The FDIC has issued a new Financial Institution Letter (FIL) FIL-19-2019 . This FIL discusses examiner observations about gaps in financial institutions’ contracts with technology service providers that may require financial institutions to take additional steps to mitigate risks and manage their own business continuity and incident response.
In recent FDIC examinations, they noted the institution’s contracts with technology service providers lacked detail regarding the rights and responsibilities for business continuity and incident response. They noted some contracts did not require the provider to maintain business continuity plans or recovery standards or define the remedies if the provider doesn’t meet the recovery standards. Some did not identify the provider’s responsibility to notify the financial institution, regulators, or law enforcement.
The FDIC and other regulators will want to see that you have performed your due diligence, both before signing and during the contract term, to ensure that the provider has business continuity and incident response plans. Financial institutions should ensure their contracts give them rights to see the plans, and/or see any testing completed on the plans. If the service provider will not provide them, or they do not meet your standards, then you must mitigate your risk either through looking at different vendors or putting other controls in place to offset their shortcomings.
The FDIC also reminds depository institutions of their responsibility to notify their federal banking regulator of contracts or relationships with technology service providers that provide certain services. These providers include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services. This is required by Section 7 of the Bank Service Company Act (12 USC 1867). You should check with your regulator for help with how they recommend you comply with the notification requirements.
As always, please contact ABS if we can help you identify potential vendors or provide assistance with your vendor due diligence for your current vendors