Tuesday, February 28, 2017

Report reveals banks' need to bolster risk-management practices for technology vendors

By Thomas G. Wolfe, J.D.

The Federal Deposit Insurance Corporation’s Office of Inspector General has issued a report evaluating “Technology Service Provider Contracts with FDIC-Supervised Institutions.” While the Inspector General generally commends the FDIC’s efforts during the past two years to provide financial institutions with guidance on “comprehensive business continuity, cybersecurity, and vendor management,” the February 2017 report (Report No. EVAL-17-004) recommends that the FDIC continue to communicate to supervised financial institutions the importance of bolstering risk-management practices for their contracts with third-party technology service providers (TSPs). To help the FDIC focus its supervised institutions on the provisions and terms of those TSP contracts, the IG also recommends that the FDIC’s Division of Risk Management Supervision study and assess the extent to which the financial institutions have effectively addressed these issues.

In two prior evaluations, the IG determined that “greater scrutiny” of the sufficiency of TSP contracts with FDIC-supervised institutions was warranted. The stated objective of the latest evaluation was to “assess how clearly FDIC-supervised institutions’ contracts with TSPs address the TSP’s responsibilities related to (1) business continuity planning and (2) responding to and reporting on cybersecurity incidents.”

Findings. According to the report, the supervised financial institutions’ contracts with TSPs did not clearly address TSP responsibilities and “lacked specific contract provisions to protect FI interests or preserve FI rights” (“FI” being the report’s shorthand for financial institution). Moreover, the IG found that the pertinent contracts “did not sufficiently define key terminology related to business continuity and incident response.” Consequently, the contracts gave financial institutions only “limited information and assurance” that TSPs could “recover and resume critical systems, services, and operations timely and effectively if disrupted,” or that TSPs “would take appropriate steps to contain and control incidents and report them timely to appropriate parties.”

Recommendations. The IG’s report recommends that the FDIC’s Division of Risk Management Supervision continue to stress to the supervised financial institutions the importance of: “(1) fully considering and assessing the risks that TSPs present; (2) ensuring that contracts with TSPs include specific detailed provisions that address FI-identified risks and protect FI interests; and (3) clearly defining key contract terms that would be important in understanding FI and TSP rights and responsibilities.” In addition, the report recommends that, “at an appropriate time,” the FDIC division evaluate the supervised financial institutions’ progress on effectively addressing these issues.

FDIC response. According to the report, the FDIC concurred with the IG’s recommendations and agreed to complete its responsive actions by October 2018.

For more information about Inspector General reports about federal financial regulators, subscribe to the Banking and Finance Law Daily.