Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Bank Examinations > Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks

Appendix A—Most Widely-Used Offshoring Locations

This appendix provides analysis of the legal privacy foundations of countries that are the most likely choices for offshore locations. Not done independently but taken from current offshoring and privacy-related publications, this analysis is not intended to be definitive with respect to the ability of each country's legal system to handle potential privacy disputes. We note, however, that none of the countries currently have privacy laws equivalent to those of the European Union or the United States, and, therefore, as discussed previously, we recommend that financial institutions take care to analyze choice of law issues.

No general data protection law exists, although some limited provisions exist in regulations that support statutes dealing with consumer protection and the prevention of terrorism. Under the Information Technology Act of 2000, "hacking"11 entails imprisonment up to three years. In 1998, a national information technology (IT) task force recommended that the government should draft and pass regulations based on the United Kingdom Data Protection Act that are designed to oversee the handling of computerized data. That law, which is being drafted by the Ministry of Information Technology and the National Association of Software and Service Companies (NASSCOM), has yet to be enacted.

General characteristics:

  • Very strong information technology (IT) and outsourcing industries are already in place.
  • Poor national infrastructure.
  • Generally low-cost base.
  • Bangalore and Mumbai (formerly Bombay) are India's premier IT locations, but each has recently seen double-digit labor wage increases.
  • Mumbai is India's major financial market; however, it suffers from high real estate costs, congestion, and pollution.
  • Strong English language skills

No general data protection law exists. The freedom and privacy of network users is protected by law. Very few laws limit government interference with the collection, use, and disclosure of personal information.

General characteristics:

  • Recently admitted to the World Trade Organization.
  • Bureaucracy of non-democratic government can be a hindrance.
  • Large labor pool, but language barriers exist.

No general data protection law exists, although the Information Technology and E-Commerce Council recently proposed a data privacy law expected to adhere to European Union standards of data privacy. The Electronic Commerce Act of 2000 mandates a minimum fine and prison term of six months to three years for unlawful and unauthorized access to computer systems. Bank records are protected by the Bank Secrecy Act and the Secrecy of Bank Deposits Act.

General characteristics:

  • Excellent English-speaking and high-tech skills.
  • Low-cost base with moderate infrastructure.
  • Potential for political instability with risks to foreign nationals.
  • The skilled labor often seeks employment abroad.

No general data protection law exists, and there is only a small division within the Ministry of Finance responsible for privacy and data protection. In 2002, the National Internet Advisory Committee released a draft "Model Data Protection Code for the Private Sector" that incorporates internationally recognized standards. The Code is available for self-regulatory adoption by the private sector. Privacy legislation has been under consideration for over a dozen years. The Banking Act prohibits disclosure of financial information without the permission of the customer.

General characteristics:

  • Very strong financial services skills.
  • Excellent infrastructure.
  • High salaries and real estate costs.

The main statute is the Privacy Act of 1988, which created eleven Information Privacy Principles that are based on those in guidelines issued by the multinational Organization for Economic Cooperation and Development. The fourth of these eleven principles relates to storage and security of personal information.

In 2001, the private-sector amendments to the Privacy Act became operative. The new provisions provide for ten National Privacy Principles (NPP). Under the fourth NPP, an organization must take "reasonable steps" to protect the personal information it holds from misuse and loss and from unauthorized access, modification, or disclosure. There have been criticisms over the general descriptions of the ten NPPs and their enforcement, for example, over the fact that privacy complaints are handled initially by an industry-appointed authority.

General characteristics:

  • Very strong financial services skills and availability.
  • Costs are high relative to most of region.
  • Very strong infrastructure.

No general data protection law exists, and there is no data protection agency. The Communications and Multimedia Act of 1988 contains a number of provisions on privacy, including a prohibition on unlawful interception of communications. The Banking and Financial Institutions Act of 1989 contains provisions on privacy with respect to banking information. The Ministry of Energy, Communications, and Multimedia is currently drafting the Personal Data Protection Act, a more comprehensive statute covering the collection, possession, processing, and use of and security of personal data.

General characteristics:

  • Promising new technology corridor and government IT focus.
  • Fair levels of infrastructures relative to Asia.
  • Low cost of labor and real estate.

South Africa
No general data protection law exists. In 2002, the Law Commission began a project to draft a general national Privacy Act. Also in 2002, the Electronic Communications and Transaction Act was enacted. The Act contains statutory provisions on cyber crime including unauthorized access to data, the interception of or interference with data, and hacking. Personal privacy provisions have been deferred until the passage of the Privacy Act. Therefore, privacy protection currently relies on voluntary adoption by data collectors. Financial privacy is similarly covered by a code of conduct for banks issued by the Banking Council.

General characteristics:

  • Very low real estate prices and low labor costs.
  • Possess some specific industry skills.

Additional Sources for Country Risk Information
Table 1 lists different sources for country risk information. Additionally, the Office of Foreign Assets Control of the U.S. Department of the Treasury administers and enforces economic and trade sanctions against targeted foreign countries, organizations sponsoring terrorism, and international narcotics traffickers.

Table 1: Sources for Country Risk Information
  Country Risks
  Political Economic Transfer Sovereign Default Bond Ceilings Bank Deposit Ceilings Business Environment General Country Risk
Control Risks Group Y              
OECD*     Y          
Fitch       Y Y      
Moody's       Y Y Y    
S&P       Y        
Business Monitor International Y Y         Y Y
Coface               Y
World Markets Research Centre Y Y         Y Y
Economist Intelligence Unit Y Y Y         Y
AM Best               Y
PRS International Country Risk Guide Y Y Y         Y
Selected Risk Descriptions
Political Government stability, socioeconomic conditions, conflict, ethnic tensions, democratic accountability
Economic Growth, inflation, budget balance, current account balance
Transfer Foreign debt/GDP, debt service/exports, current account/exports, exchange rate stability
Business Environment Infrastructure, corruption, bureaucracy, legal framework, property rights, tax regime, capital markets, investment rules
Source: FDIC. Developed as of April 2004 from recent publications and data suppliers.


11 The Information Technology Act of 2000 defines someone who commits hacking as "Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means..."

Last Updated 6/08/04

Skip Footer back to content