Financial Services Industry Outsourcing and Enforcement of Privacy Laws Page: 4 of 6
The following text was automatically extracted from the image on this page using optical character recognition software:
third-party relationships or on outsourcing, particularly outsourcing technology.15
Generally, these guidelines require adequate due diligence and risk management
assessment, as well as contractual provisions, to assure that service providers are capable
of, take steps to, and actually implement safeguards to protect customer information.16
Examiners of depository institutions are required to evaluate the measures taken by the
institutions to oversee service providers.17
Is A Financial Institution Liable for Breaches of Security by Service
Providers? Any financial institution that is subject to a state or federal statutory duty
of maintaining confidentiality of customer information may not avoid that responsibility
by contracting out or otherwise shifting the operation to another entity. Not only does
GLBA18 require that any contractual or joint venture agreement with a third-party service
provider cover the confidentiality of nonpublic personal customer information, but the
actions of the contractor will be attributed to the financial institution under the law of
What Regulatory Tools Are Available To Monitor Service Providers?
There is a range of regulatory, criminal, and private enforcement options available
depending upon the particular situation. All third-party service providers of federally
regulated depository institutions may be examined by the appropriate federal banking
agencies,19 even in foreign countries.20 Federal regulators may police privacy
15 Id. The FFIEC Website assembles some of the guidelines applicable to depository institutions
by regulatory agency.
16 See, e.g., FRB, SR 00-4(SUP), "Outsourcing of Information and Transaction Processing" (Feb.
29, 2000). Among other things, such contracts must provide for compliance with regulatory
requirements and for access by federal regulators. OCC Bulletin OCC 2002-16 (May 15, 2002),
addresses "Bank Use of Foreign-Based Third-Party Service Providers." It requires that the
contract "state that all information shared by the bank with a foreign-based third-party service
provider, regardless of how the service provider processes, stores, copies, or otherwise
reproduces it, remains solely the property of the bank." Id., at 4. It provides that "[a] bank's use
of a foreign-based service provider must not inhibit its ability to comply with all applicable U.S.
law and regulations. These include requirements concerning accessibility and retention of
records ... and other U.S. consumer protection laws and regulations." Id., at 3. The guidance
suggests contract provisions protecting customer privacy and requires a provision authorizing
OCC examination of the third-party service provider. It also mandates provisions prohibiting the
redisclosure of bank data or information, compliance with OCC privacy regulations, and
implementation of security measures to maintain confidentiality.
17 "Examination Procedures to Evaluate Compliance With the Guidelines to Safeguard Customer
18 15 U.S.C. 6802(2).
19 12 U.S.C. 1867(c).
20 OTS requires 30-day advance notice from thrifts contemplating third-party service
arrangements with foreign service providers and requires them to include in any contract a
provision that the services are subject to OTS examination. Thrift Bulletin TB 82, at 5 (March
18, 2003). The OCC guidance has a similar requirement. OCC Bulletin OCC 2002-16, at 5-7.
It states that "a national bank should not outsource any of its information or transaction
processing to third-party service providers that are located in jurisdictions where the OCC's full
and complete access to data or other information may be impeded by legal, regulatory, or
Financial Services Industry Outsourcing and Enforcement of Privacy Laws, report, June 9, 2004; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc815780/m1/4/: accessed May 21, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.