Friday, February 17, 2017

FDIC Watchdog Highlights Gaps in Banks’ Vendor Contracts

Few banks’ contracts with technology service providers (TSPs) provide sufficient detail about the providers’ business continuity and incident response capabilities and duties, according to a report issued by the FDIC’s independent inspector general. The report also found shortfalls in banks’ assessments of how providers could affect the banks’ own ability to plan for business continuity and incident response.

In response, the FDIC said it would work with other FFIEC agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management. Anecdotal reports from banks indicate that examiners are increasingly focusing on technology provider risk management. The report expressed concern that some banks “may not be sufficiently knowledgeable about or engaged in contract management” and would thus “attempt to transfer their inherent responsibility for [bank] continuity and information security to TSPs,” which the IG said will require examiners’ continued focus.

The report, issued after a review of 48 technology vendor contracts, found that nearly half included no discussion of business continuity. Forty-two percent included a “detailed” discussion, and 10% included only a “high-level” discussion. The report found:

Contract provisions that more specifically detail key business continuity issues could provide [banks] greater assurance that critical systems, services, and operations will be recovered and resumed timely and effectively when operations have been unexpectedly disrupted.

In terms of incident response, 65% of contracts included a detailed discussion of security and confidentiality, but only 23% covered performance standards in detail. The report also found that key terms in contracts lack specific definitions. The report found:

[Banks] may not be sufficiently engaged in writing and negotiating contracts to ensure their rights and TSP responsibilities are clearly defined. TSPs appear to be drafting the contracts and ensuring that their rights are protected more than the [banks].

Regulators continue to focus on vendor risk management, including through an interagency rulemaking on enhanced cyber risk management standards for which comments are due today. ABA staff will continue to monitor agency activities and communicate with all agencies as guidance and expectations evolve.

Read the report.
