Due Diligence On Service Providers

Question: 
I have been hearing from some fellow bankers that their examiners are stating that it is required as part of BSA for the bank to perform due diligence on their service providers as it relates to hacking instances. In particular they are requiring clauses in their third party contracts which require notification to the bank within a certain number of hours on all hacker attempts. This sounds like a good idea and sounds more like a Privacy issue, but I can't find in BSA where this is required.
Answer: 

You won't find this in BSA. But there is a great deal of guidance from the regulatory agencies relating to outsourcing and technology providers. In addition, the Interagency Guidelines for Safeguarding Customer Information impose stringent requirements with respect to service providers.

The guidelines state, in pertinent part:
D. Oversee Service Provider Arrangements. Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

Knowing the hacking track record of the vendor is an essential part of your due diligence in the selection process -- as well as your oversight responsibility on a go-forward basis.

First published on BankersOnline.com 7/1/02