Ask the Guru: Vendor vs. Service Provider


Hey Guru
I recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider.  His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them.  He suggested that we should be focused instead only on those few key providers that pose the greatest risk of identity theft.  Our approach has always been to assess each and every vendor.  Is this a new approach?


I don’t think so, although I think I know where the examiner is coming from on the vendor vs. service provider distinction.  First of all, let’s understand what is meant by a “service provider”.  The traditional definition of a service provider was one who provided services subject to the Bank Service Company Act (BSCA), which dates back to 1962.  As defined in Section 3 of the Act, these services include:

“…check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”

But lately the definition has expanded well beyond the BSCA, and today almost anything you can outsource can conceivably be provided by a “service provider”. In fact, according to the FDIC, the products and services provided can vary widely:

“…core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers.”

Furthermore, in a 2010 interview with BankInfoSecurity, Don Saxinger (Team Lead – IT and Operations Risk at FDIC) said this regarding what constitutes a service provider:

“We are not always so sure ourselves, to be quite honest…but, in general, I would look at it from a banking function perspective. If this is a function of the bank, where somebody is performing some service for you that is a banking function or a decision-making function, including your operations and your technology and you have outsourced it, then yes, that would be a technology service that is (BSCA) reportable.”

Finally, the Federal Reserve defines a service provider as:

“… any party, whether affiliated or not, that is permitted access to a financial institution’s customer information through the provision of services directly to the institution.   For example, a processor that directly obtains, processes, stores, or transmits customer information on an institution’s behalf is its service provider.  Similarly, an attorney, accountant, or consultant who performs services for a financial institution and has access to customer information is a service provider for the institution.”

And in their Guidance on Managing Outsourcing Risk:

“Service providers is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”

So access to customer information seems to be the common thread, not necessarily the services provided. Clearly the regulators have an expanded view of a “service provider”, and so should you. Keep doing what you’re doing. Run all providers through the same risk-ranking formula, and go from there!

One last thought…don’t get confused by different terms. According to the FDIC, as far back as 2001, other terms synonymous with “service providers” include vendors, subcontractors, external service providers (ESPs) and outsourcers.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

2 comments

  1. I look at this by defining vendor first, then everything else is a service provider. A vendor is someone or some business that sells a commodity, such as paper, pens, copy machines, desks, etc. Another common attribute is that the bank can easily move to other vendors as there is often healthy competition with “vendors” and no agreements that bind the bank with a vendor contractually as is most often the case with a service provider.

    While logically there is usually little risk associated with vendors, this does not mean all vendors pose little risk and therefore no risk assessment should be done. I think very little time is needed to assess the risk with vendors in order to have an accurate assessment. Maybe what the examiner is getting at has less to do with the resources devoted to risk assessment, but resources devoted to mitigating strategies. I have seen some instances where a bank will try to develop a plan to mitigate risk even when the risk is very small, as is usually the case with a vendor. In the past, some examiners would make recommendations on anything on a checklist, but more recently my experience has shown the examiners are more aware of the reality of a bank’s limited resources and recommend focusing on those areas posing the highest risk, and prioritizing risks and the subsequent mitigating strategies.

    1. Thanks for the comment Garry. I like your approach to the vendor vs. service provider question, and agree that ultimately the main concern should be focusing on the risk. More inherent risk should equal more controls…and more resources allocated to mitigation. But what I’m seeing now with the recent release of vendor management guidance from both the OCC and the Fed is a blurring of the traditional definition of a vendor and a service provider. There just doesn’t seem to be a distinction now, so ALL third-party relationships have to be risk-assessed. Granted, the vast majority will likely fall into the lowest risk category, but that doesn’t relieve you from the obligation to assess them all. Vendor vs. service provider has become a distinction without a difference.
