Recent FDIC examinations have revealed major contractual deficiencies in several banks’ contracts with technology service providers, the agency said on April 2. Often, these contracts are the most significant relationships and the largest financial contracts for smaller regional and community banks. In addition, these technology vendors often serve as the main point of contact between a bank and its customers, so a well-drafted contract is critical for the reputation of the bank.
As a result, the FDIC issued a financial institutions letter to highlight gaps discovered in banks’ contracts with technology service providers. The FDIC’s main concern stems from the fact that several banks failed to contract for clear rights and responsibilities regarding business continuity and incident response. The FDIC specifically notes that contracts with technology service providers should:
- Require the service provider to maintain a business continuity plan
- Establish recovery standards
- Define contractual remedies in the event that a technology service provider misses a recovery standard
- Detail the technology service provider’s security incident responsibilities (such as to notify the bank, regulators, or law enforcement)
- Define key terms relating to business continuity and incident response in order to avoid ambiguity in bank rights and service provider responsibilities
This is not a new initiative or focus of the FDIC or other financial regulators. In fact, the federal banking regulators, through the Federal Financial Institutions Examination Council, previously issued a Business Continuity Planning Booklet specifically dedicated to assisting financial institutions with the implementation and management of their business continuity processes.
The booklet, together with this latest FDIC letter, reaffirms the longstanding regulatory notion that a financial institution cannot discharge its responsibilities, which include managing its business continuity and incident response processes, by outsourcing activities to third-party service providers. Thus, banks, as part of their due diligence and ongoing monitoring, must ensure that business continuity and incident response risks are adequately addressed in service provider contracts. Adding the contractual provisions noted above forces financial institutions to identify and mitigate some of the inherent risks related to technology service provider contracts.
The FDIC letter also references prior sources of guidance that the industry may use to identify the regulatory expectations, including:
- Interagency Guidelines Establishing Information Security Standards (promulgated pursuant to the Gramm-Leach-Bliley Act to establish standards for safeguarding customer information)
- The FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008)
- The FFIEC IT Outsourcing Technology Services Booklet
- The FFIEC IT Information Security Booklet
- The Technical Assistance Video on Outsourcing Technology Services (FIL-19-2016)
- The Bank Technology Bulletin on Outsourcing (FIL-50-2001)
- The Bank Service Company Act (FIL-49-99)
The FDIC’s letter serves as a reminder to the industry that federal banking regulators will continue to scrutinize relationships with technology service providers. Even with the increased compliance burdens noted above, the latest fintech wave within the industry has proved that financial institutions find it worthwhile to enter into partnerships with technology service providers. Banks participating in this fintech wave should, at a minimum, establish a first line of defense against regulatory scrutiny by including effective protections in their technology service provider contracts.
Business continuity and incident response checklist for banks
- Is business continuity and data incident response planning a part of your compliance management system, and are there clear policies for compliance with these obligations?
- Do business continuity and data incident response matters constitute a portion of your bank’s risk assessments?
- Are qualified and knowledgeable individuals assigned to oversee the bank’s business continuity and data incident response programs?
- Has the bank discussed with its insurance provider its coverage for claims relating to data breaches occurring with one of the bank’s vendors?
- Are procedures in place for:
  - Updating business continuity and data breach plans?
  - Conducting diligence on third-party vendors regarding business continuity and data breach response?
  - Evaluating the risks posed by third-party vendor relationships to the bank, including a determination of appropriate financial penalties to the vendor, indemnification obligations and/or insurance requirements?
  - Conducting a business impact analysis, or BIA, for each vendor relationship, including an analysis of mechanisms to back up data for business continuity in the event of failure?
  - Developing a business resumption or fail-over mechanism for services provided through third-party vendors?
  - Including business continuity and data breach obligations in third-party vendor contracts?
  - Periodically testing, reviewing or auditing third-party vendors for compliance?
  - Documenting the four steps of the vendor management process: (1) assessment of needs and risks, (2) diligence, (3) contract structuring and review and (4) oversight?
- Has the bank developed clear minimum business continuity planning standards for its vendors and minimum data security standards for different classes of vendors? As part of this, has the bank developed minimum testing or third-party audit standards for vendors that it deems higher risk?
- Does the bank have a data breach incident response plan, developed in cooperation with its insurers and attorneys to satisfy customer notice obligations, remediation obligations (short- and long-term), and investigation requirements and root cause analysis?