FDIC Reports on Risks for Financial Institutions Contracting with Technology Service Providers
On April 2, 2019, the FDIC reported on the risks for financial institutions that contract with technology service providers.
Financial institution boards of directors and senior management are responsible for overseeing risks with respect to relationships with technology service providers. The FDIC highlighted that recent examinations found that certain contracts with technology service providers lacked adequate detail relating to the contract parties' "rights and responsibilities" for "business continuity and incident response." The FDIC stated that financial institutions "remain responsible for assessing those risks and implementing appropriate mitigating controls."
Commentary
"No man is an island entire of itself, every man is a piece of the continent, part of the main." - John Donne. The meditation concludes "And therefore never send to know for whom the bell tolls; it tolls for thee."
Without defiling the concept of the poet overmuch, the same concept applies to technology. It's all interwoven and interdependent. Banks and regulated financial institutions are dependent on software provided by third parties. If that third-party software goes down, the regulated financial institutions will feel the pain. And there's no getting around this interdependence issue. No firm can be self-contained in its technology.
This interdependence has significant ramifications for the potential direction of financial regulation. Regulated entities are increasingly dependent upon, and interdependent on, technology provided by unregulated third-party technology firms. Will Congress and the financial regulators be content with market forces as the best means to pressure these technology firms to provide the most resilient services or will they opt for more direct oversight? See also House Financial Services Task Force Considers Regulation of Cloud Service Providers.
Commentary
Financial institutions rely on outsourcing to third parties' technologies for the performance of material operations. It is incumbent upon financial institutions to not only assure that the contracts are sufficient at signing, but also that there are procedures in place that allow the institutions to regularly monitor contract performance and the stability of service providers. That would enable institutions to continue in operation in the event of a failure of service providers, whether under contract or generally.