P2.T7.811. The risks that arise from outsourcing to third-party service providers

Nicole Seaman

Chief Admin Officer
Staff member
Learning objectives: Explain how risks can arise through outsourcing activities to third-party service providers, and describe elements of an effective program to manage outsourcing risk. Explain how financial institutions should perform due diligence on third-party service providers. Describe topics and provisions that should be addressed in a contract with a third-party service provider.


811.1. According to the Guidance on Managing Outsourcing Risk (by the Board of Governors of the Federal Reserve System), with respect to a third-party service provider arrangement, the overall due diligence process by a financial institution should at least include a review of each of the following EXCEPT which is not essential?

a. Ensure service provider has an appropriate background check program for its employees
b. Financial review of service provider's most recent annual report and financial statements
c. Evaluate the service provider's performance along environmental, social, and governance (ESG) factors
d. Evaluate the adequacy of standards, policies and procedures including adherence to applicable laws, regulations and supervisory guidance

811.2. Cityace Bank is a financial institution that is outsourcing a vital customer-facing function to a third-party service provider. Cityace wants to follow the Board's Guidance on Managing Outsourcing Risk, and if it does indeed follow the Board's guidance, then each of the following is true EXCEPT which is not true?

a. Cityace should avoid outsourcing risk management activities, especially interest rate risk and model risk because these are core competencies
b. If the service provider is foreign-based, Cityace should ensure the provider is in compliance with applicable U.S. laws, regulations and regulatory guidance
c. Cityace should ensure an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts
d. Cityace should consider especially the following risks in outsourcing: compliance risks, concentration risks, reputational risks, country risks, operational risks and legal risks

811.3. Planetholding International Bank is entering a contract with its third-party service provider, Tristechnology Inc, to outsource the management of its website. Each of the following is a likely contract provision EXCEPT which is unlikely to be a contract provision?

a. Confidentiality and security of information
b. Business resumption and contingency plan
c. Scope of service (including reference to service level agreement and ability to subcontract)
d. Loss waterfall allocation mechanism (including sufficient credit value adjustment for website downtime)

Answers here: