May 15, 2002
OCC Issues Risk Management Guidance for Banks that Use Foreign-Based Third-Party Service Providers
WASHINGTON — The Office of the Comptroller of the Currency today issued guidance to national banks that use third-party service providers based in foreign countries.
The OCC recognizes that, although national banks generally use domestic third-party service providers, the increasing globalization and cross-border linkages of the financial services industry may lead some banks to establish outsourcing relationships with foreign-based service providers for processing information and transactions on behalf of both domestic and international customers. The use of foreign-based third-party service providers is generally permissible and may be a cost-effective way for some national banks to address their information and transaction processing needs.
Today's guidance outlines risk management principles to facilitate sound use of foreign-based providers and to ensure that national banks manage these relationships in a safe and sound manner. It also addresses the need for a national bank to establish such relationships in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank's operations.
The board of directors and senior management are responsible for understanding the special risks associated with the bank's outsourcing relationships with foreign-based service providers and ensuring that effective risk management practices are in place. A first step is a risk assessment and due diligence process undertaken before a national bank enters into a contract with a foreign-based service provider. Without an effective risk assessment process, outsourcing to foreign-based service providers may be inconsistent with the bank's strategic plans, may introduce unforeseen risks that are difficult to manage, or may be too costly.
A foreign-based service provider also exposes a national bank to country risk, which takes into account the possibility that economic, social and political conditions and events in a foreign country might adversely affect the bank's interests. Country risk assessment requires close monitoring of political, social, economic and legal conditions in the foreign country. Contingency plans and exit strategies also should be part of the assessment.
Due diligence should cover the special compliance risks that may be presented by foreign-based service providers. The use of a foreign service provider must not inhibit a national bank's ability to comply with all U.S. laws and regulations. For example, customer privacy and the confidentiality of bank records should be addressed in contracts with a foreign service provider in a way that takes into account U.S. law and the legal and regulatory requirements of a foreign country.
Contracts with foreign-based service providers also present special considerations. For example, national banks should consider the resolution of disputes when entering contracts with foreign service providers. Choice of law and jurisdictional covenants should be included in contracts to help assure continuity of service, data access and protection of nonpublic customer information. Moreover, a bank's due diligence process also should contain a legal review on the enforceability of all aspects of a contract with a foreign service provider.
Finally, national banks must ensure that critical data or other information related to services provided by a foreign-based third-party service provider be readily available at the bank's U.S. office(s). Additionally, a national bank's use of a foreign-based third-party service provider and the location of critical data and processes outside U.S. territory must not compromise the OCC's ability to examine the bank's operations.
Today's guidance supplements OCC Bulletin 2001-47 (November 1, 2001) on risk management of third-party service providers in general. Many of the same risk management measures outlined in today's guidance, such as due diligence, contract oversight and risk assessment, were contained in the November 2001 Bulletin. However, today's guidance addresses the special risks presented by foreign-based service providers.