FDIC Warns Financial Institutions About Vendor Management & Business Continuity Deficiencies

On April 2, 2019, the FDIC issued a letter (FIL 19-2019 Technology Service Provider Contracts) to all FDIC-supervised institutions that describes FDIC examiner observations about gaps in banks’ contracts with technology service providers and inadequate management of business continuity and incident response functions.

FDIC Examiner Observations & Concerns

The FDIC’s letter states that examiners have observed common deficiencies in contracts between banks and technology service providers that do not adequately define or address the rights and responsibilities in the areas of business continuity and incident response.

The FDIC specifically noted bank contracts do not:

• Define technology service provider responsibilities regarding business continuity and incident response
• Require technology service providers to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard
• Provide adequate contract provisions relating to the technology service provider’s security incident responsibilities (e.g., notification requirements)
• Provide adequate contract provisions to allow banks to manage business continuity and incident response
• Clearly define key contract terms for business continuity and incident response, which could increase risk during security incidents and disruptions

The FDIC clearly stated that these vendor management deficiency observations are being noted in reports of examination.

Vendor Management Requirements & Actions 

The FDIC encourages financial institutions, as part of their due diligence and ongoing monitoring, to ensure that business continuity and incident response risks are adequately addressed in service provider contracts. Long-term contracts and contracts that automatically renew may be at higher risk for coverage gaps. To mitigate these deficiencies, a financial institution may need to obtain supplementary business continuity documentation from the service provider, or modify the institution’s own business continuity plan to address contractual uncertainties.

The FDIC also reminded banks of their statutory obligation to provide written notification to their federal banking regulator of contracts or relationships with technology service providers that provide certain services. (e.g., check and deposit sorting and posting, computation and posting of interest, bookkeeping, accounting, mobile banking services). To help institutions comply with the notice requirements, the FDIC developed an optional form, FDIC Form 6120/06, for such notices.

Continued FDIC Concerns

The FDIC’s concerns raised in its recent letter are not new but a continued focus and concern about bank technology service provider contracts. Back in 2017, the FDIC highlighted similar points in its report Technology Service Provider Contracts with FDIC-Supervised Institutions, which examined shortfalls in bank vendor contracts with technology service providers. The FDIC Inspector General’s report findings addressed two common areas of bank vendor management problems:

• Vendor Contract Reviews: common deficiencies in TSP vendor agreements
• Business Continuity & Incident Response Risk Management: common oversights of business continuity and incident response planning

In many vendor management programs, vendor contract reviews consist of simply cataloguing key contract section headings without actual risk analysis or mitigation. Such vendor contract reviews are pointless. All financial institutions, whether examined by the FDIC, NCUA, or another federal banking regulator, should carefully review their technology service provider relationships—in particular due diligence and vendor contracts requirements—for business continuity and incident response responsibilities, to avoid increased risk and examination scrutiny.

Brian is an attorney with Farleigh Wada Witt who specializes in representing financial service providers on regulatory and compliance issues.

Farleigh Wada Witt is the premier financial services law firm in the Pacific Northwest providing comprehensive vendor management guidance and support to financial services clients. With over 30 years of experience, we assist banks and credit unions of all sizes in managing vendor management legal, regulatory and operational issues.