Posts filed under ‘cybersecurity’

Written by: Lindsay Harden

Yesterday the OCC issued Frequently Asked Questions (“FAQs”) to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.” The FAQs provide helpful guidance to banks on subjects including working with fintech companies, reducing oversight costs for lower-risk third-party relationships, and engaging in marketplace lending arrangements with non-bank entities. Portions of this guidance may be particularly useful for community banks who wish to leverage resources by distributing costs among multiple banks. For example, the OCC clarified in the FAQs that banks using a common third-party service provider may collaborate with each other to meet certain OCC expectations with respect to performing due diligence, contract negotiation, and ongoing monitoring responsibilities. The FAQs also make clear that a bank may outsource certain compliance management functions or collaborate with a group of banks to manage cybersecurity issues, as additional cost saving alternatives.

June 8, 2017 at 2:11 pm

Bank/Tech Contract Concerns Issued By FDIC IG

Written by: Lindsay Harden

The FDIC’s independent Office of Inspector General (OIG) issued a report late last week detailing a study it conducted of contracts between financial institutions and technology service providers (TSPs). The report concluded that such contracts are commonly not sufficient to address certain risks that are inherent in these relationships. Specifically, contracts with TSPs frequently lack specificity and completeness with respect to business continuity and incident response procedures and obligations.

For several years the financial regulatory agencies have shown an interest in third-party risk management, including ensuring adequate protection of private customer information. Recently, the FDIC and FFIEC have engaged in further initiatives related to cybersecurity and outsourcing of technology services. However, according to the FDIC’s Division of Risk Management Supervision, contracts with TSPs are generally out of date and do not reflect recent efforts to strengthen cybersecurity.

Based on a review of 48 contracts between financial institutions and TSPs, the OIG report made the following findings:

  • Financial institution analyses do not fully consider business continuity and incident response risks presented by TSPs
  • Key contract provisions provide limited coverage of the TSP’s business continuity planning and incident response and reporting responsibilities
  • Key contract terms lack clear and specific definition
  • The FDIC has implemented numerous initiatives to address cybersecurity risks
  • Financial institution third-party relationship risks remain and will require continued supervisory attention

In addition, the report provided some examples of necessary types of provisions that are frequently missing from contracts. For instance, only half of the contracts reviewed explicitly included business continuity provisions, and only a handful established clear performance standards and remedies for failure to meet those standards. Furthermore, many key terms used in regulatory and supervisory guidance—including “misuse of information,” “unauthorized access,” “significant disruption,” and “cyber event”—were often unused, undefined, or inadequately defined in TSP contracts.

The FDIC has plans to take certain actions by October of 2018 to follow up on the OIG’s recommendations in the report. One such action is continuing to communicate to financial institutions the importance of effective contracts with TSPs through the FDIC’s risk management supervision program, which includes guidance, examination procedures, examinations, and off-site monitoring.

The OIG report and potential FDIC action provide banks with additional leverage in negotiating TSP contracts. Affected banks should closely review existing contracts, and if your contracts are close to renewal, or if you are considering adding services under those contracts, you have an opportunity to address deficiencies.  You should review the terms of the agreement and work with counsel to identify gaps in existing or proposed agreements. Please contact us if you need assistance, as we have significant experience negotiating and drafting contracts with TSPs and assisting banks with TSP vendor diligence.

For more information, please contact Karen Garrett or Steve Cosentino, leaders of our fintech practice.

February 23, 2017 at 10:00 am


Enter your email address to follow this blog and receive notifications of new posts by email.

Produced & Maintained By

Stinson Leonard Street Logo

Categories

A legal resource for Banking & Financial Services

Archives


%d bloggers like this: