Service Provider Documentation
by Jimmy Sawyers, BOL Guru

Question: What should my bank have on file regarding service provider documentation? Some vendors send us tons of paper while others send nothing. What is practical and acceptable?

Answer: The Gramm-Leach-Bliley Act (GLBA) requires "service provider oversight," which typically includes the financial institution requesting and reviewing selected documentation from the service provider. For example, a bank might ask its outsourced core processor to share its SAS 70 report (a third-party review of the data center) so the bank can assess the internal controls in effect at that data center.

Such information requests vary greatly. At one extreme, financial institutions go overboard and request numerous documents, some of them irrelevant to the oversight process; at the other, some service providers respond with too little documentation to meet the service provider oversight requirements of the GLBA. Some service providers also see an opportunity and charge fees for such documentation.

What is a reasonable request for service provider documentation? It depends on the specific service provider and its relationship with the financial institution. Don't expect voluminous documentation, including a SAS 70 report, from a small Internet service provider, but one should expect an annual SAS 70 report and other documentation from a major core processor.

A minimum checklist would include:
  • Confidentiality agreement (per the GLBA, this may be expressed in the contract, in a privacy/security notice, or in a service level agreement (SLA))
  • Third-party escrow of source code agreement
  • SAS 70 report (if processing is outsourced), preferably a Level II report
  • Financial statements (preferably audited, not a review or compilation)
  • Proof of insurance

Back on the financial institution's side, regulators and auditors will want to see documented due diligence of the service provider selection. It's one thing to request documentation from a service provider, but it's quite another to have chosen an unstable provider because of a lack of due diligence. Cover all the bases and your next IT examination will go much more smoothly.



First published on BankersOnline.com 1/29/07
