Risk Assessments

 View Only
  • 1.  Foreign Contractors

    Posted 03-17-2022 09:53 AM
    In a recent discussion about Enterprise Risk Management a question was asked of us about how we identify Foreign Contractors. For our Critical and High Risk Vendors, how many have Foreign Contractors? Has anyone else run across this?
    I would love your feedback as to the definition of "foreign contractors'.


  • 2.  RE: Foreign Contractors

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2022 10:17 AM
    This message was posted by a user wishing to remain anonymous

    This is a great question.  

    FFIEC IT Examination Handbook InfoBase Appendix C: Foreign-Based Third-Party Service Providers states that the terms "foreign-based third-party service providers" or "foreign-based service provider" refer to any entity, including an affiliated organization or holding company, whose servicing operations are located in and subject to the laws of any country other than the United States, including service providers located outside the United States providing services to foreign branches of U.S. organizations. The term also includes the foreign operations, whether by subcontract or otherwise, of a domestic service provider.

    The company I work for has interpreted this as follows: 

    "The term "Foreign Provider" means any TPP that is formed or domiciled outside of the United States including its states and territories ("USA") or where the services provided are from offices outside the USA. Where the TPP is organized in the USA (e.g., incorporated in any state or territory) even though owned by a foreign organization, the TPP is not considered a Foreign Provider for this policy unless material portions of the services provided are from offices outside the USA."

    Where we identify the possibility of material portions of services performed outside the USA, we strive to strict the contracted services to domestic only.  Where we are unable to do so, foreign providers have additional assessment requirements and require board approval.  

    I hope you find this beneficial. 




  • 3.  RE: Foreign Contractors

    Posted 03-17-2022 11:21 AM
    That is extremely helpful- thank you so much for sharing.  It definitely fleshes out what I have been doing internally in terms of identifying foreign based third parties.

    The only piece I would add is thinking about contracting.  We have very strict requirements in place for contracting with a foreign based third party to ensure that we can mitigate any risks that might arise from jurisdictional conflict- want to ensure that the contract specifies applicable laws and venue that govern the relationship.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------