On April 2nd, the Federal Deposit Insurance Corporation sent a letter to its covered financial institutions regarding the use of technology in compliance programs. Notably, it addressed several recent trends in using technology platforms to manage risk, including:
- Little risk is transferred to third-party vendors; the institution remains responsible (and liable) for its own controls, testing, and governance
- Documenting how technology tools perform their functions (e.g. algorithms, data matching criteria, API specifications) is important
- Developing plans to continue operations during outages and downtime
- Enabling regulators to understand where technology supplements and enhances compliance functions, and how it fits within the CCO's strategic vision
Financial institution boards of directors and senior management are responsible for managing risks related to relationships with technology service providers. Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response. Recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties' respective rights and responsibilities for business continuity and incident response. When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls. Financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.