Contracts with tech service providers often lack ‘sufficient detail,’ agency warns

Some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties’ respective rights and responsibilities for business continuity and incident response, the federal insurer of bank deposits said Tuesday in a letter.

In its Financial Institution Letter (FIL) 19-2019, the Federal Deposit Insurance Corp. (FDIC) recent examinations it has conducted have noted the insufficient detail. “When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls,” the agency stated.

More specifically, the FDIC pointed out that banks, thrifts and other financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.

The agency letter reminds banks and others that their boards of directors and senior management are responsible for managing risks related to relationships with technology service providers, and that effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.

FDIC FIL-19-2019: Technology Service Provider Contracts