Client Alert: New FDIC Guidance on Technology Service Provider (TSP) Contracts
- Review your bank’s policies to ensure that relationships with Technology Service Providers (“TSP”) are sufficiently vetted by management and overseen by the board.
- Assess your bank’s existing TSP contracts to ensure compliance with current TSP and third-party vendor management guidelines.
- For all potential TSP contracts and renewals of existing contracts, negotiate robust protections for the bank, especially in connection with business continuity and data security.
FDIC FIL-19-2019 – Technology Service Provider Contracts
The FDIC recently issued FIL-19-2019 regarding Technology Service Provider Contracts, which can be found at: https://www.fdic.gov/news/news/financial/2019/fil19019.html. The letter addresses deficiencies FDIC examiners found in many TSP contracts that, among other things, insufficiently addressed business continuity risks and data breach/cyber security incidents. We have observed the FDIC (and other bank regulators) raise these issues in recent exams. The topic is especially timely and critical in light of the growth of FinTech relationships, which often contain a TSP element.
The principles enunciated by the FDIC in FIL-19-2019 involve both the contractual issues examiners identified and the necessity of proactive risk management. Even if the FDIC is not your bank’s primary federal regulator, these principles are indicative of the evolving expectations in this area.
The FDIC’s guidance focused on contractual inadequacies, including:
- Absence of a requirement for the vendor to maintain a business continuity plan (with established recovery standards and defined remedies if standards are not met);
- Lack of defined procedures if a service disruption or security incident occurs; and
- Vague and unclear terms outlining the bank’s rights and the service provider’s responsibilities in the event of a service disruption or security incident.
Proactive Risk Management
A bank’s directors and senior management retain primary responsibility for overseeing and managing the risks that accompany technology outsourcing relationships. Accordingly, whether a TSP relationship is new or has been in place for some time, banks are encouraged to take the following measures:
- Ensure that TSP contracts adequately address business continuity and incident response risks;
- Assess gaps in existing agreements, including those arising from the absence of clearly defined terms or specific requirements concerning business continuity and incident response provisions, to avoid confusion in the future; and
- Implement compensating controls to mitigate any risks resulting from gaps in contractual continuity and incident response provisions.
TSP contracts are frequently offered to banks with little time to properly vet them from due diligence, regulatory, and legal standpoints. Don’t let that happen. Your bank needs to follow best practices in managing TSP relationships to ensure contractual protections and adequate risk oversight and compliance.
We Can Help You
Please contact us to review your bank’s current and potential TSP contracts, whether you are considering a new TSP relationship, renewing an existing TSP contract, or want to discuss how to address an existing TSP relationship in light of the FDIC’s guidance.
We have addressed trends in this area in recent Client Alerts regarding TSPs, third-party vendor management, and FinTech relationships:
- Client Alert: FinTech Regulatory Update – Bank & FinTech Agreements
- Client Alert: Working with a FinTech? – 5 Things to Know
- Client Alert: Updated Regulatory Risk Management Guidance
- FinTech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters
- Client Alert Update: FinTech & Bank Partnerships