The FDIC recently released a letter outlining common deficiencies noted in financial institutions’ contracts with technology service providers. Quantivate’s compliance attorney, Brian Witt of law firm Farleigh Wada Witt, has provided an overview below.
On April 2, 2019, the FDIC issued a letter (FIL 19-2019 Technology Service Provider Contracts) to all FDIC-supervised institutions that describes FDIC examiner observations about gaps in banks’ contracts with technology service providers and inadequate management of business continuity and incident response functions.
The FDIC’s letter states that examiners have observed common deficiencies in contracts between banks and technology service providers that do not adequately define or address the rights and responsibilities in the areas of business continuity and incident response.
The FDIC specifically noted that bank contracts do not:
The FDIC clearly stated that these vendor management deficiency observations are being noted in reports of examination.
The FDIC encourages financial institutions, as part of their due diligence and ongoing monitoring, to ensure that business continuity and incident response risks are adequately addressed in service provider contracts. Long-term contracts and contracts that automatically renew may be at higher risk for coverage gaps. To mitigate these deficiencies, a financial institution may need to obtain supplementary business continuity documentation from the service provider, or modify the institution’s own business continuity plan to address contractual uncertainties.
The FDIC also reminded banks of their statutory obligation to provide written notification to their federal banking regulator of contracts or relationships with technology service providers that provide certain services (e.g., check and deposit sorting and posting, computation and posting of interest, bookkeeping, accounting, mobile banking services). To help institutions comply with the notice requirements, the FDIC developed an optional form, FDIC Form 6120/06, for such notices.
The concerns the FDIC raises in its recent letter are not new; they continue a long-standing focus on bank technology service provider contracts. Back in 2017, the FDIC’s Office of Inspector General highlighted similar points in its report Technology Service Provider Contracts with FDIC-Supervised Institutions, which examined shortfalls in bank vendor contracts with technology service providers. The FDIC Inspector General’s report findings addressed two common areas of bank vendor management problems:
In many vendor management programs, vendor contract reviews consist of simply cataloguing key contract section headings without any actual risk analysis or mitigation. Such vendor contract reviews are pointless. All financial institutions, whether examined by the FDIC, the NCUA, or another federal banking regulator, should carefully review their technology service provider relationships, in particular their due diligence and vendor contract requirements, for business continuity and incident response responsibilities, to avoid increased risk and examination scrutiny.
Brian is an attorney with Farleigh Wada Witt who specializes in representing financial service providers on regulatory and compliance issues.
Farleigh Wada Witt is the premier financial services law firm in the Pacific Northwest providing comprehensive vendor management guidance and support to financial services clients. With over 30 years of experience, we assist banks and credit unions of all sizes in managing vendor management legal, regulatory and operational issues.