FDIC on Improving Vendor Management

Cloud, Mobile Banking Models Need Extra Scrutiny
As banking institutions prepare for the passage of supplemental online authentication guidance from the Federal Financial Institutions Examination Council, one FFIEC member agency says banks now need to focus more attention on vendor management.

During an exclusive two-part interview with Information Security Media Group, Donald Saxinger, senior examination specialist with the Federal Deposit Insurance Corp., says banking regulators are relying on existing guidance when they conduct examinations to review vendor management programs. But they also are more closely monitoring service level agreements and contracts that touch relationships with third-party vendors in emerging technology areas such as cloud computing, mobile banking and mobile payments.

"You need to have a proven methodology for tracking and reporting on all of these relationships," Saxinger says. "The cloud has gotten pretty complicated, when it comes to tracking where your data actually is. With cloud computing, we're still in the learning phase. There are so many cloud computing providers out there, it's hard to lock down standards."

Pointing to vendor management guidance issued in June 2004, "Outsourcing Technology Services," Saxinger says financial institutions can still glean valuable insight into what regulators expect, what benchmarks vendors should set and what banks themselves should be doing internally to ensure they sufficiently assess risks and ensure due diligence in their contracts with third parties.

"Examiners use the booklet to conduct exams, banks use it for self assessment and vendors or providers use it to ensure they are complying with what the regulators want," he says. "It covers the basic areas we think financial institutions should address or cover in their service agreements. It takes a risk management approach."

But Saxinger also suggests banking regulators will look beyond existing guidance, since emerging technologies, especially in the mobile arena, are not specifically addressed.

Emerging Tech and Unknown Risks

"Mobile has some specific challenges because it's so new," Saxinger says. "So, do you manage that as a vendor? If you're going into that, into mobile, you have to deal with more players than just the core provider. It becomes a lot more complicated for a financial institution to understand the security."

Agreements and contracts with cloud providers and mobile payments vendors are not likely to include the same protections included in the traditional core-processor agreements banks have grown accustomed to, Saxinger says. "In mobile banking, application security is a concern. There's a question of trust: Who's developing these applications?" he says. "There's not always a lot of vetting of these vendors, especially in an indirect banking model."

New Views on Mobile, Cloud

Saxinger's view in 2011 has evolved from the view he shared in October 2010, when he said emerging technology should be viewed in light of existing mandates and regulatory guidance. [See FDIC on Vendor Management.] Then, Saxinger said existing guidance provided adequate guidelines for vendor management, even when it touched emerging fields like mobile and social networking. "We get questions on cloud computing, social media or mobile banking," he said. "Our response is, 'Well, what does the existing vendor management guidance say? If you can fit it within that, then you can use that technology or service, and just follow the existing guidance.'"

Regulators still must look to existing guidance, but Saxinger now suggests regulators are broadening their perspective about emerging technologies, and they're honing their assessments on unknown risks. Privacy is a concern, he says, one that veils not only mobile banking and payments, but the cloud as well. "The same technology that can be used to improve security is also a security risk," Saxinger says.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
