The Federal Deposit Insurance Corporation (FDIC) just reiterated its guidance on managing risks in technology service provider (TSP) relationships in a new Financial Institution Letter (FIL). The letter reminds financial institutions to be diligent in the negotiation and documentation of these critical relationships. Here’s what you need to know.
What happened
Financial institutions often contract with TSPs for services to the institution and its customers, the FDIC explained, frequently integrating the systems and processes of the service provider and the financial institution. “This integration can impact how financial institutions manage their own processes such as business continuity and incident response,” the FDIC said.
Back in 2012, the interagency Federal Financial Institutions Examination Council (FFIEC) issued its examination handbook on supervision of TSPs. The prudential regulators, including the FDIC, have statutory authority to supervise third-party servicers that enter into contractual arrangements with their regulated financial institutions.
FIL-19-2019, which supplements this and other earlier guidance on the topic, resulted from perceived gaps in contracts between financial institutions and TSPs that were revealed in examinations, prompting the agency to reinforce the steps that banks should take with their service providers.
Boards of directors and senior management are responsible for managing the risks related to relationships with technology service providers, and “effective contracts are a strong risk management tool,” the agency said.
However, despite long-standing FDIC guidance on managing risks from third-party service providers, the agency’s examiners found that financial institution contracts with TSPs often lack sufficient details regarding the rights and responsibilities of each party.
For example, some contracts do not establish recovery standards or define contractual remedies if the TSP misses a recovery standard; other contracts lack sufficient detail about the provider’s incident responsibilities such as notifying the financial institution, regulators or law enforcement.
Other problems include the lack of clearly defined key terms in contractual provisions relating to business continuity and incident response, the FDIC said, which can contribute to ambiguity in responsibilities and increase the risk that security incidents will impair financial institution operations or compromise customer information.
To remedy such problems, the FDIC advised financial institutions “to ensure that business continuity and incident response risks are adequately addressed in service provider contracts.” Long-term contracts and contracts that automatically renew may be at higher risk for coverage gaps, the regulator cautioned.
“When contracts leave gaps in business continuity and incident response, it is prudent for the financial institution to assess any resultant risks and implement compensating controls to mitigate them,” the FDIC explained. “For example, a financial institution may obtain supplementary business continuity documentation from the service provider, or modify the financial institution’s own business continuity plan to address contractual uncertainties.”
In FIL-19-2019, the FDIC refers banks both to the 2012 FFIEC handbook and the additional information pertaining to third-party outsourcing risk that is contained in FIL-44-2008, Guidance for Managing Third-Party Risk. The 2008 FIL urged financial institutions to perform risk assessments and adequate due diligence, have strong contract provisions and engage in ongoing monitoring.
The FDIC also reminded financial institutions that Section 7 of the Bank Service Company Act requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services (such as check and deposit sorting and posting, Internet banking or mobile banking services).
Why it matters
While the 2012 FFIEC handbook remains a core desk reference for supervision of TSPs, FIL-19-2019 provides an important reminder to financial institutions that the FDIC and other prudential regulators examine banks for compliance with the regulators' own guidance on third-party risk and look carefully at agreements with technology service providers. This includes, of course, the Office of the Comptroller of the Currency, whose general service provider guidance (found in OCC Bulletins 2013-29 and 2017-21) remains a key starting point for any vendor management compliance effort.
The FDIC’s new guidance makes clear, yet again, that where appropriate diligence is lacking or where contracts with TSPs are deficient, banks (and, specifically, boards of directors and senior management) remain responsible and are expected to properly assess the risks and implement appropriate mitigation controls. In light of the new FIL, now would be a good time for financial institutions to review their procedures and contracts for any of the problems highlighted by the FDIC and to make changes where necessary.