First and foremost I'd be asking what countries they outsource to. There are some pretty obvious definite nos - China, Russia, Cuba, Iran, North Korea, Syria, plus about 15 more the Treasury Department, Commerce Department, and State Department list embargoes against.
I would also affirm their own 3rd party assessment processes to ensure they themselves have performed a high level of Due Diligence on any of their 3rd party vendors/providers. Anything beyond that is where all of this is getting increasingly harder for all of us with 4th parties/Nth parties. Unless you're directly contracted with someone and have "right to audit" or "right to review" called out specifically in your contract with them, no one at that 4th/Nth party level to you has to participate at all in any requests you may have for questions to be answered or documents to be sent to you for review (Business Continuity Plans, Disaster Recovery Plans, any info on how they maintain security procedures and data privacy commitments, whether they access secure data from unsecured locations, etc.).
Another issue with offshore providers is there really aren't equivalents to a SOC report or ISO/NIST certifications that would be able to give you any assurance either because those are all US-based audits. Our contracts typically state that contracting out at all is not acceptable without prior approval of that 4th party by us. That is ultimately the best practice, however, you have to be prepared that somewhere someone is going to bypass that and you won't even know until you know.
So in summary, best practices are to be sure your contracts include your right to audit and that they cannot outsource any of your work without prior approval, and that you have done deep due diligence on them so you have the utmost confidence they are locking things down on their end to begin with - especially looking for some sort of third-party audit for confirmation whether it's a SOC report, ISO certification, NIST certification or something similar. In the end, if you tell them they need to find someone US-based that you approve of to outsource to, they'll do it if they want your business, even if it's just for your account.
Original Message:
Sent: 12-29-2022 04:50 PM
From: Anonymous Member
Subject: Off Shore Vendors
This message was posted by a user wishing to remain anonymous
We are looking for guidance on what other financial institutions do for due diligence when a Service Provider states they use an offshore vendor for part of their services. What questions do you ask? Do you ask for further due diligence? Do you allow the use of offshore vendors?
Thank you,