What do Social Media, Cloud Computing, Virtualization, Data Vaulting, Mobile Banking, and Core Services have in common? For most community financial institutions, all these products or technologies involve outsourcing, either wholly or in part.
When it comes to offering the latest products and services, outsourcing allows even the smallest institution to compete with the largest. And outsourcing makes sense, because it means that you don’t have to build and maintain the infrastructure yourself. As the FFIEC stated in their 2004 guidance “In many situations, outsourcing offers the institution a cost effective alternative to inhouse capabilities.” But the FFIEC also makes it clear that you are still responsible for the security of the data wherever it may reside. So given the increased reliance of financial institutions on outside vendors, and the regulators’ expectations, my third regulatory compliance trend for 2011 is:
This is based on the following criteria:
- A recent interview with the head of regulatory compliance with the FFIEC made it clear that new technologies like social media require overwhelming reliance on third parties.
- The FDIC changed Part 5 of their IT Examiners Questionnaire from GLBA to Vendor Management
- The largest recent data breaches were with third-party vendors (i.e. Heartland), not the financial institution itself.
- The Bank Service Company Act requires financial institutions to report all service provider relationships that directly support banking functions. IT vendors are one of the dependency layers that supports the business process, and as such MAY qualify as a direct support component. I addressed this here.
I had this as a trend for 2010, and I’m carrying it over for 2011 as well. I believe that there are some very compelling reasons why the regulators will (and should) increase scrutiny in this area as asset quality issues abate. In the meantime, don’t wait. Update your vendor management program now. Include an analysis in your vendor risk assessment to determine if the vendor should be considered “reportable” under the Bank Service Company Act.
And as you request their third-party reviews, bear in mind that the vendor management process will be a bit more challenging this year with the phase-out of the SAS 70 report. There is some speculation that the new SSAE 16 will become the functional replacement, but be prepared to review and interpret whatever report the vendor provides you.