During the early stages of the Heartbleed panic, financial institutions and their customers were justly concerned about the exposure of their e-banking systems. It now appears that the nation’s largest banks, and most regional banks, face little direct risk, while many community banks are still working with their technology vendors to determine whether their core platforms run an affected version of the OpenSSL cryptography library (Heartbleed is a flaw in OpenSSL’s TLS heartbeat extension, not in the TLS protocol itself, so the question for each bank is which software its vendors actually deployed). On the same day Heartbleed was publicly announced, April 7, the FDIC re-issued its guidance “Technology Outsourcing: Informational Tools for Community Banks.”
The FDIC’s April 7 Financial Institution Letter is presented as an information resource for community bankers and their outsourcing teams. It has three parts: guidance on selecting technology service providers, tools for managing technology vendors’ performance risk, and techniques for managing multiple technology service providers.
The first of the three, titled “Effective Practices for Selecting a Service Provider,” covers in broad terms best practices for engaging quality providers, including the RFP process, evaluation and selection, and the drafting of a final vendor contract. The second FDIC guidance document is “Tools to Manage Technology Provider’s Performance Risk: Service Level Agreements.” As its title implies, this booklet focuses on managing vendor risk through service level agreements. It covers the development of effective SLAs and how to document such agreements so that performance standards and service quality are better ensured. The third and last, titled “Techniques for Managing Multiple Service Providers,” discusses two approaches bankers may wish to consider in order to mitigate the risks that arise when competing technology vendors’ products operate simultaneously at the financial institution. The two techniques covered are the “lead contractor model” and the “inter-provider agreement.”