
Is Your Bank Reviewing Its Technology Contracts?

May 30, 2019

By Brad Rustin and Samer Roshdy

Recent FDIC examinations have revealed major contractual deficiencies in several banks’ contracts with technology service providers, the agency said on April 2. Often, these contracts are the most significant relationships and the largest financial contracts for smaller regional and community banks. In addition, these technology vendors often serve as the main point of contact between a bank and its customers, so a well-drafted contract is critical for the reputation of the bank.

As a result, the FDIC issued a financial institutions letter to highlight gaps discovered in banks’ contracts with technology service providers. The FDIC’s main concern stems from the fact that several banks failed to contract for clear rights and responsibilities regarding business continuity and incident response. The FDIC specifically notes that contracts with technology service providers should:

  • Require the service provider to maintain a business continuity plan
  • Establish recovery standards
  • Define contractual remedies in the event that a technology service provider misses a recovery standard
  • Detail the technology service provider’s security incident responsibilities (such as to notify the bank, regulators, or law enforcement)
  • Define key terms relating to business continuity and incident response in order to avoid ambiguity in bank rights and service provider responsibilities

This is not a new initiative or focus of the FDIC or other financial regulators. In fact, the federal banking regulators, through the Federal Financial Institutions Examination Council, previously issued a Business Continuity Planning Booklet specifically dedicated to assisting financial institutions with the implementation and management of their business continuity processes.

The booklet, together with this latest FDIC letter, reaffirms the longstanding regulatory principle that a financial institution cannot discharge its responsibilities, including managing its business continuity and incident response processes, by outsourcing activities to third-party service providers. Thus, banks, as part of their due diligence and ongoing monitoring, must ensure that business continuity and incident response risks are adequately addressed in service provider contracts. Adding the contractual provisions noted above forces financial institutions to identify and mitigate some of the inherent risks related to technology service provider contracts.

The FDIC letter also references prior sources of guidance that the industry may use to identify the regulatory expectations, including:

  • Interagency Guidelines Establishing Information Security Standards (promulgated pursuant to the Gramm-Leach-Bliley Act to establish standards for safeguarding customer information)
  • The FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008)
  • The FFIEC IT Outsourcing Technology Services Booklet
  • The FFIEC IT Information Security Booklet
  • The Technical Assistance Video on Outsourcing Technology Services (FIL-19-2016)
  • The Bank Technology Bulletin on Outsourcing (FIL-50-2001)
  • The Bank Service Company Act (FIL-49-99)

The FDIC’s letter serves as a reminder to the industry that federal banking regulators will continue to scrutinize relationships with technology service providers. Even with the increased compliance burdens noted above, the latest fintech wave within the industry has proved that financial institutions find it worthwhile to enter into partnerships with technology service providers. Banks participating in this fintech wave should, at a minimum, establish a first line of defense against regulatory scrutiny by including effective protections in their technology service provider contracts.

Business continuity and incident response checklist for banks

  1. Is business continuity and data incident response planning a part of your compliance management system, and are there clear policies for compliance with these obligations?
  2. Do business continuity and data incident response matters constitute a portion of your bank’s risk assessments?
  3. Are qualified and knowledgeable individuals assigned to oversee the bank’s business continuity and data incident response programs?
  4. Has the bank discussed with its insurance provider its coverage for claims relating to data breaches occurring with one of the bank’s vendors?
  5. Are procedures in place for
    • Updating business continuity and data breach plans?
    • Conducting diligence on third-party vendors regarding business continuity and data breach response?
    • Evaluating the risks posed by third-party vendor relationships to the bank, including a determination of appropriate financial penalties to the vendor, indemnification obligations and/or insurance requirements?
    • Conducting a business impact analysis, or BIA, for each vendor relationship, including an analysis of mechanisms to back up data for business continuity in the event of failure?
    • Developing a business resumption or fail-over mechanism for services provided through third-party vendors?
    • Including business continuity and data breach obligations in third-party vendor contracts?
    • Periodically testing, reviewing or auditing third-party vendors for compliance?
    • Documenting the four steps of the vendor management process: (1) assessment of needs and risks, (2) diligence, (3) contract structuring and review and (4) oversight?
  6. Has the bank developed clear minimum business continuity planning standards for its vendors and minimum data security standards for different classes of vendors? As part of this, has the bank developed minimum testing or third-party audit standards for vendors that it deems higher risk?
  7. Does the bank have a data breach incident response plan, developed in cooperation with its insurers and attorneys to satisfy customer notice obligations, remediation obligations (short- and long-term), and investigation requirements and root cause analysis?

Brad Rustin and Samer Roshdy are attorneys in Nelson Mullins’ Greenville, S.C., and Atlanta offices, where they advise financial services companies on a wide range of regulatory, risk management and compliance issues.
