Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Offshoring Business Models and Risks
Offshoring Business Models
Captive Direct - In the captive-direct offshoring form, financial institutions use their own organizations in lower-cost, offshore locations, known as captive centers. Because captive centers require a sizeable up-front investment, only larger institutions have the necessary resources to use this form. In theory, captive-direct offshoring poses lesser risks to an organization than any of the other forms, because dedicated management from the parent company directly oversees the offshore operations. Companies such as ABN Amro, American Express, General Electric, JP Morgan Chase, Mellon Financial, Standard Chartered, and Citibank have wholly-owned captive centers in India and other countries.
Joint Venture - This form of offshoring occurs when domestic institutions partner with a foreign entity for shared control of foreign operations. In general, because control is shared with the foreign enterprise, this method of offshoring has higher risk potential than the wholly-owned, foreign, captive-direct form. Still, because of the ability to exercise control through majority ownership of the venture (or partial control with a 50 percent or less share of ownership), this form, in general, has less risk associated with it than the direct and indirect third-party contracting forms described below.
Direct Third Party - In the direct third-party form, institutions outsource operations to a third-party vendor located offshore. Institutions such as Bank of America, Deutsche Bank, and Merrill Lynch have established direct third-party arrangements with vendors in India. Because financial institutions have no ownership authority in this form, their controls over this working arrangement are limited to the contract terms agreed to with the third-party vendor, thereby making this form potentially more risky than either the captive or joint venture forms.
Indirect Third Party - The indirect third-party form of offshoring typically occurs when a domestic financial institution enters into a contract with a domestic data vendor, who then subcontracts out all or a part of the work to an offshore company. (Typical data vendor contracts often contain provisions that allow for subsequent subcontracting of work. See Appendix B.) As a result, data can be sent overseas at the discretion of the domestic third-party vendor without further notification to the domestic financial institution. This offshoring form has the highest associated risk and potential for breaches of privacy rules, because controls may not exist to preserve the integrity of customer and bank data.
Country Risk - Includes the political infrastructure, socio-economic conditions, and related issues pertaining to a particular country and how a change in any of these might affect the ability of an offshore third party to fulfill its contract obligations. This type of risk may also be influenced by the relationship between the U.S. and the host-country bank supervisor, and by the concern that the current relationship can change in the future.
Some specific areas with potential for offshore fraud were identified in the course of this study. It is worth noting that these examples of potential fraud could occur domestically as well as offshore. Still, institutions need to be aware of the heightened exposures that exist for these riskier activities. Beyond the risk of loss of data privacy, the risk of funds diversion exists because of the nature of the information being handled by subcontractors. Some examples, identified by data service providers we spoke with, include:
Staff compiling this study were also informed by one data vendor that a specific form of country risk exists in the case of foreign organized crime activities. These criminal elements reportedly have targeted foreign offshore enterprises in attempts to gain access to the data they process. Reportedly, one foreign organized crime group has attempted to buy existing call centers, set up their own call centers and tried to bribe workers to gain access to data and information.
Reputation Risk - Is the risk to earnings or capital arising from negative public opinion. This affects an institution's ability to establish new relationships or services or to continue servicing existing relationships. This risk is present in activities such as outsourcing and particularly in the offshore-outsourcing of work.
Operations/Transactional Risk - Includes the risk to earnings or capital that arises from problems with service or product delivery. The lack of an effective business resumption plan and appropriate contingency plans increases transaction risk.
Compliance Risk - Is the risk to earnings or capital that arises from violations of laws or regulations or nonconformance with internal policies or ethical standards. This risk exists when the activities of a third party are not consistent with the law, policies, or ethical standards of the financial institution. Also, the risk is exacerbated by an inadequate oversight and audit function.
Strategic Risk - Is the risk to earnings or capital that may arise from adverse business decisions or improper implementation. The use of a third party to perform banking functions or to offer products or services that do not help the financial institution achieve corporate strategic goals and provide an adequate return on investment exposes the financial institution to strategic risk.
Credit Risk - Is the risk to earnings or capital that arises from the obligor's failure to meet the terms of any contract with the financial institution or to otherwise perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Appropriate monitoring by the financial institution of the third party's activity is necessary to ensure that credit risk is understood and remains within board-approved limits.
Consumer Privacy and Other Operational Risks Will Vary By Institution, Business Model, and Type of Function That Is Offshored
Specific risk exposures may include problems related to inadequate contractual provisions governing control, security, and audit responsibilities. Various employee-risk issues differ significantly in different offshore arrangements. For instance, background checks of employees involving credit-bureau information, criminal records, or even drug testing results are standard requirements in the United States. The ability to obtain the same types of reviews in many other countries is questionable.
Financial institutions may also have intrinsic characteristics that mitigate risk. Some institutions may have previous experience working in a particular country. Multinational financial institutions may already have offices in the country where offshoring takes place, providing better access to legal, operational, and managerial expertise. Also, the location of sensitive data affects an institution's risk exposure. Data that is physically located at a U.S. facility, even if it is accessed by overseas vendors, may provide greater control over security.
As illustrated in Chart 3, the principal offshoring business models carry varying amounts of risk.
Chart 3: Forms of Offshoring and Their Associated Risks
Also, privacy risks vary by job type. For instance, relatively lower-risk activities include computer source-coding or application development and maintenance; whereas higher-risk activities include any function using personal data, such as call centers or transaction processing.[7] At present, financial institutions offshore IT work in addition to higher-risk, customer data-based work, including mortgage servicing and customer-assistance/help-desk services.
Protections for Customer Information Sent Offshore
However, GLBA does provide important protections that cover both domestic and offshore outsourcing. GLBA establishes affirmative and continuing obligations for financial institutions to respect customer privacy and protect customer personal information against reasonably foreseeable internal or external threats to its security, confidentiality, and integrity. The Federal Banking Agencies (FBAs) have extended these obligations to include the monitoring of the activities of those service providers to which financial institutions transfer customer information.
§ 501(a): It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
§ 501(b): In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards.
The FBAs issued identical Guidelines pursuant to § 501(b). Those Guidelines provide that each financial institution shall: (1) exercise appropriate due diligence in selecting service providers; (2) require them by contract to implement appropriate measures designed to meet the objectives of the Guidelines; and (3) where indicated based upon the institution's risk assessment, monitor the service providers to confirm that they implement the procedures required by the Guidelines. 12 CFR 364.101, App. B ¶ III.D.
Responsibilities of Directors and Officers
[7] Even relatively lower-risk activities such as source-coding or software development may pose operations risks and threats to privacy of data should offshore contract programmers operate with malicious intent.