Banking & Finance Law Report

Tag Archives: Data Security

Financial Regulators Release Guidance Regarding Technology Service Providers

Posted in Regulation and Compliance

Financial institution executives responsible for managing their institution's technology, or its relationships with technology service providers (TSPs), should become familiar with the updated guidance on the supervision of TSPs by financial institutions that was issued on October 31, 2012 by several federal banking regulatory agencies.  The issuance updates material that is nearly ten years old.

The Federal Financial Institutions Examination Council (FFIEC) released a revised Supervision of Technology Service Providers booklet (TSP Booklet), part of the FFIEC Information Technology Examination Handbook (IT Handbook).  The FFIEC exists to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions.  The TSP Booklet describes the federal financial institution regulatory agencies' statutory authority to supervise TSPs that contract with federally regulated financial institutions and provides guidance for these institutions and their examiners.  The TSP Booklet, which replaces and rescinds a March 2003 booklet, emphasizes that ultimate responsibility for the conduct of third-party service providers, and for their compliance with applicable law and regulation, lies with a financial institution's management and board of directors.

The TSP Booklet describes the federal Risk-Based Examination Priority Ranking Program (RB-EPRP) and the Uniform Rating System for Information Technology (URSIT) used in evaluating TSPs of financial institutions. The RB-EPRP uses a risk-based approach to determine the examination priority of TSPs, while the URSIT is used to consistently assess and rate the IT-related risks of financial institutions and their TSPs.

Concurrently with the TSP Booklet, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance …



FFIEC Statement on Outsourced Cloud Computing

Posted in Bank Regulation

Financial institutions should apply the same risk management strategies and considerations to outsourced "cloud computing" activities as are required for more traditional forms of outsourcing, according to a statement issued July 10th by the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC's statement explains that while there is no universal definition of "cloud computing," it generally involves a migration from owned resources to shared resources, through which a user can access and receive information technology services on demand from third parties via the online "cloud." Cloud computing can be used to provide infrastructure, computing platforms, and software, and a cloud may be operated privately by one organization, as a community cloud shared by several organizations, as a public cloud available to any paying customer, or as a hybrid combination of two or more private, community, or public clouds.

Although a financial institution’s use of outsourced cloud computing can have many potential benefits, such as cost reduction, flexibility and speed, the FFIEC statement indicates that the fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook (IT Handbook), particularly the Outsourcing Technology Services Booklet (Outsourcing Booklet), are as applicable to cloud computing as to other forms of information technology outsourcing. The nature of a cloud computing environment can increase the complexity of issues a financial institution may face with regard to information security, legal and regulatory considerations, and business continuity of outsourced operations. Financial institutions should perform adequate due diligence reviews, practice good vendor management, and use …



Consumer Privacy After Dodd-Frank: What Bankers Need to Know

Posted in Consumer Law

Bankers and other financial product and service providers should expect to provide their consumer customers with far greater access to information than ever before.

The financial reform law adopted last year, known as the Dodd-Frank Wall Street Reform and Consumer Protection Act, established a new financial regulatory agency known as the Consumer Financial Protection Bureau. Under Dodd-Frank, the CFPB has the authority to promulgate regulations governing the credit agency reporting practices of financial institutions, including community banks. Also, under Dodd-Frank, banks must make available to each consumer all information regarding a financial product or service such consumer has purchased, including transaction history, cost, and usage information. All of this must be made available in an electronic, usable format, which will be prescribed and overseen by the CFPB.

The CFPB will now have authority to promulgate rules related to privacy and data security under the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act and the Financial Privacy Act. Under Dodd-Frank, the CFPB is authorized to promulgate rules “identifying as unlawful, unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service.” The portion of CFPB authority focusing on abusive acts or practices is new in the consumer protection world—giving the CFPB broad authority to regulate in a completely undeveloped area of the law.

All these privacy and data security regulatory changes, some of them known and others forthcoming, will potentially mean large changes in the …

