FDIC Alerts Industry of Vendor Contract Gaps
On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) provided notice to all FDIC-supervised institutions that examiners have observed certain deficiencies in banks' contracts with technology service providers and that such observations are being noted in reports of examination. All depository institutions, whether subject to examination by the FDIC or another regulator, should use this notice as an opportunity to review their relationships with technology service providers and ensure vendor contracts meet regulatory expectations.
What are the FDIC's observations?
The FDIC's financial institution letter states that examiners have observed the following deficiencies in contracts between banks and technology service providers:
- Inadequate definition of rights and responsibilities regarding business continuity and incident response;
- Insufficient detail to allow banks to manage business continuity and incident response;
- No requirement for the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard;
- Insufficient detail relating to the technology service provider's security incident responsibilities (e.g., notification requirements); and
- Unclear definitions of key contract terms, which could contribute to ambiguity in the rights and responsibilities of the parties.
What does this mean for your bank?
Ensuring that the bank's contracts with its third-party vendors adequately address business continuity and incident response risks, as well as other regulatory expectations communicated through numerous agency publications and regulations, could save the bank from criticisms in its next examination and enhance the resiliency and safety and soundness of the institution. The FDIC's financial institution letter serves as an important reminder for banks to review such contracts, with a particular focus on higher-risk relationships, such as core software providers or relationships that are governed by long-term contracts or contracts subject to automatic renewal.
The FDIC also reminds banks of their statutory obligation to provide written notification to their regulator of certain service relationships within 30 days of entering into the contract or from the performance of the service. Notification is required for any relationship relating to permissible bank service company activities (e.g., check and deposit sorting and posting, computation and posting of interest, bookkeeping, accounting, mobile banking services). To assist banks in complying with the notice requirements, the FDIC developed FDIC Form 6120/06, Notification of Performance of Bank Services.
* * *
Banks interested in assistance reviewing the adequacy of their existing contracts, negotiating new vendor contracts, or identifying which vendor relationships require notification to their regulators are encouraged to contact any of the authors listed below or your Arnold & Porter contact.
© Arnold & Porter Kaye Scholer LLP 2019 All Rights Reserved. This advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.