The Gramm-Leach-Bliley Act requires "service provider oversight," which typically includes the financial institution requesting and reviewing selected documentation from the service provider. For example, a bank might ask its outsourced core processor to share its SAS 70 report (a third-party review of the data center) so the bank can assess the internal controls in effect at the data center.
Such information requests vary greatly: some financial institutions go overboard and request numerous documents, some irrelevant to the process, while some service providers respond with too little documentation to adequately meet the service provider requirements of the GLBA. Some service providers also see an opportunity and charge fees for such documentation.
What is a reasonable request for service provider documentation? It depends on the specific service provider and its relationship with the financial institution. Don't expect voluminous documentation, including a SAS 70 report, from a small Internet service provider, but do expect an annual SAS 70 and other documentation from a major core processor.
A minimum checklist would include:
- Confidentiality agreement (per the GLBA, may be expressed in contract, in a privacy/security notice, or a service level agreement (SLA))
- Third party escrow of source code agreement
- SAS 70 Report (if outsourced), preferably a Level II report
- Financial Statements (preferably audited, not a review or compilation)
- Proof of insurance
Back on the financial institution's side, regulators and auditors will want to see documented due diligence of the service provider selection. It's one thing to request documentation from a service provider, but it's quite another to have chosen an unstable provider due to a lack of due diligence. Cover all the bases and your next IT examination will go much more smoothly.
First published on BankersOnline.com 1/29/07