Background

In a recent interview with BankInfoSecurity, Jeff Kopchik of the FDIC made clear the expectations for banks re: third-party service providers and compliance with the new FFIEC Authentication Guidance.

"The agencies have said many times - and authentication is no different - that it's the financial institution that's ultimately responsible for bringing itself into conformance with the guidance," says Kopchik, one of the principal authors of the guidance. "The buck stops at the financial institution's desk."

For several of the larger banking vendors, the federal regulators conduct their own examinations to ensure compliance. But for the majority of service providers, the responsibility is the banking institution's to ensure that products and services all align with regulatory expectations. This due diligence requires institutions to:

• Sit down with core vendors and ensure mutual understanding of the FFIEC Authentication Guidance;
• Gap analysis to determine which products/services do not currently bring the institution into conformance;
• Creation of a strategic plan with milestones to ensure conformance prior to 2012 regulatory exams.

But two challenges that institutions frequently encounter are:

• What are the specific questions I need to ask my vendors re: FFIEC Authentication Guidance?
• What information will my vendors not offer up unless I know to ask?

To assist you with this due diligence, Philip Alexander, an information security officer at a major U.S. financial institution, will share with you the vendor management tricks he's learned in years of overseeing such relationships for one of the nation's largest banking institutions.

In this exclusive two-part series, Alexander will tackle several key vendor management topics, including:

• Security reviews;
• Vendor's own regulatory compliance;
• Vendor's financial stability;
• Use of 4th-party service providers;
• Liabilities in the event of a breach.