Oversight and Monitoring of Third Parties

Financial institutions that outsource e-banking technical support must provide sufficient oversight of service providers' activities to identify and control the resulting risks. The key to good oversight typically lies in effective management information systems (MIS). For MIS to be effective, however, the financial institution must first establish clear performance expectations and, wherever possible, document them in the service contract or an addendum to it. Effective and timely MIS can alert the serviced institution to developing service, financial, or security problems at the vendor, problems that might require execution of contingency plans supporting a change in vendor or in the existing service relationship.

The type and frequency of monitoring reports needed varies, depending on the complexity of the services provided and the division of responsibilities between the institution and its service provider(s). Service providers can build MIS capabilities into the administrative modules of their application, provide on-line reports, or they can provide periodic written reports. Some examples of items that might be tracked by e-banking monitoring reports are listed below:

E-banking service availability. Reports might include statistics regarding the frequency and duration of service disruptions, including the reasons for any service disruptions (maintenance, equipment/network problems, security incidents, etc.); "up time" and "down time" percentages for website and e-banking services; and volume and type of website access problems reported by e-banking customers.

Activity levels and service volumes. Reports might include number of accounts serviced; number and percentage of new, active, or inactive accounts; breakdown of intrabank transfers by number, dollar size, and account type; bill payment activity by number, average dollar amount, and recurring versus one-time payments; volume of associated ACH returns and rejects; fee breakdown by source and type; and informational website usage by webpages viewed.

Performance efficiency. Reports might include average response times by time of day (including complaints about slow response); bill payment activity by check versus ACH; server capacity utilization; customer service contacts by type of inquiry and average time to resolution; and losses from errors, fraud, or repudiated items.

Security incidents. Reports might include volume of rejected log-on attempts, password resets, attempted and successful penetration attempts, number and type of trapped viruses or other malicious code, and any physical security breaches.

Vendor stability. Reports might include quarterly or annual financial reports, number of new or departing customers, changes in systems or equipment, and employee turnover statistics, including any changes in management positions.

Quality assurance. Reports on performance, audit results, penetration tests, and vulnerability assessments, including servicer actions to address any identified deficiencies.
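The availability and security-incident items above are only useful if the serviced institution can reproduce them from the provider's raw records rather than accept a summary figure. The following is an added example (not part of the handbook and not any vendor's reporting module) showing how such figures are derived: an uptime percentage with a per-reason downtime breakdown, clipped to the reporting period so an outage that straddles the period boundary is counted correctly, and rejected log-on and password-reset counts with a per-source breakdown. The outage records, the key=value authentication log format, the host and user names, and the IP addresses are all constructed for the example; the per-source threshold is an assumed tuning value.

```python
"""Derive e-banking availability and security-incident metrics from vendor records.

Added example. The outage list and the key=value authentication log format
below are constructed for illustration; they are not from the original page
or from any real service provider.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed outage records: (start, end, reason) as ISO-8601 timestamps.
# The last entry deliberately straddles the end of the March reporting period.
OUTAGES = [
    ("2024-03-02T01:00:00", "2024-03-02T03:00:00", "maintenance"),
    ("2024-03-10T14:05:00", "2024-03-10T14:35:00", "network"),
    ("2024-03-21T09:00:00", "2024-03-21T10:30:00", "security incident"),
    ("2024-03-31T23:30:00", "2024-04-01T00:30:00", "maintenance"),
]

# Constructed authentication log in a made-up key=value format (assumption).
AUTH_LOG = """\
2024-03-01T10:00:01 host=ebank01 event=logon result=OK user=alice src=198.51.100.7
2024-03-01T10:00:05 host=ebank01 event=logon result=FAIL user=alice src=198.51.100.7
2024-03-01T10:01:10 host=ebank01 event=logon result=FAIL user=bob src=203.0.113.9
2024-03-01T10:01:11 host=ebank01 event=logon result=FAIL user=carol src=203.0.113.9
2024-03-01T10:01:12 host=ebank01 event=logon result=FAIL user=dave src=203.0.113.9
2024-03-01T10:01:13 host=ebank01 event=logon result=FAIL user=erin src=203.0.113.9
2024-03-01T10:02:00 host=ebank02 event=logon result=OK user=bob src=192.0.2.44
2024-03-01T10:03:00 host=ebank01 event=password_reset user=alice src=198.51.100.7
2024-03-01T10:04:00 host=ebank02 event=password_reset user=bob src=192.0.2.44
2024-03-01T10:05:00 host=ebank01 event=logon result=FAIL user=frank src=203.0.113.9
"""

KV = re.compile(r"(\w+)=(\S+)")


def availability(outages, period_start, period_end):
    """Clip each outage to the reporting period and compute downtime, uptime
    percentage (2 dp) and a per-reason breakdown of downtime minutes."""
    start, end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    total_min = (end - start).total_seconds() / 60
    by_reason = Counter()
    for o_start, o_end, reason in outages:
        s = max(datetime.fromisoformat(o_start), start)
        e = min(datetime.fromisoformat(o_end), end)
        if e > s:  # outages wholly outside the period contribute nothing
            by_reason[reason] += int((e - s).total_seconds() // 60)
    downtime = sum(by_reason.values())
    return {
        "downtime_minutes": downtime,
        "uptime_pct": round(100.0 * (total_min - downtime) / total_min, 2),
        "by_reason": dict(by_reason),
    }


def auth_metrics(log_text, per_source_threshold=3):
    """Count rejected log-ons and password resets, and flag any source whose
    failed log-on count reaches the (assumed) threshold. A single source
    failing against many distinct users is the shape of a password-spraying
    attempt, which a bare failure total would hide."""
    rejected = resets = 0
    fails_by_src = Counter()
    users_by_src = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = dict(KV.findall(line))
        if rec.get("event") == "password_reset":
            resets += 1
        elif rec.get("event") == "logon" and rec.get("result") == "FAIL":
            rejected += 1
            src = rec.get("src", "unknown")
            fails_by_src[src] += 1
            users_by_src.setdefault(src, set()).add(rec.get("user", "?"))
    flagged = {
        src: {"failures": n, "distinct_users": len(users_by_src[src])}
        for src, n in fails_by_src.items()
        if n >= per_source_threshold
    }
    return {"rejected_logons": rejected, "password_resets": resets, "flagged_sources": flagged}


if __name__ == "__main__":
    print("availability:", availability(OUTAGES, "2024-03-01T00:00:00", "2024-04-01T00:00:00"))
    print("security:", auth_metrics(AUTH_LOG))
```

Run stand-alone, the script reports 270 minutes of downtime in March (99.4% uptime, with the straddling outage contributing only its 30 minutes inside the period), 6 rejected log-ons, 2 password resets, and one source (203.0.113.9) flagged for 5 failures across 5 different users. The point for oversight is the last figure: a vendor report that lists only the rejected-log-on total would show "6" and nothing about its distribution, so the expectation written into the contract should specify the breakdowns, not just the counts.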
