FDIC on Improving Vendor Management
Cloud, Mobile Banking Models Need Extra ScrutinyDuring an exclusive two-part interview with Information Security Media Group, Donald Saxinger, senior examination specialist with the Federal Deposit Insurance Corp., says banking regulators are relying on existing guidance when they conduct examinations to review vendor management programs. But they also are more closely monitoring service level agreements and contracts that touch relationships with third-party vendors in emerging technology areas such as cloud computing, mobile banking and mobile payments.
"You need to have a proven methodology for tracking and reporting on all of these relationships," Saxinger says. "The cloud has gotten pretty complicated, when it comes to tracking where your data actually is. With cloud computing, we're still in the learning phase. There are so many cloud computing providers out there, it's hard to lock down standards."
Pointing to vendor management guidance issued in June 2004, "Outsourcing Technology Services," Saxinger says financial institutions can still glean valuable insight into what regulators expect, what benchmarks vendors should set and what banks themselves should be doing internally to ensure they sufficiently assess risks and ensure due diligence in their contracts with third parties.
"Examiners use the booklet to conduct exams, banks use it for self assessment and vendors or providers use it to ensure they are complying with what the regulators want," he says. "It covers the basic areas we think financial institutions should address or cover in their service agreements," he says. "It takes a risk management approach."
But Saxinger also suggests banking regulators will look beyond existing guidance, since emerging technologies, especially in the mobile arena, are not specifically addressed.
Emerging Tech and Unknown Risks
"Mobile has some specific challenges because it's so new," Saxinger says. "So, do you manage that as a vendor? If you're going into that, into mobile, you have to deal with more players than just the core provider. It becomes a lot more complicated for a financial institution to understand the security."Agreements and contracts with cloud providers and mobile payments vendors are not likely to include the same protections included in the traditional core-processor agreements banks have grown accustomed to, Saxinger says. "In mobile banking, application security is a concern. There's a question of trust: Who's developing these applications?" he says. " There's not always a lot of vetting of these vendors, especially in an indirect banking model."
New Views on Mobile, Cloud
Saxinger's view in 2011 has evolved from the view he shared in October 2010, when he said emerging technology should be viewed in light of existing mandates and regulatory guidance. [See FDIC on Vendor Management.] Then, Saxinger said existing guidance provided adequate guidelines for vendor management, even when it touched emerging fields like mobile and social networking. "We get questions on cloud computing, social media or mobile banking," he said. "Our response is, 'Well, what does the existing vendor management guidance say? If you can fit it within that, then you can use that technology or service, and just follow the existing guidance.'"Regulators still must look to existing guidance, but Saxinger now suggests regulators are broadening their perspective about emerging technologies, and they're honing their assessments on unknown risks. Privacy is a concern, he says, one that veils not only mobile banking and payments, but the cloud as well. "The same technology that can be used to improve security is also a security risk," Saxinger says.