FDIC Issues Guidance Identifying Gaps in Technology Service Provider Contracts
The FDIC issued Financial Institution Letter FIL-19-2019 describing examiner observations about “gaps in financial institutions’ contracts with technology service providers that may require financial institutions to take additional steps to manage business continuity and incident response.” Specifically, examiners noted contractual deficiencies in recent reports of examination, including:
- Inadequate definition of rights and responsibilities regarding business continuity and incident response;
- Insufficient detail to allow banks to manage business continuity and incident response;
- No requirement for the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard;
- Insufficient detail relating to the technology service provider’s security incident responsibilities (e.g., notification requirements); and
- Unclear definitions of key contract terms, which could contribute to ambiguity in the rights and responsibilities of the parties.
The letter also notes that the Interagency Guidelines Establishing Information Security Standards, which were promulgated pursuant to the Gramm-Leach-Bliley Act and incorporated into the FDIC’s Rules and Regulations as Appendix B to Part 364, establish standards for safeguarding customer information. Such guidelines set the FDIC’s expectations for managing technology service provider relationships through contractual terms and ongoing monitoring, and financial institutions must account for these requirements in their contracts with technology service providers.
The FDIC references prior guidance that can be used to mitigate risk in third-party relationships, including the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook and the FDIC’s Guidance for Managing Third-Party Risk, which “provides additional information for managing outsourcing risk including information on contract structure, contract reviews, and service provider oversight.”
Finally, the FDIC reminds depository institutions of their obligations, under the Bank Service Company Act, to “notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services.” These services include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.