Foreign-Based Third-Party Service Providers Guidance on Managing Risks in These Outsourcing Relationships
June 21, 2006
The FDIC has prepared the attached guidance to address the risks inherent in outsourcing relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance provides steps that institutions should take to successfully manage such risks.
Financial institutions that have outsourcing relationships with third-party service providers face reputational, operational/transactional, compliance and strategic risks.
When the third-party
service provider resides or performs contractual work outside of the
States, an additional element of risk – "country risk" – is introduced.
Financial institutions have the opportunity to enter into contractual arrangements with foreign-based third-party service providers with increasing frequency to handle such services as technology and data processing.
U.S.-based third-party service providers are subcontracting substantial portions of their work to entities located outside of the United States. Many financial institutions may be unaware of these subcontracting arrangements or not adequately monitoring these relationships.
Prior to selecting a third-party service provider, financial institutions should complete thorough due diligence.
The financial institution's
management should identify any undisclosed foreign-based
subcontracting arrangements prior to entering into a contract with a
third-party service provider.
Contracts with a
third-party service provider should be written to protect the financial
After the contract is signed, management should continually monitor the condition of the foreign-based third-party service provider and the country in which it is located.
FDIC-Supervised Banks (Commercial and Savings)
Board of Directors
Chief Executive Officer
Technology Outsourcing (see FIL-81-2000)