February 17 by Patrick Wolf
Excerpts from a staff article in the ABA Banking Journal
Few banks’ contracts with technology service providers (TSPs) provide sufficient detail about the providers’ business continuity and incident response capabilities and duties, according to a report issued today by the FDIC’s independent inspector general. The report also found shortfalls in banks’ assessments of how providers could affect the banks’ own ability to plan for business continuity and incident response.
In response, the FDIC said it would work with other Federal Financial Institutions Examination Council agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management. Anecdotal reports from banks indicate that examiners are increasingly focusing on technology provider risk management. The report expressed concern that some banks “may not be sufficiently knowledgeable about or engaged in contract management” and would thus “attempt to transfer their inherent responsibility for [bank] continuity and information security to TSPs,” which the IG said will require examiners’ continued focus.
The report, issued after a review of 48 technology vendor contracts, found that nearly half included no discussion of business continuity. Forty-two percent included a “detailed” discussion, and 10 percent included only a “high-level” discussion. “Contract provisions that more specifically detail key business continuity issues could provide [banks] greater assurance that critical systems, services, and operations will be recovered and resumed timely and effectively when operations have been unexpectedly disrupted,” the report found.
Read the full article in the ABA Banking Journal.