FDIC highlights common deficiencies in technology vendor contracts

Financial Services Regulatory Alert


On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) issued a Financial Institution Letter (FIL) highlighting examiner-identified deficiencies in bank contracts with technology service providers (TSPs), chiefly ambiguity about the roles and rights of each party.

The FIL emphasized that some financial institution contracts with TSPs did not adequately define rights and responsibilities regarding business continuity and incident response, leaving financial institutions without the detail needed to manage those processes and the associated risks. Key terms used in contractual provisions relating to business continuity and incident response must be defined.

Further, the FIL stated, some financial institution contracts did not require the TSPs to maintain a business continuity plan, establish recovery standards, or define contractual remedies when TSPs fail to meet those recovery standards. Some contracts also failed to sufficiently detail the TSP's security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement.

These TSP requirements stem from the Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to the Gramm-Leach-Bliley Act, which are incorporated into the FDIC's Rules and Regulations as Appendix B to Part 364. The Interagency Guidelines set federal expectations for managing TSP relationships and aim to safeguard customer information.

In the FIL, the FDIC reminds depository institutions that they must notify their respective federal banking agency, in writing, of contracts or relationships with TSPs that provide certain services under the Bank Service Company Act, such as check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical or similar functions, among them data processing, Internet banking and mobile banking services.

The FIL is likely an indicator that not only the FDIC but other regulators may be focusing intently on these matters during future examinations. To ensure full compliance with current TSP contract requirements, financial institutions may consider undertaking an audit of such contracts in advance of their next exam.

For further information or for assistance with reviewing the adequacy of current or proposed TSP contracts, please contact any of the authors.