Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Federal Deposit Insurance Corporation, June 2004
This study presents the FDIC's findings with regard to the associated risks of offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective and with particular emphasis on the threats posed to customer privacy.
Executive Summary and Recommendations
Offshore Outsourcing or "Offshoring," a New Twist on a Traditional Outsourcing Model
Traditional outsourcing to domestic third-party service providers or domestic affiliates has been done by financial institutions in the United States for many years. However, the use of offshore contractors has grown dramatically in the past few years due to the flexibility offered by new information technology (IT) and the prospect of lower costs. At the same time, consumers have become more concerned about privacy, and the abuse of personal data has increased as instances of fraud, such as identity theft, have become commonplace.
The rapid increase in offshoring by many U.S. financial institutions and their data vendors is due in large part to the potential cost savings that are achievable as low-wage labor pools are tapped in foreign countries. Deloitte Consulting, LLP estimates that financial institutions that offshore achieve average cost savings of 39 percent, with one in four institutions surveyed achieving savings of more than 50 percent. Typically, financial institutions offshore non-core job functions, such as IT (specifically, software development and maintenance), administration, human resources, contact centers, call centers, and telemarketing.
Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.
Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:
- Country Risk: political, socio-economic, or other factors may amplify any of the traditional outsourcing risks, including those listed below.
- Operations/Transaction Risk: weak controls may affect customer privacy.
- Compliance Risk: offshore vendors may not have adequate privacy regulations.
- Strategic Risk: different country laws may not protect "trade secrets."
- Credit Risk: a vendor may not be able to fulfill its contract due to financial losses.
Privacy Risks Raised by Offshoring
Few legal restrictions exist on financial service companies sending customer data to foreign countries. Financial institution customers may not opt out of these information transfers to nonaffiliated service providers if the transfer is for a purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLBA). For example, the opportunity to opt out does not apply where the information transfer is to: (1) service or process a financial product or service that the customer requested or authorized; or (2) maintain or service the customer's account.
However, GLBA does provide important protections that cover both domestic and offshore outsourcing. GLBA establishes affirmative and continuing obligations for financial institutions to respect customer privacy and protect customer personal information against reasonably foreseeable internal or external threats to its security, confidentiality, and integrity. The Federal Banking Agencies have extended these obligations to include the monitoring of the activities of those service providers to which financial institutions transfer customer information.
Privacy risks vary by job type. For instance, relatively lower-risk activities include computer source-coding or application development and maintenance, whereas higher-risk activities include any function that uses personal data, such as call centers or transaction processing. At present, financial institutions are primarily offshoring low-risk IT work in addition to higher-risk, customer-database work, including mortgage servicing and customer-assistance/help-desk services.
Recommendations Arising from this Study
- Encourage Identification of Undisclosed Third-Party Contracting Arrangements:
Undisclosed third-party contracting arrangements may increase risk in outsourcing relationships. This potential increase in risk occurs regardless of whether the undisclosed third party resides domestically or offshore; however, inherent outsourcing risks may be amplified by unique country risk when the third party is an offshore vendor. Our recommendation is that financial institutions that outsource data to domestic vendors should be aware when those vendors have in turn subcontracted the same work to overseas or domestic third parties. This has not always been the case; the May 2004 edition of the American Bankers Association's Banking Journal discusses an instance where subcontracting to an offshore vendor occurred without the knowledge of the financial institution.1 It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations.2 Part of a standardized procedure should include:
- Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;
- Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;
- Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and
- Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.
- Consider Enhancing Bank Service Company Act (BSCA) Retention Procedures through Creation of a Central Database:
To assist in measuring and monitoring the systemic risk posed by foreign technology service providers, the Federal financial institution regulators should consider enhancing their BSCA retention procedures. Section 7(c)(2) of the BSCA states that any regulated financial institution that has services performed by a third party "shall notify such (appropriate Federal banking agency) of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first." Currently those notices are not aggregated in a central location. The agencies should conduct a cost/benefit analysis of establishing one shared, central repository of institution notices of outsourcing arrangements for use in analysis, monitoring, and tracking by the Federal Financial Institutions Examination Council.