The FDIC has reemphasized the need for institutions with less than $1 billion in assets to control the risks associated with using third-party technology service providers. It did so in a new financial institutions letter (FIL), FIL-19-2019, “Technology Service Provider Contracts,” released on April 2, 2019. This FIL was prompted by failings in third-party oversight uncovered in recent examinations. It reiterates guidance previously issued in FIL-44-2008, “Guidance for Managing Third-Party Risk,” and emphasizes the importance of complying with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. Nothing in the FIL creates new supervisory expectations or otherwise breaks new ground.
FIL-19-2019 reiterates that contracts are a key component of effective third-party oversight and notes that recent FDIC reviews of technology contracts have revealed a lack of specificity with respect to responsibilities concerning business continuity and data security incident response. Those reviews also indicated a lack of appropriate ongoing monitoring and general oversight. In addition, FIL-19-2019 highlights the requirement to notify regulators regarding relationships with technology service providers that provide certain types of services. Finally, the FIL concludes by providing a link to a form that banks can use to provide this notification.
In response to strong urging by the FDIC, banks are increasingly looking to partner with fintechs in order to enhance the speed and quality of customer service and provide innovative products and services. FIL-19-2019 reinforces the need for conducting appropriate due diligence before entering into any of these relationships.
Contract deficiencies are often the result of inadequate vendor planning and risk identification. Unless the applicable risks have been effectively identified by involving all key stakeholders in the planning process, the resulting service provider agreement is unlikely to provide the necessary information and reporting to perform effective oversight.
All banks that utilize the services of third-party technology providers, and not only small institutions, should review existing contracts against the risks and potential deficiencies highlighted in FIL-19-2019.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.