Exams or Audits

 View Only

  • 1.  Notification to regulators on critical third parties

    Posted 07-05-2022 06:25 PM

    We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.

    What guidance are all of you following and what new "critical providers" are you notifying to the regulators.  Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?

    Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC.  So far the only guidance i see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services. 

    Curious to learn what you all are doing out there?

    Thanks 



  • 2.  RE: Notification to regulators on critical third parties

    Posted 07-06-2022 06:52 AM

    I have a couple of thoughts-

     

    First is that a critical vendor shouldn't be something that you're adding to the Vendor stable on a regular basis.

                    Critical is defined by your vendor policy, of course, but to borrow from my understanding, a critical vendor is broadly one that, if they were to disappear tomorrow, your institution would be unable to function.  That means critical vendors are Core Banking providers, if you are one that uses a vendor like Fiserv, for example.

     

    As far as who sends out the notices, I would pitch that to Compliance. InfoSec is not generally a public facing department, nor is Vendor Management.

                    Compliance may/should have the infrastructure to put together a general release, and a process to disseminate information in a manner consistent with the organization's messaging.

     

     

     

    Thanks,

          Dave

     

    David Howe, CCUFC

    Chief Information Officer

     

     

     

     






  • 3.  RE: Notification to regulators on critical third parties

    Posted 07-06-2022 09:14 AM
    Thanks David.  This is very helpful.

    I agree that reporting should be within compliance. This gives me some good information to take back to the team to discuss on streamlining our process internally.
    Original Message


  • 4.  RE: Notification to regulators on critical third parties

    This message was posted by a user wishing to remain anonymous
    Posted 07-06-2022 08:01 AM
    This message was posted by a user wishing to remain anonymous

    For FDIC guidance on the notification requirement in the Bank Secrecy Act see FIL-49-99


  • 5.  RE: Notification to regulators on critical third parties

    Posted 07-06-2022 08:41 AM
    Hi,  

    It is not the Bank Secrecy Act, it is the Bank Service Company Act they are referring to.  You can find the FIL herehttps://www.fdic.gov/news/financial-institution-letters/1999/fil9949.html 

    Basically what we do, is that at the end of our DD for Technical Service Providers (TSP) that deals with any significant amount of NPI, or interfaces with our Core, we send them a letter notifying them of our use of that service.  If you are unsure, ask them and they will advise you whether they need notifying or not.

    ------------------------------
    Douglas Frey
    SVP, Security & Risk Management
    Information Security Officer
    ------------------------------

    Original Message


  • 6.  RE: Notification to regulators on critical third parties

    Posted 07-06-2022 09:08 AM
    Yes, Bank Service Company Act!  Thank you, this is very helpful!
    Original Message


  • 7.  RE: Notification to regulators on critical third parties

    Posted 07-06-2022 09:08 AM

    Information Classification: ll General

    The relevant FDIC guidance (although it and the illustrative examples are now quite dated) is FIL-49-99 and it speaks to the Bank Service Company Act (BSCA - 12 U.S.C. 1867) NOT the BSA.  See www.fdic.gov/news/financial-institution-letters/1999/fil9949.html for more.

     

    There is not much 'sorting or mailing of checks' getting outsourced these days but the principle remains.  I find that may organizations have not formalized the notification requirements into their third-party risk programs.

     

    Lee Beachy

     




    Original Message