OCC Warns About Vendor Concentration, Foreign Subcontractors

WASHINGTON — Comptroller of the Currency Thomas Curry said his agency is increasingly concerned about the cybersecurity risks from banks relying too much on certain vendors and using service providers in foreign countries.

Banks can end up becoming dependent on certain vendors because of consolidation in the service provider industry, Curry said in his prepared remarks for the Consumer Electronics Show's Government Summit in Washington. They can also be exposed to risks when they assign critical functions to outside vendors, including those that use foreign-based subcontractors.

"Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts," Curry said. "Finally — and perhaps most importantly — we are concerned about the access third parties have to large amounts of sensitive bank or customer data."

His comments shine new light on the Office of the Comptroller of the Currency's thinking about two areas where it has devoted heightened attention recently: vendor risk and cybersecurity.

Last year, Curry helped establish a cybersecurity and critical infrastructure working group within the Federal Financial Institutions Examination Council, which is made up of all the federal bank regulators. In October, the OCC updated its guidance with groundbreaking risk management requirements for banks to oversee third-party relationships.

"We expect the board and management to ensure that appropriate risk management practices are in place, that clear accountability for day-to-day management of these relationships is established, and that independent reviews of these relationships will be conducted periodically," Curry said in his remarks Wednesday.

He fully acknowledged the importance of being able to hire vendors, particularly for smaller banks that don't have the resources to provide certain services in-house. However, he added that his agency would also directly supervise "critical service providers" when necessary. (Last year the agency took a disciplinary action against the banking software provider Jack Henry & Associates for failing to get a processing center damaged by Hurricane Sandy up and running in a timely manner.)

"While we won't go into every provider, we will examine service providers that support a large number of banks and that could, therefore, pose a systemic risk to the financial sector," Curry said. But "that does not alleviate a bank of its responsibility to understand and manage risks involved in their third-party relationships. Our supervision does not take the place of due diligence or ongoing monitoring commensurate with the level of risk and complexity of the arrangement."

Banks of all sizes need to start sharing information with one another and with government agencies to protect the system from cyber threats at large, Curry said.

"Effective information sharing … will enable the sharing of best practices, techniques and strategies, and collective responses to wide-scale events. It will also help banks focus resources on the most significant areas of concern," he said. "This is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country."
