In an interview with Don Saxinger at bankinfosecurity.com, the head of IT examiner oversight addresses vendor management. Here is my summary of that interview:
Do not look for the FDIC to change, or even update, guidance on vendor management. The FDIC feels that the current guidance is broad enough to address concerns over new technology such as cloud computing, mobile banking, social media, etc.
Regarding social media, you must evaluate the provider the same as any other service provider.
Regarding “what is a vendor?”, he referred to the Bank Service Company Act. This stipulates that if the vendor provides a “banking function” to the institution, that vendor relationship needs to be reported to the regulators. “Banking functions” are defined as:
- Check and deposit sorting and posting
- Computation and posting of interest and other credits and charges
- Preparation and mailing of checks, statements, notices, and similar items
- Any other clerical, bookkeeping, accounting, statistical, or similar functions
IT is only one of the layers necessary to support a business process.
To ensure proper vendor management, refer to the examination guidelines found in the back (usually Appendix A) of every FFIEC IT Examination Handbook, specifically the Outsourcing and the Management handbooks.
Improper management of vendor risks can result in lower examination ratings.