Examiners Find Technology Contracts Lack Sufficient Detail for Business Continuity and Incident Response

On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) issued Financial Institution Letter (FIL) 19-2019 about technology service provider contracts. Most financial institutions contract with third party service providers for a variety of products and services. FDIC examiners have found in recent exams that some financial institution contracts with technology service providers may not adequately define rights and responsibilities regarding business continuity and incident response. These contracts may also not provide adequate detail to allow financial institutions to manage those processes and risks. The FDIC encourages financial institutions to ensure that business continuity and incident response risks are adequately addressed in service provider contracts.

To learn about practices that can be used to mitigate risks in third-party relationships, financial institutions can refer to the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Business Continuity Booklet, or the FDIC’s Guidance for Managing Third-Party Risk. Even if your financial institution is not supervised by the FDIC, it would be prudent to consider these same risks and adjust your contracts accordingly.

CLA’s financial institution regulatory compliance team assists banks and credit unions nationwide in establishing regulatory compliance programs, conducting compliance testing, and training staff on regulations. Justin Robinson is a member of CLA’s regulatory compliance team and can be reached at justin.robinson@CLAconnect.com.
