FDIC FIL-19-2019 Technology Service Provider Contracts
Technology Service Provider Contracts
April 2, 2019
The FDIC has published a new Financial Institution Letter (FIL) that highlights examiner observations about gaps in financial institutions' contracts with technology service providers (TSPs). Examiners have noted in recent FDIC reports of examination that some financial institution contracts with TSPs do not adequately address business continuity and incident response.
Bottom line: financial institutions (FIs) need to review their contracts with technology service providers and either confirm that the appropriate language is in the contract or, where it is not, assess the resulting risks and implement compensating controls to mitigate them.
Items for consideration include:
- Contracts need to require the TSP to maintain a business continuity plan and to provide the plan, along with the results of its testing, to the FI
- Contracts need to include recovery standards (for example, recovery time and recovery point objectives) and define contractual remedies if the TSP misses a recovery standard
- Contracts need to define the TSP's security incident responsibilities, including notifying the FI and, where applicable, regulators or law enforcement
What needs to be done?
FIs are encouraged to ensure that business continuity and incident response risks are addressed both in initial due diligence and in ongoing monitoring of the TSP. If an existing contract does not include the appropriate language, the FI should work with the TSP to amend the contract or, failing that, implement compensating controls to mitigate the resulting risks.
Lastly, Section 7 of the Bank Service Company Act (Act) (12 U.S.C. 1867) requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. Services covered by Section 3 of the Act include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.
To help institutions comply with the Act's notification requirements, the FDIC has developed a form, FDIC 6120/06 (4-99). The form is optional, and the information it requests may be submitted to the FDIC in any format. Notifications should be sent to the institution's FDIC regional office.
Call us if we can help you!