Three Steps to Comply with FIL-19-2019: Technology Service Provider Contracts

    May 1, 2019

    A guide to help Financial Institutions and Technology Service Providers achieve their business continuity objectives

    By John Beattie

    In April 2019, the FDIC released FIL-19-2019, a document providing financial institutions with guidance and compliance requirements for contracts with Technology Service Providers (TSPs), focused on business continuity and incident response. FDIC-regulated Financial Institutions (FIs) and the TSPs they rely on to deliver mission-critical services must work together to meet these requirements and ensure business resilience. They share the same goal of minimising risk but have very different objectives about how to accomplish it.

    As a TSP that provides business continuity consulting and technology services to many FIs and TSPs, Sungard Availability Services knows how to optimise business continuity, incident response, and third-party risk for FIs and TSPs. It’s what we do.

    Below are three key steps to ensure that FIs and TSPs meet the requirements under the FDIC’s Business Continuity Planning booklet:

    1. Collaborate on a Common Set of Objectives: Each party wants to minimise their risk, but there are individual and common objectives:
      • FIs need to understand the risks being passed on to them from the third party so they can properly manage them internally.
      • TSPs need to understand the risks of their internal capabilities and the extent to which they are comfortable committing to managing them in a contract.
      • Both parties have an interest in establishing a mutually agreeable deal and contract.
    2. Identify Next Steps and Act: It’s not enough just to recognise what you need to do – it’s critical to set a plan in place and take action. Below are some good practices that FIs and TSPs should have in place to meet FDIC rules and regulations:

    Two Parties with a Common Goal

    Minimise Risks | Set Expectations | Comply with Rules & Regulations

    Financial Institutions

    For your business continuity and incident response control expectations:

    • Ask the relationship-relevant control questions that need to be asked during due diligence and contract negotiation.
    • Define the response and internal action options for each question – what you will do based on a TSP’s response to your control questions.
    • Craft contract language that enforces your preferred position on the controls you care most about.

    Technology Service Providers

    For your business continuity and incident response control capabilities:

    • Identify needed improvements to your programs, processes, and capabilities with the goal of assuring they can withstand customer scrutiny.
    • Prepare easy-to-read collateral and references to simplify customer verification.
    • Collaborate with your contracts department to develop language for ongoing monitoring of your customer commitments.
    3. Monitor and Assess Completed Actions with a Focus on Continuous Improvement: Remaining diligent in managing organisational resilience is critical for both FIs and TSPs. There needs to be a continuous feedback mechanism in place focused on business resilience, not just adherence to the terms and conditions of a contract. Specific guidance for each party includes:
      • Financial Institutions: Need to make sure they are performing adequate due diligence in addition to negotiating contractual terms, service levels and ongoing commitments. They need to trust the vendor relationship but also have a set of verifiable controls in place to monitor and measure TSP performance.
      • Technology Service Providers: Need to have confidence in the effectiveness of their business continuity and incident response programs, processes, and capabilities before making contractual commitments to their FI customers. They need to agree to provide verifiable evidence that their programs remain viable and treat the FIs they serve as true program stakeholders.

    About the Author: John Beattie is a Principal in Sungard Availability Services’ Business Advisory practice. His consulting focus is on Business Continuity, Third-party Risk Management, and IT Service Risk Management. He has worked with both FIs and TSPs on their business continuity and incident response capabilities and inter-relationships.
