Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.
The banking industry has a list of Offshoring Risks that is in need of greater care and oversight.
Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:
Country Risk: political, socio-economic, or other factors may amplify any of the traditional outsourcing risks, including those listed below.
Operations/Transaction Risk: weak controls may affect customer privacy.
Compliance Risk: offshore vendors may not have adequate privacy regulations.
Strategic Risk: different country laws may not protect "trade secrets."
Credit Risk: a vendor may not be able to fulfill its contract due to financial losses.
It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations. Part of a standardized procedure should include:
- Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;
- Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;
- Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and
- Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.
We recommend that your CSO, CCO and General counsel revisit your last audit on high risk outsourced relationships such as customer data-base type work, including mortgage servicing and customer-assistance/help-desk services.