Appendix C: Foreign-Based Third-Party Service Providers
The material provided in this appendix focuses on foreign-based third-party service providers and should be used, in addition to all other material in this booklet, when examining such relationships. This appendix discusses the primary risks that may arise from service relationships between financial institutions and foreign-based third parties, the steps institutions should consider when managing those risks, and the implications of the relationships within the context of the examination process.
The terms "foreign-based third-party service provider" and "foreign-based service provider" refer to any entity, including an affiliated organization or holding company, whose servicing operations are located in and subject to the laws of any country other than the United States, including service providers located outside the United States that provide services to foreign branches of U.S. organizations. The term also includes the foreign operations, whether by subcontract or otherwise, of a domestic service provider.
Organizations often use domestic third-party service providers as an economic alternative to internal technology and data processing functions. Increasingly, these organizations are considering arrangements with foreign-based third parties or domestic firms that subcontract portions of their operations to foreign-based entities.
The use of foreign-based service providers is a common business practice that can be a less costly alternative to self-processing or to using domestic service providers. However, this practice raises country, compliance, contractual, reputation, operational (e.g., transactional), and strategic issues in addition to those presented by use of a domestic service provider. In managing these issues, management should conduct appropriate risk assessments and due diligence procedures and closely evaluate all contracts. Additionally, management should establish ongoing monitoring and oversight procedures.
A financial institution's senior managers are responsible for understanding the risks associated with foreign-based relationships and for ensuring that effective risk management practices are in place. Management should determine whether a foreign-based technology relationship is consistent with the organization's overall business and technology strategies and whether it can adequately mitigate the identified risks. Before management executes a contract with a foreign-based entity, it should consider issues such as choice-of-law and jurisdictional considerations. Additionally, organizations should establish appropriate due diligence and risk management policies that include oversight and monitoring procedures. These policies and procedures should recognize that all of the risks associated with domestic third-party providers are also present in foreign-based arrangements, in addition to unique issues, such as country and compliance risks, that arise because the third parties may not fall under the jurisdiction of domestic laws and regulations.
Country risk is an exposure to economic, social, and political conditions in a foreign country that could adversely affect a vendor's ability to meet its service level requirements. In certain situations, country risks could result in the loss of an organization's data, research, or development efforts. Managing country risk requires organizations to gather and assess information regarding foreign political, social, and economic conditions and events, and to address the exposures introduced by the relationship with a foreign-based provider. Risk management procedures should include the establishment of contingency, service continuity, and exit strategies in the event of unexpected disruptions in service.
Compliance risk involves the impact foreign-based arrangements could have on an organization's compliance with applicable U.S. and foreign laws and regulations. An organization's use of a foreign-based third-party service provider should not inhibit the organization's compliance with applicable U.S. laws, including consumer protection, privacy (Section 501(b) of the Gramm-Leach-Bliley Act, 15 USC 6801), and information security laws, as well as Bank Secrecy Act requirements concerning the reporting and documentation of financial transactions. In this regard, organizations using foreign-based service providers should be aware of Section 319 of the USA PATRIOT Act, Pub. L. No. 107-56 (Oct. 26, 2001), which requires a financial institution to make information on anti-money laundering compliance by the institution or its customers available within 120 hours of a government request.
Additionally, organizations should consider the impact and operational requirements of foreign data privacy laws or regulatory requirements. Organizations should identify and understand the application of any laws within a foreign jurisdiction that apply to information transferred from the United States to that jurisdiction (over the Internet or otherwise), to information transferred from that jurisdiction to the United States, and to information collected within the foreign jurisdiction using automated or other equipment located there.
Organizations engaging foreign-based entities should also consider the sanctions and embargo provisions of the U.S. Treasury Office of Foreign Assets Control (OFAC), as well as the requirements regarding exportation of encryption-related technologies discussed in the following paragraph. OFAC administers and enforces economic and trade sanctions against certain foreign countries, organizations sponsoring terrorism, and international narcotics traffickers, based on U.S. foreign policy and national security goals. For more information, refer to the OFAC Web site at www.treas.gov/ofac.
The United States has export control laws that restrict the export of software and other items (U.S. Export Administration Regulations). These laws apply to all aspects of encryption usage, including but not limited to software, hardware, and network applications. Export controls on commercial encryption products are administered by the Bureau of Industry and Security, part of the Department of Commerce; the regulations regarding encryption are contained in 15 CFR §§ 740.13, 740.17, and 742.15 (see www.bis.doc.gov). Organizations may be exporters if they provide encryption software to a foreign-based service provider, although some exceptions are available that apply to foreign national employees, including contractors and consultants, of U.S. companies and their subsidiaries inside and outside the United States. Organizations should ensure that they and their service provider(s) comply with these laws, and contracts should include a representation and warranty that service providers will comply with U.S. export control laws.
Management of an organization considering a foreign-based outsourcing arrangement should perform due diligence similar to that for domestic outsourcing arrangements before selecting or contracting with a service provider. The process should include an evaluation of the firm's financial stability and commitment to service, and of the potential impact of the foreign jurisdiction's regulations, laws, accounting standards, and business practices. Additionally, management should consider the degree to which geographic distance, language, or social, economic, or political changes may affect the foreign-based service provider's ability to meet the organization's servicing needs, as well as the cost and logistical implications of a cross-border relationship, including the ongoing cost of managing and monitoring the foreign-based provider.
Contracts between an organization and a foreign-based entity should address the risks identified during risk assessments and due diligence processes. Specific topics that should be considered regarding such contracts are discussed in the following paragraphs.
Security, Confidentiality and Ownership of Data
Management should require contract provisions to protect its customers' privacy and the confidentiality of organizational records in conformance with U.S. laws and regulations. Federal regulations require that service provider contracts include provisions requiring the service provider to implement procedures and security measures that meet the objectives of the customer information security guidelines (12 CFR part 364, Appendix B, III.D.2 for banks; 12 CFR part 570, Appendix B, III(d)(2) for thrifts). Additionally, contracts should include provisions prohibiting the disclosure of any customer information to nonaffiliated third parties, other than as permitted under U.S. privacy laws (12 CFR part 332 for banks; 12 CFR part 573 for thrifts).
Any agreement with a foreign-based service provider should also include a provision that all information transferred to the foreign-based entity remains the property of the organization, regardless of how it is processed, stored, copied, or reproduced.
Arrangements with foreign-based service providers should contain a provision acknowledging the authority of U.S. regulatory authorities (the FFIEC member agencies issuing this booklet), pursuant to the Bank Service Company Act or the Home Owners' Loan Act, to examine the services performed by the provider (12 USC 1867(c)(1) for banks; 12 USC 1464(d)(7) for thrifts). In addition, organizations should notify their primary regulatory authority of a service relationship with a foreign-based service provider in accordance with regulations and guidance issued by that regulator. Financial institutions must not share U.S. regulatory examination reports, or information contained therein, with either foreign regulators or foreign-based service providers without the express written approval of the appropriate U.S. regulatory authority.
Choice Of Law
Before entering into an agreement or contract with a foreign-based vendor or developer, an organization should carefully consider which country's law it wishes to control the relationship. Based on that review, organizations should include choice of law and jurisdictional covenants that provide for the resolution of disputes between the parties under the laws of a specific jurisdiction.
These provisions are necessary to maintain continuity of service, access to data, and protection of customer information. For these reasons, it can be particularly important when dealing with foreign service providers to specify exactly which country's laws will control the contractual relationship between the parties. Even so, contract provisions may be subject to foreign-court interpretations of local laws: the laws of the foreign country may not recognize choice-of-law provisions and may differ from U.S. law in what they require of organizations or in how they protect bank customers. Thus, an organization's due diligence should include analysis of the country's local laws by legal counsel competent to assess the enforceability of all aspects of the contract.
MONITORING AND OVERSIGHT
Monitoring foreign entities requires the same steps as monitoring domestic servicers and vendors in addition to the recommendations presented within this appendix. When organizations establish a servicing arrangement with a foreign-based service provider, management should monitor both the entity and the conditions within the foreign country.
The organization should determine that the foreign-based service provider maintains adequate physical and data security controls, transaction procedures, business resumption and IT contingency arrangements (including periodic testing), insurance coverage, and compliance with applicable laws and regulations. Further, where indicated by the organization's security risk assessment, the organization must monitor its foreign-based service providers to confirm that they have satisfied security obligations imposed in the contract to comply with Section 501(b) of GLBA.
Organizations also should monitor economic and governmental conditions within the foreign country to determine whether changes are likely to affect the ability of the service provider to perform under the arrangement.
REGULATORY AGENCY ACCESS TO INFORMATION
U.S. regulatory authorities must have the ability to examine the services performed by an organization's third-party service provider regardless of whether it is foreign or domestically based. Organizations must maintain, in the files of a U.S. office, appropriate English-language documentation to support all arrangements with service providers. Appropriate documentation typically includes a copy of the contract establishing the arrangement, supporting legal opinions, due diligence reports, audits, financial statements, performance reports, and other critical information. Where a financial institution's foreign branches have outsourced local operations or services cross-border to third-party service providers domiciled in another foreign country, copies of such records can be maintained at the foreign branch office but must also be available in the U.S. In addition, the organization should have an appropriate contingency plan to ensure continued access to critical information, maintain service continuity, and resume business functions in the event of unexpected disruptions or restrictions in service resulting from transaction, financial, or country risk developments.
U.S. regulatory authorities may examine the services performed for an organization under an outsourcing arrangement with a foreign-based service provider. Likewise, in the case of a foreign-regulated entity, U.S. regulatory authorities may be able to obtain information through the appropriate supervisory agency in the service provider's home country.
With respect to the outsourcing organization in such arrangements, U.S. regulatory authorities will focus reviews on the adequacy of an organization's due diligence efforts, its risk assessments, and the steps taken to manage those risks including the effect of the arrangement upon the organization's compliance with applicable laws and its access to critical information. Regulatory reviews will assess the organization's contract provisions and its ongoing monitoring or oversight program, including any internal and external audits arranged by the foreign-based service provider or the organization.
An organization's use of a foreign-based third-party service provider (and the location of critical data and processes outside of U.S. territory) must not compromise the ability of U.S. regulatory authorities to effectively examine the organization. Thus, organizations should not establish servicing arrangements with entities where local laws or regulations would interfere with U.S. regulatory agencies' full and complete access to data or other relevant information. Any analysis of foreign laws obtained from counsel should include a discussion regarding regulatory access to information for supervisory purposes.