Financial Regulators Release Guidance Regarding Technology Service Providers

Financial institution executives with responsibility for the management of the technology of their financial institutions or their institution's relationship with technology service providers (TSPs) should become familiar with the updated guidance regarding supervision of TSPs by financial institutions that was issued on October 31, 2012 by various federal banking regulatory agencies.  The issuance updates material that is nearly ten years old.

The Federal Financial Institutions Examination Council (FFIEC) released a revised Supervision of Technology Service Providers booklet (TSP Booklet), part of the FFIEC Information Technology Examination Handbook (IT Handbook). The FFIEC exists to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. The TSP Booklet describes federal financial institution regulatory agencies' statutory authority to supervise TSPs that contract with federally regulated financial institutions and provides guidance for these institutions and their examiners. The TSP Booklet, which replaces and rescinds a March 2003 booklet, emphasizes that the ultimate responsibility for the conduct of third-party service providers and their compliance with applicable law and regulation lies with a financial institution's management and board of directors.

The TSP Booklet describes the federal Risk-Based Examination Priority Ranking Program (RB-EPRP) and the Uniform Rating System for Information Technology (URSIT) used in evaluating TSPs of financial institutions. The RB-EPRP uses a risk-based approach to determine the examination priority of TSPs, while the URSIT is used to consistently assess and rate IT-related risks of financial institutions and their TSPs.

Concurrently with the TSP Booklet, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency jointly released the Administrative Guidelines for the Implementation of the Interagency Program for the Supervision of Technology Service Providers (Guidelines), detailing the processes federal agencies follow to implement interagency supervisory programs and including reporting templates for examiners to use in their supervision. While the TSP Booklet provides useful guidance to financial institutions, the Guidelines are more tailored to agency managers and field examiners.

Financial institutions and TSPs must be cognizant of the risks, laws, regulations and agency guidance implicated in the outsourcing of technology services by financial institutions to third-party TSPs. Furthermore, financial institution technology outsourcing arrangements should be carefully set forth in written contracts and thoroughly reviewed by qualified legal counsel.

FFIEC Statement on Outsourced Cloud Computing

Financial institutions should apply the same risk management strategies and considerations to outsourced "cloud computing" activities as are required with more traditional forms of outsourcing, according to a statement issued July 10th by the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC's statement explains that while there is no universal definition of "cloud computing," it generally involves a migration from owned resources to shared resources, through which a user can access and receive information technology services on demand from third-parties via the online "cloud." Cloud computing can be used to provide infrastructure, computing platforms, and software, and a cloud may be operated privately by one organization, as a community cloud shared by several organizations, as a public cloud available to any paying customer, or as a hybrid combination of two or more private, community or public clouds.

Although a financial institution's use of outsourced cloud computing can have many potential benefits, such as cost reduction, flexibility and speed, the FFIEC statement indicates that the fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook (IT Handbook), particularly the Outsourcing Technology Services Booklet (Outsourcing Booklet), are as applicable to cloud computing as to other forms of information technology outsourcing. The nature of a cloud computing environment can increase the complexity of issues a financial institution may face with regard to information security, legal and regulatory considerations, and business continuity of outsourced operations. Financial institutions should perform adequate due diligence reviews, practice good vendor management, and use audits to evaluate the adequacy of a cloud service provider's internal controls, as described in more detail in the IT Handbook and Outsourcing Booklet. Bankers should seek legal advice and review of outsourcing contracts and perform careful risk assessments before deciding to deploy a cloud computing model.

Consumer Privacy After Dodd-Frank: What Bankers Need to Know

Bankers and other financial product and service providers should expect to provide their consumer customers with far greater access to information than ever before.

The financial reform law adopted last year, known as the Dodd-Frank Wall Street Reform and Consumer Protection Act, established a new financial regulatory agency known as the Consumer Financial Protection Bureau. Under Dodd-Frank, the CFPB has the authority to promulgate regulations governing the credit agency reporting practices of financial institutions, including community banks. Also, under Dodd-Frank, banks must make available to each consumer all information regarding a financial product or service such consumer has purchased, including transaction history, cost, and usage information. All of this must be made available in an electronic, usable format, which will be prescribed and overseen by the CFPB.

The CFPB will now have authority to promulgate rules related to privacy and data security under the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act and the Financial Privacy Act. Under Dodd-Frank, the CFPB is authorized to promulgate rules "identifying as unlawful, unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service." The portion of CFPB authority focusing on abusive acts or practices is new in the consumer protection world—giving the CFPB broad authority to regulate in a completely undeveloped area of the law.

All these privacy and data security regulatory changes, some of them known and others forthcoming, will potentially mean large changes in the information storage and transmission practices of all financial institutions. Consider the following:

  • Because consumers will be able to request far more information than ever before, all financial institutions must maintain integrated databases and networks to provide all requested information in a timely manner.
  • Because the CFPB will require certain procedures for reporting to credit agencies, all financial institutions must analyze their current procedures to ensure prompt compliance with the forthcoming CFPB rules.
  • Also, for both of the above reasons, all financial institutions should review their data storage practices to ensure the security and accuracy of all information they provide to consumers and to credit agencies.

In addition to the above, stay ahead of the curve by taking part in the rulemaking process. One last suggestion – contact your legal counsel for assistance in providing comments during the rulemaking process and for assistance with your compliance efforts regarding both Dodd-Frank and the final CFPB rules.