"Your expertise in project management and system implementation fulfilled the Bank's requirements for overall project management by directly working with our internal project management leads."

-Patrick M. Fahey, President and Chief Executive Officer
Pacific Northwest Bank

Latest News

Service Providers Respond to New Pressure From Regulators

bankinfosecurity.com, 6/30

How do third-party service providers respond to regulatory pressure on financial institutions to improve vendor management? The major banking regulatory agencies have sent a statement to the institutions they oversee: do a better job of selecting, contracting with and managing your major vendors. But the pressure isn’t solely on banking institutions to improve their practices. The heat is also on the vendors themselves to anticipate their clients’ needs and to do a better job of helping them respond to these higher levels of regulatory scrutiny.

The larger service providers and larger institutions are ‘well aware of the vendor management tasks they need to perform,’ notes Ken Stasiak of SecureState. The real pressure, observers say, is on the smaller ‘mom and pop’ vendors. Financial institutions have been doing third-party risk assessments under the requirements of the Gramm-Leach-Bliley Act and as part of their regulatory examinations. But with this focus, the costs of performing additional risk assessments are likely to be absorbed by institutions and vendors alike, a heavy burden for the smaller players.

Tom Wachtl of Fiserv agrees that recent regulatory guidance affects the smaller vendors more than the top-tier banking service providers: ‘We’ve been operating under those guidelines and expectations for many years.’ Fiserv is one of the service providers that is assessed directly by the federal examiners; it meets with FFIEC bank examiners once per quarter to keep them updated on Fiserv activities. Metavante goes through ‘very rigorous tests and audits,’ both internally and by the FFIEC, for vendor management, and Dave Fortney of Metavante says the firm regularly shares the results of these audits with its financial institution customers. Fidelity National Information Services (FIS) also undergoes the FFIEC audits, according to Michael Weathers of Fidelity: ‘We don’t anticipate making any significant changes to our program. To ensure FIS is meeting our clients’ ongoing needs, we have established a semi-annual roundtable session with clients to review our governance, security, audit, business continuity and vendor programs.’ Last year, FIS was invited to present its client/vendor governance program to the FFIEC’s national examiner conference because it was ‘noted to be the gold standard within the industry.’

Analysts share the large service providers’ perspective on the vendor management landscape. ‘The increased scrutiny being placed upon third-party solution providers will likely impact the smaller players in the industry,’ says David Schneier of Icons Inc. Entities such as Fiserv are addressing many of the concerns inherent in the relationship between a financial institution and a vendor. ‘These firms are providing SAS 70s that are comprehensive and well-documented. Their contract language is specific to info security and data handling policies/procedures, and the contract language provides service level agreement touch points.’

SAS 70 is a professional standard set up for a service auditor to audit and assess the internal controls of a third-party service provider. Recent regulatory guidance is clear that SAS 70 reviews alone do not suffice as evidence of an institution’s risk assessment program, but they are a foundation upon which stronger practices can be built. Schneier cautions that a SAS 70 doesn’t necessarily provide assurance that the vendor is operating in a secure and properly managed environment. ‘It simply provides proof regarding what was tested. Upon closer inspection, some of these vendors may be found to have issues that were previously overlooked.’

The cost of becoming as robust as the larger vendors is a challenge for the smaller players in the market. ‘Providing such a strong compliance posture requires a significant investment. For the smaller vendors who haven’t had to address this or have only done so partially, this will present challenges in terms of financial and resource constraints.’ With the looming reality of real costs involved in building the type of controls necessary going forward, ‘this could wind up being too great a burden to bear’ for vendors with a single offering or a small market share. Schneier also sees smaller vendors who are doing things right ‘but never had to provide proof, and now may be revealed as being more secure, more reliable and better business partners than their larger competitors.’

David Walter of Archer Technologies, a risk and compliance solutions vendor, says there has been ‘an explosion’ in the past 18 months on the management side in the controls that vendors place on data. He sees an increased cost burden on both institutions and service providers. Steve McCalmont of Avior Computing says vendor risk has long been a major issue in the financial services industry. ‘It is now being put into reasonable perspective, and everyone is getting a better understanding of it,’ he observes. Regulators are pushing financial institutions to look at their overall risk as a whole, ‘not just one single vendor or one area of their institution.’ This leads to more questions being raised by institutions, and more vendors being assessed on how well they are handling risk within their own operations.

McCalmont sees two ends of the vendor management spectrum: using automated tools to benchmark an institution’s vendor management program, and institutions sending out Excel spreadsheets asking vendors to answer all the questions they have about the vendor’s risk and information security practices. ‘Sending an Excel spreadsheet via email asking those types of questions is an information security flaw in itself.’ The BITS Shared Assessment program has developed a secure portal through which industry vendors submit their information to institutions, precisely because they did not want such sensitive information about their services being sent in a spreadsheet over email. For institutions that can’t afford or aren’t mature enough yet to add automation internally, this portal offers the ability to retrieve information from their vendors in a secure manner.

BITS is a division of the Financial Services Roundtable, created by the CEOs of the 100 largest financial institutions in the US. The Financial Institution Shared Assessments Program developed by BITS is an exhaustive process that can prove taxing on smaller institutions and vendors that lack sufficient resources dedicated to it.