On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) provided notice to all FDIC-supervised institutions that examiners have observed certain deficiencies in banks' contracts with technology service providers and that such observations are being noted in reports of examination.[1] All depository institutions, whether subject to examination by the FDIC or another regulator, should use this notice as an opportunity to review their relationships with technology service providers and ensure vendor contracts meet regulatory expectations.
What are the FDIC's observations?
The FDIC's financial institution letter states that examiners have observed the following deficiencies in contracts between banks and technology service providers:
- Inadequate definition of rights and responsibilities regarding business continuity and incident response;
- Insufficient detail to allow banks to manage business continuity and incident response;
- No requirement for the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard;
- Insufficient detail relating to the technology service provider's security incident responsibilities (e.g., notification requirements); and
- Unclear definitions of key contract terms, which could contribute to ambiguity in the rights and responsibilities of the parties.
What does this mean for your bank?
Ensuring that the bank's contracts with its third-party vendors adequately address business continuity and incident response risks, as well as other regulatory expectations communicated through numerous agency publications and regulations, could save the bank from criticisms in its next examination and enhance the resiliency and safety and soundness of the institution. The FDIC's financial institution letter serves as an important reminder for banks to review such contracts, with a particular focus on higher-risk relationships, such as core software providers or relationships that are governed by long-term contracts or contracts subject to automatic renewal.
The FDIC also reminds banks of their statutory obligation to provide written notification to their regulator of certain service relationships within 30 days of entering into the contract or of the performance of the service. Notification is required for any relationship relating to permissible bank service company activities (e.g., check and deposit sorting and posting, computation and posting of interest, bookkeeping, accounting, mobile banking services). To assist banks in complying with the notice requirements, the FDIC developed FDIC Form 6120/06, Notification of Performance of Bank Services.
[1] Technology Service Provider Contracts, FIL-19-2019 (Apr. 2, 2019).