without the knowledge of the financial institution.[9] It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations.[10] Part of a standardized procedure should include:
- Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;
- Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;
- Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and
- Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.
- Consider Enhancing Bank Service Company Act (BSCA) Retention Procedures through Creation of a Central Database
To assist in measuring and monitoring the systemic risk posed by foreign technology service providers, the Federal financial institution regulators should consider enhancing their BSCA retention procedures. Section 7(c)(2) of the BSCA states that any regulated financial institution that has services performed by a third party "shall notify such (appropriate Federal banking agency) of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first." Currently those notices are not aggregated in a central location. The agencies should conduct a cost/benefit analysis of establishing one shared, central repository of institution notices of outsourcing arrangements for use in analysis, monitoring, and tracking by the Federal Financial Institutions Examination Council.
[9] Steve Cocheo, "Global Think? Or Job Shrink?" ABA Banking Journal, May 2004.
[10] 1996 FFIEC IS Examination Handbook.