Financial Institution Letter Shows FDIC is Serious About Tech Contracts
In recent years, bank regulators have increased their efforts to require banks to manage third-party risk appropriately. On April 2, the Federal Deposit Insurance Corporation (FDIC) issued a Financial Institution Letter emphasizing this point. FIL-19-2019 describes examiner observations regarding gaps in the contracts that financial institutions have with technology service providers. Because of these gaps, the FDIC requires banks to take additional steps to manage business continuity and incident response where their contracts are lacking.
Financial institutions rely on technology services for a wide variety of functions. It is not practical to provide all of these services in-house, so banks often rely on third-party service providers. In last week's FIL, the FDIC emphasized the point that even where services are outsourced, the financial institution's board of directors and senior management are responsible for managing third-party vendor risks as if they were performed within the institution.
FDIC examiners found that many bank contracts do not require the service provider to maintain a business continuity plan. They also frequently lack standards for data recovery, along with appropriate remedies when a recovery standard is missed. Contracts lacking these provisions are inconsistent with the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.
Given the FDIC's stance that directors and senior management are responsible for outsourced activities, the letter requires banks to put backup plans and mitigating controls in place where a contract has gaps in business continuity and incident response. This might mean obtaining additional documentation on the service provider's business continuity plans, or modifying the bank's own plan to address gaps in the service provider's coverage.
Of course, the best way to handle this concern is to negotiate appropriate service provider contracts in the first place. Most bank technology contracts are difficult to read and use, acutely slanted toward the service provider, and lacking key provisions. As the FDIC observed, they also provide the bank little in the way of recourse.
However, the tide is beginning to turn. Pressure from regulators such as the FDIC gives banks important ammunition in the quest to secure reasonable and fair technology contracts. With the right negotiation strategy and persistence, banks can achieve a much better risk allocation. A good vendor diligence program can uncover weaknesses in business continuity and data recovery early in the process. Any reputable vendor should be willing to cover both of these issues in detail in the contract, sparing the bank the internal backup plans this FIL otherwise requires.