Contracts for Third-Party Services
As with all outsourced financial services, institutions must have a formal contract with the TSP that clearly addresses the duties and responsibilities of the parties involved. In the past, some institutions have had informal security expectations for software vendors or Internet access providers that were never committed to writing. This lack of clearly assigned responsibilities and consensus has led to breakdowns in internal controls and allowed security incidents to occur. The IT Handbook's "Outsourcing Technology Services Booklet" lists detailed contract recommendations for TSPs. Institutions should tailor these recommendations to e-banking services as necessary. Specific examples of e-banking contract issues include:
- Restrictions on use of nonpublic customer information collected or stored by the TSP;
  (Footnote: Required in each of the Agencies' privacy regulations. The regulations are comparable to and consistent with one another. See 65 Federal Register 35,162 (June 1, 2000) (Board, FDIC, OCC, OTS); 65 Fed. Reg. 31,740 (May 18, 2000) (NCUA); 12 CFR Parts 40 (OCC), 216 (Board), 332 (FDIC), 573 (OTS), and 716 (NCUA).)
- Requirements for appropriate controls to protect the security of customer information held by the TSP;
  (Footnote: Described in the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information" (guidelines). See 66 Federal Register 8616 (Feb. 1, 2001); 12 CFR Part 30, app. B (OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (Board); 12 CFR Part 364, app. B (FDIC); 12 CFR Part 570, app. B (OTS).)
- Service-level standards such as website "up-time," hyperlink performance, customer service response times, etc.;
- Incident response plans, including notification responsibilities, to respond to website outage, defacement, unauthorized access, or malicious code;
- Business continuity plans for e-banking services including alternate processing lines, backup servers, emergency operating procedures, etc.;
- Performance of, and access to, vulnerability assessments, penetration tests, and financial and operations audits;
- Limitations on subcontracting of services, either domestically or internationally;
- Choice of law and jurisdiction for dispute resolution and access to information by the financial institution and its regulators; and
- For foreign-based vendors or service providers (i.e., country of residence is different from that of the institution), in addition to the above items, contract options triggered by increased risks due to adverse economic or political developments in the vendor's or service provider's home country.
Due Diligence for Outsourcing Solutions
Oversight and Monitoring of Third Parties