Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks

Federal Deposit Insurance Corporation-June 2004

This study presents the FDIC's findings with regard to the associated risks of offshore outsourcing (also known as "offshoring") by financial institutions from a safety and soundness perspective and with particular emphasis on the threats posed to customer privacy.

Executive Summary and Recommendations

Offshore Outsourcing or "Offshoring," a New Twist on a Traditional Outsourcing Model

Traditional outsourcing to domestic third-party service providers or domestic affiliates has been done by financial institutions in the United States for many years. However, the use of offshore contractors has grown dramatically in the past few years due to the flexibility offered by new information technology (IT) and the prospect of lower costs. At the same time, consumers have become more concerned about privacy, and the abuse of personal data has increased as instances of fraud, such as identity theft, have become commonplace.

Offshoring Background

The rapid increase in offshoring by many U.S. financial institutions and their data vendors is due in large part to the potential cost savings that are achievable as low-wage labor pools are tapped in foreign countries. Deloitte Consulting, LLP estimates that financial institutions that offshore achieve average cost savings of 39 percent, with one in four institutions surveyed achieving savings of more than 50 percent. Typically, financial institutions offshore non-core job functions, such as IT (specifically, software development and maintenance), administration, human resources, contact centers, call centers, and telemarketing.

Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.

Offshoring Risks

Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:

Privacy Concerns Raised by Offshoring

Few legal restrictions exist on financial service companies sending customer data to foreign countries. Financial institution customers may not opt out of these information transfers to nonaffiliated service providers if the transfer is for a purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLBA). For example, the opportunity to opt out does not apply where the information transfer is to: (1) service or process a financial product or service that the customer requested or authorized; or (2) maintain or service the customer's account.

However, GLBA does provide important protections that cover both domestic and offshore outsourcing. GLBA establishes affirmative and continuing obligations for financial institutions to respect customer privacy and protect customer personal information against reasonably foreseeable internal or external threats to its security, confidentiality, and integrity. The Federal Banking Agencies have extended these obligations to include the monitoring of the activities of those service providers to which financial institutions transfer customer information.

Privacy risks vary by job type. For instance, relatively lower-risk activities include computer source-coding or application development and maintenance, whereas higher-risk activities include any function using personal data, such as call centers or transaction processing. At present, financial institutions are primarily offshoring low-risk IT work in addition to higher-risk, customer data-base type work, including mortgage servicing and customer-assistance/help-desk services.

Recommendations Arising from this Study
