This message was posted by a user wishing to remain anonymous
This is a great question.
FFIEC IT Examination Handbook InfoBase Appendix C: Foreign-Based Third-Party Service Providers states that the terms "foreign-based third-party service providers" or "foreign-based service provider" refer to any entity, including an affiliated organization or holding company, whose servicing operations are located in and subject to the laws of any country other than the United States, including service providers located outside the United States providing services to foreign branches of U.S. organizations. The term also includes the foreign operations, whether by subcontract or otherwise, of a domestic service provider.
The company I work for has interpreted this as follows:
"The term "Foreign Provider" means any TPP that is formed or domiciled outside of the United States including its states and territories ("USA") or where the services provided are from offices outside the USA. Where the TPP is organized in the USA (e.g., incorporated in any state or territory) even though owned by a foreign organization, the TPP is not considered a Foreign Provider for this policy unless material portions of the services provided are from offices outside the USA."
Where we identify the possibility of material portions of services performed outside the USA, we strive to strict the contracted services to domestic only. Where we are unable to do so, foreign providers have additional assessment requirements and require board approval.
I hope you find this beneficial.
Original Message:
Sent: 03-17-2022 09:52 AM
From: Margaret Lawhorne
Subject: Foreign Contractors
In a recent discussion about Enterprise Risk Management a question was asked of us about how we identify Foreign Contractors. For our Critical and High Risk Vendors, how many have Foreign Contractors? Has anyone else run across this?
I would love your feedback as to the definition of "foreign contractors'.