OCC Bulletin 2002-16

The bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank’s operations.

“As with domestic outsourcing arrangements, the board of directors and senior management are responsible for understanding the risks associated with the bank’s outsourcing relationships with foreign-based service providers and ensuring that effective risk management practices are in place.”

“Specifically, before a national bank contracts for the services of a foreign-based service provider, it should properly assess the associated risks and exercise appropriate due diligence, including careful consideration of contract matters and choice of law and forum provisions. Additionally, the bank should have in place sufficient risk management policies, performance monitoring and oversight processes, expertise, and access to critical information to enable it to properly oversee the risks of the outsourcing relationship, including country and compliance risks.”