Big brother is watching…and it isn’t a bad thing. In fact, it is a very good thing, one that has the potential to strengthen the entire financial services industry.
In February, the Office of the Inspector General released “Technology Service Provider Contracts with FDIC-Supervised Institutions.” This report summarized 48 servicing contracts at 19 financial institutions.
While not a very large sample, the results are consistent with what I have seen reviewing contracts over the last several years. These contracts cover outsourced services, but banks that use in-house core processing are affected too, because they increasingly rely on outsourced services to serve their customers in areas such as ATM/debit card processing and internet/mobile banking.
Both of these delivery channels are crucial for your customers, and both carry sensitive customer data. Business continuity and cyber security were key focuses of this study, and both apply to the services I noted, plus more if your institution uses outsourced core processing.
The report’s Evaluation Results state in part: “We did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs may have on FIs’ ability to manage their own business continuity planning and incident response and reporting operations.
“Typically, FI contracts with TSPs did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights. Contracts also did not sufficiently define key terminology related to business continuity and incident response. As a result, FI contracts with TSPs we reviewed provided FIs with limited information and assurance that TSPs (1) could recover and resume critical systems, services and operations timely and effectively if disrupted; and (2) would take appropriate steps to contain and control incidents and report them timely to appropriate parties.”
Let’s break down the passage above, as it contains two important findings. The first concerns FIs not fully considering risk when evaluating TSPs and their impact on the FI’s business. In my experience working with banks evaluating core vendors or renewing contracts, this risk is evaluated, but not to the extent necessary to satisfy the regulators. I expect vendor management standards in this area to be strengthened in the next year. Risk management will need to include an understanding of recovery point objective (RPO) and recovery time objective (RTO). (Links below.)
The second finding will require TSPs to respond with additional contractual commitments detailing their response when service outages or breaches occur. Contracts today do provide some commitments to this effect, but they are very basic. There needs to be a committed restoration of services within a specific time period after a failure, and there needs to be a clearer definition of the TSP’s responsibilities once a cyber security event occurs. Neither is provided today, nor has either been required by regulation, which is the main reason they are absent from contracts. This aligns with the performance standards that every service agreement must have, but it goes one step further: no vendor today sets expectations in the contract for resumption of services, at least none that I have seen. I will discuss performance standards in more depth in my next blog.
The Inspector General’s report is just the beginning. Its recommendations are not due to be completed until October 2017, so there is plenty of time for your financial institution to research these guidelines, become educated in what may be new concepts, and review your vendor’s risk management policy.
Links:
Technology Service Provider Contracts with FDIC-Supervised Institutions
Recovery Point Objective
Recovery Time Objective