Posts filed under ‘FinTech’

Bank/Tech Contract Concerns Issued By FDIC IG

Written by: Lindsay Harden

The FDIC’s independent Office of Inspector General (OIG) issued a report late last week detailing a study it conducted of contracts between financial institutions and technology service providers (TSPs). The report concluded that such contracts are commonly not sufficient to address certain risks that are inherent in these relationships. Specifically, contracts with TSPs frequently lack specificity and completeness with respect to business continuity and incident response procedures and obligations.

For several years the financial regulatory agencies have shown an interest in third-party risk management, including ensuring adequate protection of private customer information. Recently, the FDIC and FFIEC have engaged in further initiatives related to cybersecurity and outsourcing of technology services. However, according to the FDIC’s Division of Risk Management Supervision, contracts with TSPs are generally out of date and do not reflect recent efforts to strengthen cybersecurity.

Based on a review of 48 contracts between financial institutions and TSPs, the OIG report made the following findings:

  • Financial institution analyses do not fully consider business continuity and incident response risks presented by TSPs
  • Key contract provisions provide limited coverage of the TSP’s business continuity planning and incident response and reporting responsibilities
  • Key contract terms lack clear and specific definition
  • The FDIC has implemented numerous initiatives to address cybersecurity risks
  • Financial institution third-party relationship risks remain and will require continued supervisory attention

In addition, the report provided some examples of necessary types of provisions that are frequently missing from contracts. For instance, only half of the contracts reviewed explicitly included business continuity provisions, and only a handful established clear performance standards and remedies for failure to meet those standards. Furthermore, many key terms used in regulatory and supervisory guidance—including “misuse of information,” “unauthorized access,” “significant disruption,” and “cyber event”—were often unused, undefined, or inadequately defined in TSP contracts.

The FDIC has plans to take certain actions by October of 2018 to follow up on the OIG’s recommendations in the report. One such action is continuing to communicate to financial institutions the importance of effective contracts with TSPs through the FDIC’s risk management supervision program, which includes guidance, examination procedures, examinations, and off-site monitoring.

The OIG report and potential FDIC action provide banks with additional leverage in negotiating TSP contracts. Affected banks should closely review existing contracts. If your contracts are close to renewal, or if you are considering adding services under those contracts, you have an opportunity to address deficiencies. You should review the terms of the agreement and work with counsel to identify gaps in existing or proposed agreements. Please contact us if you need assistance, as we have significant experience negotiating and drafting contracts with TSPs and assisting banks with TSP vendor diligence.

For more information, please contact Karen Garrett or Steve Cosentino, leaders of our fintech practice.

February 23, 2017 at 10:00 am

National Bank Charters for FinTech Companies

Written by: P. Michael Campbell

On Friday, December 2nd, the Office of the Comptroller of the Currency (“OCC”) announced that it would start considering applications for special purpose national bank charters from fintech (financial technology) companies. The OCC believes that providing fintech companies charters will establish a regulatory framework for the fintech industry. As noted by the OCC, a company receiving the special purpose national bank charter will be “held to the same rigorous standards of safety and soundness, fair access, and fair treatment of customers that apply to national banks and federal savings associations.”

In addition to regulation by the OCC, a fintech company receiving a charter could be subject to regulation from other governmental bodies, including the Federal Reserve, Federal Deposit Insurance Corporation and the Consumer Financial Protection Bureau.

Any company seeking a special purpose national bank charter is expected to have a well-developed business plan setting forth in “significant detail” the bank’s activities. The plan must also cover the governance structure, capital, liquidity, compliance risk management, financial inclusion and recovery and exit strategies.

SLS is well positioned to advise any company seeking a special purpose national bank charter. SLS has experts in every aspect of the application process and years of experience working with regulatory agencies.

The OCC’s proposal is open for comment until January 15th and is expected to receive many comments, as the move has been both applauded and criticized in the financial and banking industry. SLS will continue to monitor any developments with the OCC’s announcement.

December 6, 2016 at 8:00 am



Produced & Maintained By Stinson Leonard Street


A legal resource for Banking & Financial Services
