Consumers who call a bank or other financial company for help might not realize their call is being answered by someone who isn't actually an employee of that company. In fact, that is more often than not the case these days as financial companies move to outsource their telephone call centers and other services.
The risks for the companies are significant, according to a new document, "Guidance on Managing Outsourcing Risk," recently published by the Federal Reserve to help banks follow the rules.
The risks include:
- Compliance risks, which occur when an outsourcing company violates U.S. laws and regulations.
- Concentration risks, which arise when outsourcing is concentrated in limited geographic locations.
- Reputation risks, which crop up when a service provider's actions create a negative public opinion of the financial institution.
- Country risks, which involve economic, social and political conditions and events in the country where the service provider is located.
- Operational risks, which occur when a service provider's systems fail or human errors are made.
- Legal risks, which arise when a service provider exposes a financial institution to extraordinary legal costs or consumer lawsuits.
"If not managed effectively, the use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation and loss of reputation," the report states.
Outsourcing doesn't alleviate the financial companies' responsibilities to be aware of and mitigate risks through risk management programs that include risk assessments, due diligence and care in the selection of service providers, appropriate contract provisions and considerations, review of providers' incentive compensation plans, oversight and monitoring of service providers, and business continuity and contingency plans.
One area of particular concern for consumers should be data privacy. The report says service providers should ensure the security and confidentiality of both the financial institution's confidential information and its customers' information. But financial companies must still implement appropriate measures to make sure activities are properly performed.
"Information security measures for outsourced functions should be viewed as if the activity was being performed by the financial institution and afforded the same protections," the report said. "Service agreements should also address service provider use of financial institution information and its customer information. Information made available to the service provider should be limited to what is needed to provide the contracted services."
Are you concerned about privacy risks of outsourced banking services?
Follow me on Twitter: @marciegeff.