On April 2, 2019, the FDIC released FIL-19-2019. The Financial Institution Letter (FIL) highlighted examiner observations related to technology service provider contracts. Although the regulatory guidance is not new, the examiner observations are clear.
Financial institution boards of directors and senior management are responsible for managing the risk of outsourced technology service providers. When a contract with a third-party service provider lacks sufficient detail and does not adequately address applicable risks, such as business continuity and incident response, the responsibility to assess those and any resulting risks, and to implement appropriate mitigating controls, still rests squarely with the financial institution. Effectively monitoring and mitigating the added exposure created by a weak contract may require obtaining supplementary business continuity documentation from the service provider, or modifying the financial institution's own business continuity plan to address the contractual uncertainties.
Interestingly, the FIL also called out the well-known Bank Service Company Act (Section 7), which requires financial institutions to notify their appropriate regulatory agency of contracts with technology vendors that provide certain services. This raises the question: Have financial institutions let some of the basic, long-standing requirements slip through the cracks over time? Perhaps so. Self-identification now, rather than waiting for findings under heightened regulatory scrutiny, is in the best interest of every financial institution and its customers.
Fortrex is ready to help! Contact us to discuss the best solution(s) for your situation – to ease the stress of TPRM and keep your institution compliant.