The FDIC Advisory Committee on Community Banking meeting in July 2013 included an extensive discussion of the responsibility of banks in ensuring that their vendors consistently meet privacy and other information security regulations and requirements. ((Established in May 2009, the Advisory Committee on Community Banking discusses and provides input to the FDIC on a wide variety of topics, including current examination policies and procedures, credit and lending practices, deposit insurance assessments, insurance coverage and regulatory compliance.)) One of the greatest takeaways from these committee sessions is that while regulators examine financial services vendors that contract for core bank services or other third-party services covered under the Bank Service Company Act, they are not allowed to report their findings directly to the banks that contract with these vendors. ((The Bank Service Company Act of 1962 requires insured financial institutions to notify regulators of relationships with certain third-party agencies. This notification helps alert the government to potential security violations and conflicts of interest.)) The Committee advised that banks need to do more due diligence to determine that their vendors are capable of meeting their compliance obligations, adding additional auditing of their third-party relationships.
The serious need for more effective due diligence is evidenced by the 2011 case of a hacker break-in at Fidelity National Information Services (FIS). FIS reportedly found no red flags through its due diligence, but ultimately suffered a significant data breach. The recent (June 2013) disclosure that this breach was far more extensive than FIS had previously revealed “highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.” ((FDIC: 2011 FIS Breach Worse Than Reported.)) Given that FIS provides a range of services to more than 14,000 financial institutions in over 100 countries, the impact of this breach is quite significant. According to the Advisory Committee on Community Banking, financial institutions can be more effective and proactive in ensuring that vendors identify and address security gaps by making their monitoring procedures more thorough:
1. Requesting reports from their vendors on all audits and examinations on an ongoing basis.
2. Carefully and regularly reviewing these reports.
3. Ensuring that contract language covers all regulations and requirements that vendors must meet to allow institutions to remain in compliance at all times.
Well-designed due diligence can help drive vendor compliance: demanding that a high standard of accountability be maintained by all vendors encourages the industry to hold its members accountable. Up-front investments in improving vendor monitoring will also make companies less likely to select a vendor that would later be costly to replace. Your organization can begin to accomplish both goals by:
- Establishing a company-wide culture of dedicated, forward thinking due diligence.
- Establishing a contracting process that includes automated audit request and reporting review.
- Training all employees on security and privacy issues and processes.
- Reinforcing training with ongoing awareness emails and other postings.
Dedicating the appropriate level of resources to vendor risk assessment becomes a winning proposition for financial institutions, vendors, and customers alike.
Santa Fe Group Consultant and Shared Assessments Program Director Brad Keller has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad.