Due Diligence and Ongoing Monitoring

  • 1.  Offshore Vendor Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 12-30-2022 04:57 PM

    Good afternoon.  We are a financial institution and I am curious what others are doing in regards to due diligence when a Service Provider notes that they use an Offshore Vendor.  We currently ask where the offshore vendor is located, what services they supply to the Service Provider, and whether they will have access to, process, or store our company's information or our consumers' information.
    • Do you allow your Service Providers to use Offshore Vendors?
    • What other questions might we ask?

    We do have contractual language that makes the Service Provider still responsible for the services, as if they were the ones providing the service.  As we all know, it would be hard to go after the Offshore Vendor themselves.

    Thank you for any feedback and hope you all have a happy New Year.


  • 2.  RE: Offshore Vendor Due Diligence

    Posted 01-04-2023 10:34 AM
    In my experience, for most vendor relationships you might want to control who that vendor uses as subcontractors and where those services are performed, but you often lack the ability (negotiating strength) to require that level of involvement.  I look at relationships case by case; if the services are important enough, the risk is sufficient, and I think we have a chance, based on the nature of the relationship, to require it, I'll look to insert a contractual requirement.

    For the majority of relationships, however, I personally don't usually require subservice providers to be located in the US.  I think focusing on the due diligence and understanding very clearly how any NPPI or PHI is handled and secured is more effective and gives our partners the ability to find creative and cost-efficient solutions.  In contracting I would focus on due diligence requirements and ensuring that any subcontractors meet appropriate due diligence in the selection process as well as on an ongoing basis.  If you decide to go the route of requiring all services to be handled within the US or another specific jurisdiction(s), I would include that in your RFP; you don't want to get too far down the road with a vendor only to discover that they have offshored some services and therefore don't meet your requirements.

    There is another thread on offshore service providers that includes some more specifics on this topic.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------