Blog: FDIC

On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) released a new financial institution letter (FIL-19-2019) called "Technology Service Provider Contracts."

Why was this guidance published?

When FIL-19-2019 was published, it had been five years, almost to the date, since the last vendor management guidance was released by the FDIC (see FIL-13-2014, published on April 7, 2014). Presumably, it was a good time for a reminder about vendor management expectations.

In addition, the guidance stated FDIC examination findings recently noted some financial institution contracts with Technology Service Providers (TSPs) lack sufficient detail around business continuity and incident response.

What does it mean when the guidance states "contracts do not adequately" address some risks?

In recent exams, the FDIC was looking for a few key areas to be covered in TSP contracts, but the contracts did not always meet those expectations. Missing items included:

  • A Business Continuity Plan (BCP): Contracts should require TSPs to have a BCP and acceptable recovery standards.
  • Remedies: Contracts should include assurance of compensation if a business disruption occurs and the TSP fails to restore services in the established timeframe.
  • Notification Requirements: Contracts should define who the TSP should contact (e.g., the financial institution, regulators, law enforcement, etc.) and in what timeframe, if an incident occurs.
  • Key Terms: Contracts should define what constitutes a "business disruption" or an "incident," since rights and responsibilities could be debatable without clear definitions.

How can you ensure TSP contracts are "adequate?"

It would be beneficial for you to review your TSP contracts again with these items in mind, especially if they are long-term or automatically renewing contracts. If your existing contracts are not sufficient in these areas, it is important to note that the financial institution is still responsible for assessing and applying controls to mitigate the risk.

What controls can you apply to ensure you are covered?

In vendor management, your primary control is performing adequate oversight, which is something you should already be doing. The FDIC seems to recognize this since a significant percentage of the FIL recaps guidance that already exists.

For more specific recommendations though, if your contract with a TSP does not clearly define business continuity and incident response requirements:

  • Request and Review Their BCP: Find out if your TSP actually has one and if they'd be willing to share it with you. You don't necessarily need their whole BCP; you just need to know that they have a plan and it is routinely tested.
  • Update Your BCP: If the TSP does not have a BCP or you find it inadequate, it is the financial institution's responsibility to compensate. Update your BCP to describe how you would continue to offer services to your customers or members if your TSP's services are unavailable.
  • Conduct More Frequent Reviews: Whatever the contract says, it is important to periodically confirm the TSP is holding up their end of the deal. You may want to assess this more often if the contract is weak in the areas of business continuity and incident response.
  • Renegotiate the Contract: Depending on the financial institution's risk tolerance, if the contract is deemed "inadequate," it may benefit the financial institution to consider renegotiation or an alternative TSP.

In Summary

Contracts with TSPs should address business continuity and incident response. The FDIC recommends financial institutions contractually require the TSP to have a BCP, as well as contractually define remedies, notification requirements, and key terms.

If existing TSP contracts do not stipulate these items, you should consider additional oversight options, such as requesting and reviewing their BCP documentation, updating your BCP, reviewing the TSP more frequently, or renegotiating the contract.

Does CoNetrix have anything that can help with this?

Absolutely. The Tandem Vendor Management software includes suggested significance questions, designed to help you determine if you need BCP documentation from your vendors. The module also includes a contract review template, designed with business continuity and incident response in mind. Learn more about Tandem Vendor Management.


 

Many people received a phishing e-mail with the Subject "FDIC has officially named your bank a failed bank" yesterday appearing to come from the FDIC.  The text from the fraudulent e-mail would appear something like:

You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
  • Visit FDIC website: (a fraudulent link was provided here)
  • Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

It appears this is a new phishing attack where the intent is to attempt to collect personal or confidential information. Recipients of this e-mail should be warned of its nature and encouraged NOT to follow any of the links from the e-mail.

Here is the link to the FDIC Consumer Alert published October 26, 2009 - http://www.fdic.gov/consumers/consumer/alerts/


 

The FDIC Board of Directors just concluded their special meeting to discuss the Special Assessment Final Rule. The FDIC Board elected to change the following:

  1. Reduce the rate used to calculate the special assessment;
  2. Change the base used to calculate the special assessment;
  3. Cap the amount of the special assessment;
  4. Reduce the rate used to calculate any additional special assessment or assessments that become necessary;
  5. Change the base used to calculate any additional special assessments or assessments that become necessary;
  6. Cap the amount of any such additional special assessment; and,
  7. Terminate authority to impose any additional special assessment under this Final Rule on January 1, 2010.

This reduces the initial proposed assessment of 20 points (.20/per $100 of insured domestic deposits) to .05bp of total assets minus capital. This change is substantial for community banks, since now the majority of the recapitalization will be placed on larger regional and national megabanks.

To read the final rule, visit http://www.fdic.gov/news/board/May22no2.pdf


 

The FBI, the U.S. Postal Inspection Service, and state and local authorities are investigating more than 60 threatening letters that have been received by financial institutions in Arizona, California, Colorado, Georgia, Illinois, New Jersey, New York, Ohio, Oklahoma, Texas, Virginia, and Washington, D.C. The letters began to be received on Monday, Oct. 20, 2008, and appear to all be originating from Texas - all have been postmarked in Amarillo, TX. Most of these letters contain a powder substance with a threatening communication. At this point, field and laboratory tests on the powder have been negative; however, additional testing is taking place.

To see a copy of one of the letters, visit http://www.fbi.gov/page2/oct08/threatletters_102308.html

 


 
 

The following Special Alert was released by the FDIC concerning e-mails being sent that claim to be from the FDIC. These e-mails are attempting to trick recipients into installing unknown software on personal computers. The subject line of the messages is: "Funds wired into your account are stolen." Here is a copy of the FDIC's Special Alert:

The FDIC is aware of e-mails appearing to be sent from the FDIC that ask recipients to open and review an attached file. Currently, the subject line of the e-mail states: "Funds wired into your account are stolen." The e-mail is fraudulent and was not sent by the FDIC.

The fraudulent e-mail tells the recipient that proceeds from identity theft crimes have been wire-transferred into their bank account. The e-mail then directs the recipient to open and review an attached copy of their bank account statement and to contact their bank account managers.

The attached file is actually an executable file containing malicious code or software. Recipients should consider the attached file as a malicious attempt to collect online banking credentials or other personal and confidential information that could be used to gain unauthorized access to on-line banking services or perpetrate identity theft and other criminal activities.

Recipients of the fraudulent e-mail should not reply and should not attempt to open the attached file. According to reports received by the FDIC, many antivirus software programs have been detecting and removing the malicious attachment before the e-mail is delivered. However, if a recipient does open the attachment, the FDIC recommends updating anti-virus software patches and performing a complete scan of the computer and network, if applicable. If a computer becomes infected and the user encounters difficulties removing the malicious code, users should contact their anti-virus software vendor. The FDIC highly recommends using anti-virus software.

For additional information about safe online banking and avoiding online scams, visit http://www.fdic.gov/consumers/consumer/guard/.

For your reference, FDIC Special Alerts may be accessed from the FDIC's Web site at www.fdic.gov/news/news/SpecialAlert/2008/index.html.


 

The Dallas Region of the FDIC conducted a conference call today (October 8, 2008) entitled "ID Theft Responsibilities - FACTA Red Flag Guidance."  The call consisted of a presentation including an overview of the regulation and guidelines, exam procedures, and what examiners will be looking for, followed by a question and answer session.  The FDIC presenters were:

  • James Brignac, Regional Office IT Examination Specialist - Risk Management
  • Jeff Kopchik, Technology Supervision Branch Senior Policy Analyst

The call was not recorded, but attached you will find a copy of the PowerPoint slides used during the call in Adobe PDF format.

FACTA ID Theft presentation.pdf (165.52 kb)