FDIC Reminds Small Banks of Need to Oversee Technology Service Providers

Mark Dabertin, Richard Eckman, Avinoam Erdfarb
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

Pepper Hamilton LLP

The need to control risks associated with using third-party technology service providers was reemphasized by the FDIC for institutions with less than $1 billion in assets in a new financial institutions letter (FIL) FIL-19-2019, “Technology Service Provider Contracts.” Released on April 2,  2019.  This FIL was prompted by failings in third-party oversight uncovered in recent examinations. It reiterates guidance previously issued in FIL-44-2008, “Guidance for Managing Third-Party Risk,” and emphasizes the importance of complying with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. Nothing in the FIL creates new supervisory expectations or otherwise breaks new ground.

FIL-19-2019 reiterates that contracts are a key component of effective third-party oversight and notes that recent FDIC reviews of technology contracts have revealed a lack of specificity with respect to responsibilities concerning business continuity and data security incident response. Those reviews also indicated a lack of appropriate ongoing monitoring and general oversight. In addition, FIL-19-2019 highlights the requirement to notify regulators regarding relationships with technology service providers that provide certain types of services. Finally, the FIL concludes by providing a link to a form that banks can use to provide this notification.

Pepper Points

  • In response to strong urging by the FDIC,1 banks are increasingly looking to partner with fintechs in order to enhance the speed and quality of customer service and provide innovative products and services. FIL-19-2019 reinforces the need for conducting appropriate due diligence before entering into any of these relationships.

  • Contract deficiencies are often the result of inadequate vendor planning and risk identification. Unless the applicable risks have been effectively identified by involving all key stakeholders in the planning process, the resulting service provider agreement is unlikely to provide the necessary information and reporting to perform effective oversight.

  • All banks that utilize the services of third-party technology providers, and not only small institutions, should review existing contracts against the risks and potential deficiencies highlighted in FIL-19-2019.

 

Endnotes

1 See: https://www.pepperlaw.com/events/fintech-2019-present-past-and-future-2019-02-19/.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide