Recognizing the increasing dependence of financial institutions on technology service providers, bank regulators have stepped up their efforts to require banks to manage third-party risk appropriately. The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners in several technology service provider contracts that were inadequate under existing guidance. These contracts omitted or inadequately addressed key provisions, such as:
- Requiring the service provider to maintain a business continuity plan;
- Setting standards for data recovery, along with appropriate remedies when a recovery standard is missed;
- Defining key terms in the contract relevant to business continuity and/or incident response.
Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, as promulgated under the Gramm-Leach-Bliley Act.
Vendors that provide technology-related services can create special risks for depository institutions that must be properly addressed in their service contracts. The FDIC indicated that it plans to hold boards and senior management of financial institutions accountable for controlling those risks, in accordance with the requirements of the law and its existing regulatory guidance.
Financial institutions should be willing to hold their service providers accountable and negotiate an appropriate contract. All financial institutions should maintain a set of provisions that they review for every contract, along with a robust vendor management program that will help uncover any weaknesses in business continuity and data recovery early in the process.