Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Supervisory Regulations, Guidelines, Implications, and Approaches
Despite the relative newness of offshoring, many offshoring issues from a regulatory perspective are covered by previously released regulatory guidance regarding outsourcing. Relevant regulatory guidance is contained in releases from the Federal Financial Institutions Examination Council, the FDIC, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration. See Appendix D for detailed listings and summaries of outsourcing-related guidance.
Lessons Learned and Best Practices
Drawing from discussions with other regulators, industry participants, data vendors, and consultants, the following is a compilation of necessary components of a well-structured risk management process for institutions that are considering the offshoring decision:
- Risk assessments must be performed to identify the financial institution's needs and requirements.
- Proper due diligence must be done to identify and select a third-party provider.
- Written contracts must be developed that fully outline the duties, obligations, and responsibilities of both parties and specify which country's law will govern in the event of a contract dispute.
- Contracts should include a termination provision allowing the financial institution, upon reasonable notice and without penalty, to end the outsourcing arrangement if it is not satisfied with any aspect of the offshore firm's performance or work product.
- Contracts with foreign-based service providers should contain a provision acknowledging the authority of the U.S. financial institution regulator to examine the provider's performance of services.
- The contract should also include a provision that enables the financial institution to terminate the contract in the event that a U.S. regulator formally objects to the particular third-party arrangement.
- There should be ongoing oversight of all third parties and third-party activities.
- There should be maintenance of effective documentation of the third-party relationship.
- An information security program compliant with Sections 501(a) and (b) of GLBA must be followed. A well-structured risk management process therefore protects the privacy, confidentiality, and security of customer non-public personal information against threats including, but not limited to, leaks of confidential information and unlawful transfers of personal data.
In addition, a list of recommendations and best practices primarily for ongoing programs is as follows:
- Country Risk
- Financial institutions must closely monitor foreign government policies as well as political, social, economic, and legal conditions in countries where they have a contractual relationship with a service provider.
- The risk assessment process should take into consideration relevant country risk factors and establish sound procedures for addressing country risk problems, including the development of appropriate contingency plans and exit strategies.
- Compliance Risk
- A financial institution's use of a foreign-based service provider must not inhibit its ability to comply with all applicable U.S. laws and regulations. These include record accessibility and retention requirements such as those under the Bank Secrecy Act, the national sanctions and embargo programs of the U.S. Treasury's Office of Foreign Assets Control, and other relevant U.S. consumer protection laws and regulations.
- Financial institutions that use a foreign-based service provider should consider how foreign data privacy laws or regulatory requirements may interact with U.S. privacy laws and regulations and how possible conflicts can be managed.
- Due Diligence
- The due diligence process should include an evaluation of the foreign-based service provider's ability (operationally, financially, and legally) to meet the financial institution's servicing needs given the foreign jurisdiction's laws, regulatory requirements, local business practices, accounting standards, and legal environment.
- The due diligence process should also consider the parties' respective responsibilities in the event of any regulatory changes in the U.S. or the foreign country that could impede the ability of the financial institution or service provider to fulfill the contract.
- The due diligence process should provide that an appropriate monitoring and oversight system is ready for implementation by the financial institution prior to executing the contract with the service provider.
- Contracts between the financial institution and a foreign-based service provider should take into account business requirements and key factors identified during the financial institution's risk assessment and due diligence processes. In particular, financial institution management should insert contract provisions that will protect the privacy of customers and the confidentiality of financial institution records given U.S. law and the foreign jurisdiction's legal environment and regulatory requirements.
- Contracts with third-party service providers should contain a provision indicating that the provider agrees that the services it performs for a financial institution are subject to exam by U.S. Federal financial institution regulatory agencies.
- Choice of Law: Before entering into an agreement or contract with a foreign-based service provider, financial institutions should carefully consider which country's law they wish to govern the relationship and then insert choice-of-law and jurisdictional covenants that provide for resolution of all disputes between the parties under the laws of a specific jurisdiction.
- Confidentiality of Information: Financial institution management should ensure that any contract with a foreign-based third-party service provider prohibits the service provider from disclosing or using financial institution data or information for any purpose other than to carry out the contracted services.
- Local Legal Review: Contracts with foreign third-party service providers should be reviewed by counsel experienced in that country's laws to determine the enforceability of all aspects of any contract, including choice of law and jurisdictional provisions.
- Monitoring and Oversight
- As with a domestic outsourcing arrangement, financial institutions should implement an effective oversight program to monitor the foreign-based service provider's ongoing financial condition and performance.
- The financial institution must determine that the service provider maintains adequate physical and data security controls, transaction procedures, business resumption, continuity planning and testing, contingency arrangements, insurance coverage, and compliance with applicable laws and regulations.
- The financial institution should evaluate independent audit reports prepared by the service provider's audit staff, external audits and reviews (for example, "SAS 70 reviews"), and internal reports provided by the financial institution's own auditors.[8]
- Access to Information
- Financial Institution Access to Information: Critical data or other information related to services provided by a foreign-based third-party service provider to a financial institution must be readily available, in English, at the financial institution's U.S. office(s). Information should include copies of contracts, due diligence, oversight and audit reports, and appropriate contingency plans.
- Regulatory Access to Information: A financial institution's use of a foreign-based third-party service provider and the location of critical data and processes outside U.S. territory must not compromise the primary U.S. regulator's ability to examine the financial institution's operations.
- Supervision by U.S. Regulators
- Regulators should emphasize the responsibility of the serviced financial institution to conduct adequate due diligence, manage risks appropriately, comply with applicable laws, and ensure access to critical information with respect to the services provided by a foreign-based third party.
- Examination focus should be on the results of the financial institution's due diligence, risk assessment, and ongoing oversight program as well as the internal and/or external audits arranged by the service provider or the financial institution.
- If warranted, the regulator may examine a financial institution's outsourcing arrangement with a foreign-based service provider. If the provider is a regulated entity, then the regulator may arrange through the appropriate foreign supervisor(s) to obtain information related to the services provided to the financial institution and, if significant risk issues emerge, to examine those services.
[8] "SAS 70" refers to the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70, Reports on the Processing of Transactions by Service Organizations. This Statement provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. SAS 70 has since been superseded by SSAE 16 and then SSAE 18, so the equivalent reports today are SOC 1 reports; a practitioner should note that these attest to controls over financial reporting, not to information security as such, and should look to SOC 2 reports and independent security assessments for the data security controls discussed above.