North Dakota Bankers Association

FDIC Watchdog Highlights Gaps in Banks' Vendor Contracts

Posted on 2/17/2017

Few banks' contracts with technology service providers (TSPs) provide sufficient detail about the providers' business continuity and incident response capabilities and duties, according to a report issued yesterday by the FDIC's independent inspector general. The report also found shortfalls in banks' assessments of how providers could affect the banks' own ability to plan for business continuity and incident response.

In response, the FDIC said it would work with other Federal Financial Institutions Examination Council agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management. Anecdotal reports from banks indicate that examiners are increasingly focusing on technology provider risk management. The report expressed concern that some banks "may not be sufficiently knowledgeable about or engaged in contract management" and would thus "attempt to transfer their inherent responsibility for [bank] continuity and information security to TSPs," which the IG said will require examiners' continued focus.

The report, issued after a review of 48 technology vendor contracts, found that nearly half included no discussion of business continuity. Forty-two percent included a "detailed" discussion, and 10 percent included only a "high-level" discussion. "Contract provisions that more specifically detail key business continuity issues could provide [banks] greater assurance that critical systems, services, and operations will be recovered and resumed timely and effectively when operations have been unexpectedly disrupted," the report found.

In terms of incident response, 65 percent of contracts included a detailed discussion of security and confidentiality, but only 23 percent covered performance standards in detail. The report also found that key terms in contracts lack specific definitions. "[Banks] may not be sufficiently engaged in writing and negotiating contracts to ensure their rights and TSP responsibilities are clearly defined," the report found. "TSPs appear to be drafting the contracts and ensuring that their rights are protected more than the [banks]."

Regulators continue to focus on vendor risk management, including through an interagency rulemaking on enhanced cyber risk management standards for which comments are due today. ABA staff will continue to monitor agency activities and communicate with all agencies as guidance and expectations evolve.
