FDIC reminder on tech service provider contracts

Yesterday, the FDIC issued FIL-19-2019 to share examiner observations about gaps in financial institutions' contracts with technology service providers; because of these gaps, institutions may need to take additional steps to manage their own business continuity and incident response. The FIL reminded FDIC-supervised financial institutions that:

  • Their boards of directors and senior management are responsible for managing risks related to relationships with technology service providers.
  • Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.
  • Recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties' respective rights and responsibilities for business continuity and incident response.
  • When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls.
  • Financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.

FDIC examiners have noted that some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard. Other contracts do not sufficiently detail the technology service provider's security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement. Also, some contracts do not clearly define key terms used in contractual provisions relating to business continuity and incident response. Undefined and unclear key contract terms can create ambiguity about the financial institution's rights and the service provider's responsibilities, and can increase the risk that a technology service provider's business disruption or security incident will impair the institution's operations or compromise customer information.

The FIL included links to several resources that institutions can use to guide them in managing their technology service provider agreements.
