Banks should improve tech vendor service contracts: FDIC
WASHINGTON — The Federal Deposit Insurance Corp. issued a letter to banks Tuesday warning them about gaps in their contracts with technology vendors.
Some technology service pacts are not "adequately" defining which party — the bank or the vendor — is responsible for managing risks, the agency said. The FDIC said contracts should spell out more clearly how each party will respond when there is an incident (such as a data breach or a systems failure).
“Some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard,” the FDIC said in the letter to banks it supervises. “Other contracts did not sufficiently detail the technology service provider’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement.”
The letter comes at a time when more banks are partnering with fintech firms and regulators, including the FDIC, are grappling with where such firms fit within the financial system.
The FDIC reminded banks that a continuity plan is required by law and banks must report to the FDIC their contracts with technology providers.
The letter said examiners are finding that some contracts “do not clearly define key terms” regarding business continuity plans and incident responses.
“Undefined and unclear key contract terms could contribute to ambiguity in financial institution rights and service provider responsibilities, and could increase the risk that technology service provider business disruptions or security incidents will impair financial institution operations or compromise customer information,” the letter said.