Pub. 5 2014 Issue 2
www.wvbankers.org 20 West Virginia Banker

coverage requirements. Third party vendors that may have been reluctant to address each of these areas in the past will now be forced to negotiate on these topics so that they can be addressed in the contract.

Subcontracting

The area where banks gain the most leverage as a result of the OCC and Federal Reserve guidance is subcontracting. The OCC guidance provides that the parties must specify the activities that cannot be subcontracted and whether the bank prohibits the third party from subcontracting activities to certain locations or specific subcontractors. The OCC guidance also indicates that a bank should reserve the right to terminate the contract without penalty if the subcontractor does not comply with the terms of the contract.

The Federal Reserve guidance provides that if contracts allow for subcontracting, the same contractual provisions in the agreement with the third party should apply to the subcontractor. Contract provisions should clearly state that the primary service provider has overall accountability for all services that the service provider and its subcontractors provide. The contract should address the service provider's due diligence process for engaging and monitoring subcontractors, and the notification and approval requirements regarding changes to the service provider's subcontractors. The Federal Reserve cautions banks to pay special attention to any foreign subcontractors, as information security and data privacy standards may be different in other jurisdictions. The Federal Reserve guidance also recommends that contracts include the service provider's process for assessing the subcontractor's financial condition to fulfill contractual obligations.
Responsibilities for Providing, Receiving, and Retaining Information

Under the OCC guidance, a bank must ensure that the contract requires the third party to provide and retain timely, accurate, and comprehensive information such as records and reports that allow bank management to monitor performance, service levels, and risks. The contract also should stipulate the frequency and type of reports required, for example, performance reports, control audits, financial statements, security reports, BSA/AML and Office of Foreign Assets Control (OFAC) compliance responsibilities and reports for monitoring potential suspicious activity, reports for monitoring customer complaint activity, and business resumption testing reports. In addition to the specific types of reports, the bank must ensure that the contract addresses the following: failures to adhere to the contract and notification of financial difficulty, catastrophic events, data loss, service or systems interruptions, significant changes to the vendor’s systems or key personnel, significant business changes, and the ability of the third party to resell, assign or permit access to the bank’s data and systems to other entities.

The Right to Audit and Require Remediation

The OCC guidance states that the contract should ensure that the bank has a right to audit, monitor performance, and require remediation when issues are identified. The OCC recommends that the bank reserve the right to conduct its own audits of the third party’s activities or to engage an independent party to perform such audits. Audit reports also should include a review of the third party’s risk management and internal control environment as it relates to the activities involved and of the third party’s information security program and disaster recovery and business continuity plans.
Responsibility for Compliance with Applicable Laws and Regulations

The OCC and Federal Reserve guidance require that the contract address compliance with the specific laws, regulations, and regulatory guidance and provide the bank with the right to monitor on an ongoing basis the third party’s compliance with these laws. Banks will now be able to contractually require third party vendors to comply with certain provisions of the Gramm-Leach-Bliley Act (GLBA), including the privacy and safeguarding of

Vendor Management — continued from page 19