Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Appendix C—Outsourcing/Offshoring Risks
The following is a summary of risks related to outsourcing. Of the eight risk types identified below, only the first, country risk, pertains uniquely to work outsourced to another country. All the rest pertain equally to any outsourced work, whether or not the work is performed domestically.12
Assets might be confiscated by one or more governments.
Confiscatory tax rates or assessments could be imposed.
Employee risk-related issues.
Background checks, etc.
Risks to earnings or capital could arise from negative public opinion.
Arises from poor service, disruption of service, or violations of consumer law.
Occurs when third-party interaction with bank customers is not consistent with the bank's policies or standards.
Occurs when there is negative publicity about adverse events involving the bank.
Risks to earnings or capital arise from problems with service or product delivery. The lack of an effective business resumption plan and appropriate contingency plans increases transaction risk.
Occurs when products, services, delivery channels, and processes do not fit with the bank's systems, customer demands, or strategic objectives.
Weak control over technology used in the third-party arrangement may result in threats to security and the integrity of systems and resources.
Can be the result of fraud or error by the third party.
Arises from inadequate capacity, technology failure, or lack of effective business resumption and contingency planning by the third party.
Possible risks include liquidity, interest rate, price, and foreign currency transaction risk.
Loss of trade secrets is possible when an outsource company also does work with competitors.
Risk to earnings or capital arises from violations of laws or regulations or nonconformance with internal policies or ethical standards. This risk exists when the activities of a third party are not consistent with law, policies, or ethical standards of the financial institution and the financial institution's country. This risk is exacerbated by an inadequate oversight and audit function.
Offshore vendors do not have the same privacy regulations as those that exist in the United States.
Can be due to improper review of products, services, or systems with respect to consumer law or other regulatory compliance matters.
Can occur if the bank's oversight program fails to include appropriate audit and control features.
Can occur if the vendor fails to adequately protect the privacy of nonpublic customer information.
This is a risk to earnings or capital arising from adverse business decisions or improper implementation. The financial institution is also exposed to strategic risk when it uses a third party to perform banking functions or to offer products or services that do not help the financial institution achieve corporate strategic goals and provide an adequate return on investment.
Occurs when banking functions or products or services are offered that are not compatible with the bank's strategic goals.
Can occur when third-party relationships are used without fully performing due diligence reviews.
Can occur when risk management's scope or depth is not commensurate with the activity.
Can occur when the bank does not possess adequate expertise to oversee the third party.
Financial institutions face the potential for loss of trade secrets if poor controls exist when a vendor performs work for competitors in the same outsource location.
This is a risk to earnings or capital that arises from the obligor's failure to meet the terms of any contract with the bank or to otherwise perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Appropriate monitoring of the activity of the third party is necessary to ensure that credit risk is understood and remains within board-approved limits.
Receivables quality declines as the third party performs inadequate account management, customer service, or collection activity.
Can occur when there is improper oversight of third parties who solicit and refer customers, conduct underwriting analysis, or set up other credit-related product programs.
Can occur when there is inadequate financial capacity by a third party to fulfill its contract with the bank.
Infrastructure (fragile, technical infrastructures that may be inordinately susceptible to physical disruptions).