One of the biggest risk trends for banks to watch in the coming years will be the risks arising from the outsourcing of information technology. Banking supervisors, as well as the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission, have all brought enforcement actions related to vendor management. When relationships with IT vendors are not properly managed, costly litigation with the vendors themselves can also result.
Recently, the FDIC released a 45-minute video designed to assist community bank directors and senior management in developing a vendor management program when outsourcing technology services. Among the topics covered in the video are:
- Risk assessment
- Due diligence
- Negotiating the written contract
- Monitoring
Particularly important for managing enforcement action and private litigation risk are the provisions that should be included in the written contract with the vendor. Key provisions sometimes overlooked are requirements related to government regulation (including CFPB regulations), such as requirements for specific internal controls, for audits, and for adherence to all regulatory guidance applicable to banks, even if not directly applicable to the vendor.
Focusing directly on litigation risks, the FDIC video also notes that banks should negotiate provisions on termination, indemnification, and dispute resolution. Banks are also required to notify their primary federal regulator of the outsourcing relationship within: (a) 30 days of entering into the contract, or (b) performance of the service, whichever occurs earlier.
The FDIC’s video can be viewed below.