Technology Service Providers for Banks

June 20, 2019


Surveys suggest that convenience is the primary reason why
consumers select a bank or credit union. Features such as
mobile and online banking have become an important
contributor to consumer satisfaction. As more banking
transactions are conducted digitally, financial institutions
that lack in-house expertise are increasingly relying upon
third-party vendors, specifically technology service
providers (TSPs). TSPs develop the software and customer
interfaces for customer account and payment services as
well as maintain the digital technology.

As reliance on TSPs grows, regulators are scrutinizing how
banks manage their operational risks, the risk of loss
arising from failed internal controls, people, and
systems, or from external events (as defined by the Basel
Committee on Bank Supervision). Rising operational risks,
specifically in the form of cyber risks (e.g., unauthorized
access to customer data), have compelled regulators to
scrutinize security programs aimed at mitigating operational
risk. Cyber-related disruptions can potentially weaken
public trust and confidence in the financial system, thus
increasing the potential of a systemic risk panic (i.e., a run
on banks). Consequently, managing cyber-related risks
(relative to other types of financial risks) and the associated
costs have grown in importance.

Regulatory Background
Banking regulators have a broad set of authorities to
supervise vendors, such as TSPs, that have contractual
relationships with banks. In addition, using vendors does
not reduce an institution's responsibility to ensure that
actions are performed in a safe and sound manner.
Activities conducted through a TSP must meet the same
regulatory requirements as if they were performed by the
supervised depository institution itself.

Two laws are of interest: the Bank Service Company Act
(BSCA; P.L. 87-856) and the Gramm-Leach-Bliley Act
(GLBA; P.L. 106-102). The BSCA provides federal
depository institution regulators with authority to examine
and regulate TSPs that provide services to banks, including
check and deposit sorting and posting, preparation of
statements, notices, bookkeeping, and accounting. Section
501 of GLBA requires federal depository regulatory
agencies (as well as the Federal Trade Commission) to
establish appropriate standards for financial institutions to
ensure the security and confidentiality of customer
information. In 2001, the prudential depository regulators
issued interagency guidelines requiring banks to establish
information security programs that, among other things,
regularly assess the risks to consumer information (in
paper, electronic, or other form) and implement appropriate
policies, procedures, testing, and training to mitigate risks
that could cause substantial harm and inconvenience to
customers. The guidance requires banks to provide
continuous oversight of vendors to ensure that appropriate
security measures are maintained.

The regulators periodically update guidance pertaining to
vendors. For example, the Federal Deposit Insurance
Company (FDIC) emphasized in a 2008 Financial
Institutions Letter (Guidance for Managing Third-Party
Risk) that a financial institution's management is ultimately
responsible for risks arising when activities are conducted
through third-party relationships. In October 2012, the
Federal Financial Institutions Council (FFIEC) issued a
revised Supervision of Technology Service Providers
booklet; the Federal Reserve System, the FDIC, and the
Office of the Comptroller of the Currency concurrently
issued new Administrative Guidelines for the
Implementation of the Interagency Program for the
Supervision of Technology Service Providers. In April
2014, the FDIC re-issued suggested guidelines for bank
directors to consider when outsourcing essential banking
functions to TSPs. The National Credit Administration
(NCUA), the primary regulator for the credit union system,
shares similar concerns. (See Additional Resources
below.)

Concerns Related to TSP Relationships
The Office of Inspector General at the FDIC (OIG-FDIC)
frequently audits the FDIC's oversight process for
identifying and monitoring TSPs used by FDIC-supervised
institutions and for prioritizing examination coverage. In
the 2017 audit, the OIG-FDIC reviewed 48 contracts
negotiated between TSPs and 19 banking firms and
underscored the following concerns.

*  Some contracts lacked provisions that would
   contractually require TSPs to implement appropriate
   measures to meet objectives stated in the Interagency
   Guidelines (e.g., protecting against unauthorized access
   to or use of sensitive nonpublic personal information).

*  Some contracts lacked provisions that would establish
   business continuity plans, or provisions specifying how
   quickly operating systems would be restored after a
   cyber-related disruption. Some contracts had limited
   information and assurance that TSPs would have
   sufficient recovery capabilities if their systems were
   compromised.

*  Some contracts lacked provisions that would require
   TSPs to provide incident response reports after an
   adverse incident. OIG-FDIC stated that banks should be
   notified of incidents, such as unauthorized access or
   misuse of customer information stored in a TSP's data
   system, when they occur, along with the actions taken,
   the response times, and the controls put in place to
   prevent further adverse incidents.
