Financial Institution Letter
FIL-52-2006
June 21, 2006
FOREIGN-BASED THIRD-PARTY SERVICE PROVIDERS
Guidance on Managing Risks in These Outsourcing Relationships
Summary: The FDIC has prepared the attached guidance to address the risks inherent in outsourcing
relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance
provides steps that institutions should take to successfully manage such risks.
Distribution:
FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing:
Board of Directors
Chief Executive Officer
Executive Officers
Related Topics:
Technology Outsourcing (see FIL-81-2000)
Attachment:
Guidance for Financial Institutions on the Use of
Foreign-Based Third-Party Service Providers
Contact:
Examination Specialist William H. Henley, Jr. at
(202) 898-6513
Note:
FDIC financial institution letters (FILs) may be
accessed from the FDIC's Web site at
www.fdic.gov/news/news/financial/2006/index.html.
To receive FILs electronically, please visit
http://www.fdic.gov/about/subscriptions/fil.html.
Paper copies of FDIC financial institution letters
may be obtained through the FDIC's Public
Information Center (1-877-275-3342 or 703-562-
2200).
Highlights:
• Financial institutions that have outsourcing relationships with
third-party service providers face reputational,
operational/transactional, compliance and strategic risks.
• When the third-party service provider resides or performs
contractual work outside of the United States, an additional
element of risk – “country risk” – is introduced.
• Financial institutions have the opportunity to enter into
contractual arrangements with foreign-based third-party
service providers with increasing frequency to handle such
services as technology and data processing.
• U.S.-based third-party service providers are subcontracting
substantial portions of their work to entities located outside of
the United States. Many financial institutions may be unaware
of these subcontracting arrangements or not adequately
monitoring these relationships.
• Prior to selecting a third-party service provider, financial
institutions should complete thorough due diligence.
• The financial institution’s management should identify any
undisclosed foreign-based subcontracting arrangements prior
to entering into a contract with a foreign-based third-party
service provider.
• Contracts with a third-party service provider should be written
to protect the financial institution’s interests.
• After the contract is signed, management should continually
monitor the condition of the foreign-based third-party service
provider and the country in which it is located.
Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990
FIL-52-2006
June 21, 2006
FOREIGN-BASED THIRD-PARTY SERVICE PROVIDERS
Guidance on Managing Risks in These Outsourcing Relationships
Summary: The FDIC has prepared the attached guidance to address the risks inherent in outsourcing
relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance
provides steps that institutions should take to successfully manage such risks.
Distribution:
FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing:
Board of Directors
Chief Executive Officer
Executive Officers
Related Topics:
Technology Outsourcing (see FIL-81-2000)
Attachment:
Guidance for Financial Institutions on the Use of
Foreign-Based Third-Party Service Providers
Contact:
Examination Specialist William H. Henley, Jr. at
(202) 898-6513
Note:
FDIC financial institution letters (FILs) may be
accessed from the FDIC's Web site at
www.fdic.gov/news/news/financial/2006/index.html.
To receive FILs electronically, please visit
http://www.fdic.gov/about/subscriptions/fil.html.
Paper copies of FDIC financial institution letters
may be obtained through the FDIC's Public
Information Center (1-877-275-3342 or 703-562-
2200).
Highlights:
• Financial institutions that have outsourcing relationships with
third-party service providers face reputational,
operational/transactional, compliance and strategic risks.
• When the third-party service provider resides or performs
contractual work outside of the United States, an additional
element of risk – “country risk” – is introduced.
• Financial institutions have the opportunity to enter into
contractual arrangements with foreign-based third-party
service providers with increasing frequency to handle such
services as technology and data processing.
• U.S.-based third-party service providers are subcontracting
substantial portions of their work to entities located outside of
the United States. Many financial institutions may be unaware
of these subcontracting arrangements or not adequately
monitoring these relationships.
• Prior to selecting a third-party service provider, financial
institutions should complete thorough due diligence.
• The financial institution’s management should identify any
undisclosed foreign-based subcontracting arrangements prior
to entering into a contract with a foreign-based third-party
service provider.
• Contracts with a third-party service provider should be written
to protect the financial institution’s interests.
• After the contract is signed, management should continually
monitor the condition of the foreign-based third-party service
provider and the country in which it is located.
Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990