Compliance Insight with David Schneier

Outing the Shortcomings in Outsourcing

With all due respect to the pugilist fan base still out there, the FDIC used a classic left-right combo this past week aimed squarely at the jaw of the third-party service provider community.

First Sheila C. Bair, the Chairman of the FDIC, touched on emerging guidance regarding third-party service providers in her report to the U.S. Senate last week, and then the FDIC issued the referenced guidance the next day. This follows on the heels of the OCC Bulletin (2008-16) which targets application security, including third-party service provider offerings.

Anyone else getting the feeling that things are about to change for the third-party vendor market place?

I still recall my first engagement in the small and mid-sized financial institution space. I was surprised by how much of the client's application portfolio was comprised of vendor products and services. It was different from much of what I'd known from my Fortune 500 experience. What surprised me all the moreso was how little scrutiny was placed on these vendors, how they conducted business (e.g. develop and test software, security controls, data accuracy etc.). As well, there was little in the way of service level agreement language in the contracts. And where there was, there was an absence of any formal monitoring. It seemed to me at that time that it was all about purchasing functionality at a certain price-point, and that was about the extent of the selection process. And I've found this to be true for most of the clients I've worked for in the time since.

But, again, all of this is about to change.

Having a well-designed, thorough and dynamic program to select and manage third-party vendors is now expected. It will be expected by the agencies that govern the banking and credit union industry; it will be expected by their examiners when they conduct their fieldwork; and it will be expected by the various entities that conduct audit and assessment work. It won't be just about having a SAS 70 or copies of the contract on file. Those days are gone forever. Going forward, financial institutions will need to actively monitor the key components of their agreements with vendors, they will need to know when goals are met, when they aren't, when key indicators governing the relationship change (e.g. if a vendor files for bankruptcy). Initially this will likely place a burden on the smaller institutions, but over time I suspect that contracts will evolve to the point where the vendors themselves become responsible for shouldering much of the load. Eventually they'll be sending out monthly, quarterly or semi-annual reports that will feed into my clients' tracking programs, and much of the work will become automated.

Regardless of how this plays out, this potential knock-out blow by the FDIC will result in real risk being managed more effectively by the very institutions to which we trust our money and credit data. This is work well worth doing.

About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.