Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

Foreign-Based Third-Party Service Providers Guidance on Managing Risks in These Outsourcing Relationships

Information Technology / Cybersecurity
June 21, 2006


Summary: The FDIC has prepared the attached guidance to address the risks inherent in outsourcing relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance provides steps that institutions should take to successfully manage such risks.

Highlights:
  • Financial institutions that have outsourcing relationships with third-party service providers face reputational, operational/transactional, compliance and strategic risks.
  • When the third-party service provider resides or performs contractual work outside of the United States, an additional element of risk – "country risk" – is introduced.
  • Financial institutions have the opportunity to enter into contractual arrangements with foreign-based third-party service providers with increasing frequency to handle such services as technology and data processing.
  • U.S.-based third-party service providers are subcontracting substantial portions of their work to entities located outside of the United States. Many financial institutions may be unaware of these subcontracting arrangements or not adequately monitoring these relationships.
  • Prior to selecting a third-party service provider, financial institutions should complete thorough due diligence.
  • The financial institution's management should identify any undisclosed foreign-based subcontracting arrangements prior to entering into a contract with a foreign-based third-party service provider.
  • Contracts with a third-party service provider should be written to protect the financial institution's interests.
  • After the contract is signed, management should continually monitor the condition of the foreign-based third-party service provider and the country in which it is located.

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Board of Directors
Chief Executive Officer
Executive Officers

Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2006/index.html .

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html .

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or 703-562-2200).


Additional Related Topics:

  • Technology Outsourcing (see FIL-81-2000)
FIL-52-2006
Attachment(s)
Guidance for Financial Institutions on the Use of Foreign-Based Third-Party Service Providers
Contact(s)
William H. Henley, Jr, (202) 898-6513

Last Updated: June 21, 2006