In my last post, I asked you to weigh in on what question you wanted me to address in this final post of the series. This one came from a bank that was in the process of actually filling out the questionnaire, and it’s a good one. It’s found in the Vendor Management section:
“Has the bank identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC (Y/N)?”
At first glance, you may be tempted to interpret this as asking “Has the bank identified and reported its MAJOR or CRITICAL service provider relationships…?”, but the question does not seem to limit your reporting requirement to a particular class or size of service provider. So are you really obligated to report ALL vendor relationships, from your core provider to your cleaning crew? Taken at face value, it would certainly seem so.
To figure out exactly what is required, you have to look at the two references listed under the question:
- “Notification of Performance of Bank Services,” FDIC Rules and Regulations 304.3, and
- 12 USC 1867, Section 7(c)(2) of the Bank Service Company Act (BSCA)
In researching this, it appeared at first that it only applied to banks that owned more than 1% of a bank service provider. But upon further review (sorry, it’s football season), Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party “shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first.” So again, this looks like ALL vendor relationships need to be reported.
However, in a recent interview at bankinfosecurity.com with Donald Saxinger (senior examination specialist with the FDIC), this exact issue was addressed in the context of reporting social media vendors. Simply put, his response was that only if the vendor provides “banking functions” does it need to be reported to the regulators. Banking functions are defined in Section 3 of the Bank Service Company Act as:
- check and deposit sorting and posting,
- computation and posting of interest and other credits and charges,
- preparation and mailing of checks, statements, notices, and similar items, and
- any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution
Using this list as a reference, only core vendors, item processors and outsourced accounting firms fall into these categories. (Whether or not IT vendors fall into this category will be addressed in a future post. Mr. Saxinger makes the point that IT vendors are one of the dependency layers that supports the business process, and as such MAY fall into one of the categories above, depending on the outcome of your risk assessment.) To be safe, since there is no penalty for over-reporting, it’s best to report all vendor relationships that even come close to fitting the definition of a bank service company.
So the correct answer is “Yes, we report all of our service provider relationships that provide banking functions to us, as well as any vendors providing a critical dependency to those service providers, as determined by our risk assessment.” Of course, make sure that you actually do report them. The FDIC form is here; other regulators may have their own reporting mechanism.