Last week, the FDIC (“Federal Deposit Insurance Corporation”) sent out one of its periodic Financial Institution Letters. This one is about Technology Service Provider Contracts, so if you’re the compliance officer or a member of senior management of a financial institution with activities in the US and your firm works with technology services providers, you need to read this analysis.
Who is the FDIC and what’s a Financial Institution Letter?
The U.S. Federal Deposit Insurance Corporation is an independent agency with the objective to maintain stability and public confidence in the nation’s financial system by insuring deposits, as well as examining and supervising financial institutions for safety and soundness and consumer protection amongst other things.
Financial Institution Letters (FILs) are addressed to the senior officers, i.e. CEOs of the financial institutions supervised by the FDIC. FILs may announce new regulations and policies, new FDIC publications, and a variety of other matters of principal interest to those responsible for operating a bank or savings association.
What is it about?
During the exams of the firms it supervises, the FDIC has found gaps in the contracts of financial institutions with technology service providers. The firms are expected to look into these potential gaps in their own contracts to determine whether additional steps are required to manage their own business continuity and incident response.
Why is it important?
In the words of the FDIC: “Financial institutions often contract with technology service providers for services to the institution and its customers. Technology outsourcing relationships frequently integrate the systems and processes of the service provider and financial institution. This integration can impact how financial institutions manage their own processes such as business continuity and incident response. When services are outsourced, a financial institution’s board of directors and senior management are responsible for managing the risks posed by those services as if they were performed within the institution. Contracts are a critical tool for documenting agreement between financial institutions and their technology service providers on the levels of service required.”
Or in other words: the responsibility of the board of directors and senior management doesn’t stop at the firm’s building doors – it extends to risks related to relationships with technology service providers.
This is particularly important in times of increasing cyber risks, but it is equally relevant for partnerships with FinTechs. These relationships continue to gain importance, and the FDIC has discovered that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties’ respective rights and responsibilities for business continuity and incident response. If these contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls.
Who should read it?
Anyone on the boards of directors and senior management of a financial institution – regardless of whether it is FDIC regulated or not, since the principles apply in other regulatory relationships, too.
It’s also mandatory reading for Chief Compliance Officers, CTOs and anyone with responsibility for third-party services at financial firms.
Where can I find out more?
The full Financial Institution Letter entitled “Technology Service Provider Contracts – FIL-19-2019” of April 2, 2019 can be found here, and the FDIC website provides additional information on the subject. As a fun fact, and for anyone interested in the FDIC’s work on FinTech, the authority just announced that its first financial technology research conference will take place on April 24, 2019, with a focus on FinTech and the Future of Banking.