A guide to help Financial Institutions and Technology Service Providers achieve their business continuity objectives

By John Beattie

In April 2019, the FDIC released FIL-19-2019, a document providing financial institutions with guidance and compliance requirements for contracts with Technology Service Providers (TSPs), focused on business continuity and incident response. FDIC regulated Financial Institutions (FIs) and the TSPs they rely on to deliver mission critical services, must work together to meet these requirements to ensure business resilience. They each share the same goal of minimizing risk but have very different objectives about how to accomplish it.

As a TSP who provides business continuity consulting and technology services to many FIs and TSPs, Sungard Availability Services knows how to optimize business continuity, incident response, and third-party risk for FIs and TSPs. It’s what we do.

Below are three key steps to ensure that FIs and TSPs meet the requirements under the FDIC’s Business Continuity Planning booklet:

  1. Collaborate on a Common Set of Objectives: Each party wants to minimize their risk, but there are individual and common objectives:
    • FIs need to understand the risks being passed on to them from the third-party so they can properly manage them internally.
    • TSPs need to understand the risks of their internal capabilities and the extent to which they are comfortable committing to managing them in a contract.
    • Both parties have an interest in establishing a mutually agreeable deal and contract.
  1. Identify Next Steps and Act: It’s not enough just to recognize what you need to do – it’s critical to set a plan in place and take action. Below are some good practices that should be in place by FIs and TSPs to meet FDIC rules and regulations:

Two Parties with a Common Goal

Minimize Risks | Set Expectations | Comply with Rule & Regulations

Financial Institutions

For your business continuity and incident response control expectations:

  • Ask the relationship-relevant control questions that need to be asked during due diligence and contract negotiation.
  • Define the response and internal action options for each question – what you will do based on a TSP’s response to your control questions.
  • Craft contract language that enforces your preferred position on the controls you care most about.
Technology Service Providers

For your business continuity and incident response control capabilities:

  • Identify needed improvements to your programs, processes, and capabilities with the goal of assuring they can withstand customer scrutiny.
  • Prepare easy to read collateral and references to simplify customer verification.
  • Collaborate with your contracts department to develop language for ongoing monitoring of your customer commitments.
  1. Monitor and Assess Completed Actions with a focus on Continuous Improvement: Remaining diligent in managing organizational resilience is critical for both FIs and TSPs. There needs to be a continuous feedback mechanism in place focused on business resilience, not just adhering to the terms and condition of a contract. Specific guidance for each party includes:
    • Financial Institutions: Need to make sure they are performing adequate due diligence in addition to negotiating contractual terms, service levels and ongoing commitments. They need to trust the vendor relationship but also have a set of verifiable controls in place to monitor and measure TSP performance.
    • Technology Service Providers: Need to have confidence in the effectiveness of their business continuity and incident response programs, processes, and capabilities before making contractual commitments to their FI customers. They need to agree to provide verifiable evidence that their programs remain viable and treat the FIs they serve as true program stakeholders.

About the Author: John Beattie is a Principal in Sungard Availability Services’ Business Advisory practice. His consulting focus is on Business Continuity, Third-party Risk Management, and IT Service Risk Management. He has worked with both FIs and TSPs on their business continuity and incident response capabilities and inter-relationships.

Related Articles