FDIC on Vendor Management

Interview with Donald Saxinger on Emerging Technologies and Trends
When it comes to managing third-party service providers, regulatory guidance hasn't evolved - but the technology landscape has.

In an interview on vendor management, Donald Saxinger, senior examination specialist with the FDIC, discusses:

  • What banks need to know about cloud computing;
  • The impact of social media;
  • How institutions can self-test their practices in advance of an official examination.

Saxinger is the team leader and subject expert for the FDIC's Division of Supervision and Consumer Protection in the area of regulatory IT examinations. He serves as the lead developer of the FDIC's IT examination standards and procedures, IT examiner education, and IT examination oversight. He has authored or contributed to various regulatory policies such as third-party risk and outsourcing, business continuity, payment systems, authentication, identity theft, spyware, and other emerging technologies. He is also a member of the FFIEC IT Examination Handbook working group which publishes the interagency guidance and examination procedures for various IT, payment, and operational risk areas.

Cloud Computing

TOM FIELD: So, we talked about vendor management about two years ago, when you worked with us on a webinar. Since then, the vendor management guidance hasn't changed, necessarily, but the technology landscape has. What are the current trends that most concern you in the FDIC?

SAXINGER: Well, you know, we wrote the guidance on vendor management to be governance-based, and we tried to not focus it on specific technology, so that when new technologies come down, you can use the existing guidance. You certainly don't need your regulator running around and chasing after every new piece of technology that comes out. But, there are some trends that we are seeing that people are asking about, "How do we do this?" And quite often, the regulators will respond that the existing guidance is appropriate.

So, for example, you know, we get questions on cloud computing, social media or mobile banking, or, you know, any of these new technologies, and they ask, "Well, can we do this?" And our response is, "Well, what does the existing vendor management guidance say? If you can fit it within that, then you can use that technology or service, and just follow the existing guidance."

So, as I mentioned, there are some new technologies. I don't want to call them new technologies, but banks are starting to wonder about using them.

You mentioned cloud computing. That's a big buzz word a lot lately, and a question I get is "Can we do cloud computing?" And, so the first thing I look at is, well, what does the existing guidance say? And it says you should have a proper due diligence or risk assessment, you know, contract issues, and monitoring. So, let's go back to the guidance that the agencies, all the agencies wrote on outsourcing technology services, and particularly around the contract issues, there are certain requirements that banks, financial institutions, need to ensure when they are outsourcing their banking function. In particular, they have to look at the confidentiality of customer information, they have to look at the business continuity or the availability of the service, if it is critical. They have to look at the integrity of the data as it is processed, regulatory access, they need to be able to get their data back, if there is a problem with the service provider or contract ownership of the data, and all of these things are covered in contract terms. We call them service level agreements. What are the specific terms of the contract that the bank should monitor? And that has been working well with a lot of these established service providers that are out there.

And now we are moving into more of a consumer or commodity type of market, with lots of new services out there, and we are just wondering, can we do them? Well, let's look, for a moment, at what types of contracts are available? So, for example, cloud computing. What is the benefit, or the driver, of cloud computing? A lot of people tell me it's the cost. The cost is the issue. It is being offered at a lower cost. And what are they offering? Well, I'm not going to get into all of the different products that are out there, but in cloud computing, they break it up into three categories. You know, applications as a service, platform as a service, things like that. These are all types of services that the banks are currently using, or types of things that the banks are currently doing that they have contracts for. But now we are moving into where these third parties are developing more of a consumer pricing model, I will call it, where we can get some of these services at lower cost, but what are we losing in return. And one of the things that I see, right off the bat, is the contract terms. There are fewer service level agreements that are out there that protect the customer, or in this case the bank.

One easy example that I go with is telecommunications. If we recall back when we were all using T1 lines, what was the average cost for a T1 line at a bank? You know, hundreds of dollars per month. But, what did they get for that? They got a guaranteed service, a guaranteed amount of bandwidth per month, a guaranteed amount of up time, and that was in the contract, and that's what they paid for. And now, consumers are getting the same level of bandwidth with their broadband types of connections at ridiculously low prices, at least compared to those T1 prices. And what has changed? Well, the service level agreement has changed. And so, now with broadband, you will be guaranteed up to a certain amount of bandwidth. Well, that's not really the same type of service level agreement that we had in banks. In banks, we had, "You get this amount, or there are certain penalties." So, now we are starting to see the same thing in other areas. We can move to a cheaper model, but there are going to be tradeoffs, as far as the amount of service level. And that is the part that the banks need to be aware of.

Social Media

FIELD: Well, Don, that's really helpful, and cloud computing absolutely is something I wanted to ask you about. And there are a few other challenges I want to talk with you about, as well. The first would be social media. Are social networking sites considered vendors?

SAXINGER: I don't know. That's a good question. I guess it depends on how you're using it. And one of the things we look at is "What is a vendor?" That is actually a deeper question than it would seem on the surface, one that would involve lawyers and compliance examiners and things like that. And why do we care about this, as a regulator or as a vendor? Well, we have certain guidance that is out there, particularly under the Bank Service Company Act, that any financial institution that contracts for services must notify their regulator, and that same regulation is also what gives us, as a regulator, a certain amount of authority to go and review some of those service providers. And so, why do you need to know if it is a vendor? Well, because you have a regulatory requirement to report it. Now, when this regulation was written, I think it was, like, 1961 or 1962, the idea of what all future technologies that are out there wasn't well known. So, we are constantly looking at, and we're seeing new technologies that we occasionally say, "Hey, that's a service for the bank." Which ones should the banks report? Well, consider if it is a banking function, anything that you would do as a bank, and if you can outsource it, and you do, then you probably should be notifying your regulator. And, you know, you can check with your regulator. Each one has certain forms that you can send in, and things like that.

Now, social media is sort of interesting, because we haven't written specific guidance on it, and banks ask us, "Can we do social media? What are the regulators going to say?" And so far, we've been saying "The existing guidance seems to work pretty well, particularly on vendor management." We have, of course, security and privacy rules. But, what are some of the specific issues with social media that I am seeing, related to vendor management? Well, first of all, if you were to outsource any banking function, it normally would go through some sort of process committee. You would look at the risks, the costs, the benefits, and all of that, and then some sort of committee would make a technology and business strategy decision if we are going to outsource it. Social media, just like cloud computing, in fact a lot of times, these are interchangeable, because social media uses cloud computing technology. Social media wasn't really designed for the enterprise. Just look at the first step, the contract, the signup process. You sign up with a user name and a password. Well, in an enterprise, how do you have a department manage this service if there is only one password? Which employees are going to have that password? Are they going to share it? Are they all going to take it home? What are the terms of the social media contract that they have given you? They are certainly not in favor of a commercial enterprise, like a bank. In fact, I think their contracts, or at least their terms of service, or their privacy agreements, and all that, they can sort of change at will, the provider. So, it's hard to say that you're going to be able to meet specific vendor management requirements with some of the social media providers.

It's not to say that we're saying "You can't do social media," it's just that, depending on what you're using it for, it may or may not meet some of our requirements under vendor management. Let's look at one of the requirements for ensuring that your vendor has the same level of security for customer information that the bank would have. That is a requirement under Gramm-Leach-Bliley. How do you ensure that with social media? So, that is a risk. And, the other problem is that, because some of these technologies, like social media or cloud computing, they don't require any technology or any infrastructure to be implemented in your institution, which means that it can bypass these committees that you might have established for ensuring that you've done the cost benefit analysis and the risk assessment. In fact, you could have, you know, even maybe one of your interns signing the bank up for one of these, and you won't even know it, so that's a risk area. So, even if you decide not to go into these areas, you may have to consider governance, some sort of policies within your institution about what are the appropriate practices and rules in our institutions with regard to these types of services?

Emerging Technologies, Services

FIELD: Well, you've got me thinking, Don, about so many emerging services that banks are getting into these days, cloud computing, social media, mobile banking, certainly, P2P payments. And the question arises, and I think you mentioned it, which types of these services do banks need to be up front about reporting to their regulators?

SAXINGER: Okay. Well, we do have the specific rule under the Bank Service Company Act, and I mentioned each regulator implemented a regulation for that. We are not always so sure ourselves, to be quite honest. We have to go to our legal department, and say, "Hey, there is this new technology out there. Is it one of these services?" But, in general, I would look at it from a banking function perspective. If this is a function of the bank, where somebody is performing some service for you that is a banking function or a decision-making function, including your operations and your technology and you have outsourced it, then yes, that would be a technology service that is reportable. And, the general idea behind that, and there are attorneys who can tell you all the legal requirements, but the general idea is that the regulator has unfettered access to the bank's operations, books and records, and just because you outsource some function somewhere should not hinder us from having access to those same operations, books and records. And likewise, as we put out in some of our policies on third party risk, just because the financial institution outsources it, the institution is still subject to the same requirements for administering all those functions. So, if it is outsourced, the bank is just as responsible for the risk management of those functions. And that is why we require notification.

FIELD: Don, let me make sure I'm clear on this. What is the specific distinction between outsourcing what you call "business function" versus outsourcing an IT function?

SAXINGER: Okay. Well, I don't know if we distinguish between them for regulatory purposes, but we do look at both aspects with respect to how we, as a regulator, are concerned about the system at risk. I mentioned there are certain service providers out there that we might want to go and examine. Now, there are an infinite number of service providers now, with the technology changing and things that banks are using, and we don't have the resources to go to everyone out there, and so we are looking at those types of service providers that may pose systemic risk to the banking industry. And one way that we can better manage our resources is to do a risk assessment of those service providers that are notified to us. And there are two areas that we look at. We look at the business process, and then we look at the underlying technology, and we rank those separately. So, we consider them both on our same risk ranking process. So, business function, IT processing, they sort of go hand in hand. In fact, we look at IT as simply one of the layers to support a business process. It is the lower layers, the technology layers, but every technology layer has an application on top of it, and every application has a user or an employee that utilizes that technology, and every employee is governed by policies within the institution and the policies are derived from their business strategy. So, we look at it from a holistic enterprise approach. So, technology is just one part of it. We start with the business process, and then we move down to technology.

Future Guidance?

FIELD: Don, an educated guess: Where do you think that banks might expect future guidance in vendor management?

SAXINGER: Well, I don't like to speculate on guidance in the future. I really don't know. I thought we wrote our guidance broad enough to cover most of these. But we are getting lots of requests for more guidance. I mentioned, like, social media and cloud computing. Usually, when these requests come in, it's because they are looking for more specific rules on can we do this, or can we do that. I don't know if we're going to write on that, because we took a risk-based approach, and that requires a little bit more work on the end, on the part of the examiner and on the part of the bank, to make the determinations. So, when they ask us, again, for more guidance, I sometimes wonder are they questioning whether or not the guidance that we issued does not apply, or is it completely different? And what you end up with, when we do that kind of guidance, is repetitive guidance, or guidance that reminds you, yes, this technology is covered by all of this existing guidance, whether it is IT vendor management guidance, or like, in social media, there's lots of compliance types of rules out there for dealing with consumers, you know, like Regulation E, marketing disclosures, and things like that. The guidance isn't going to change specific to a technology, and that is what people need to realize.

FIELD: That's a good point. Don, a final question for you. In the absence of any additional guidance, and in light of the emphasis that the FDIC, in particular, has put on vendor management for the past few years, what advice do you offer to banks to ensure that they are continuing to practice proper vendor management?

SAXINGER: Well, to ensure proper vendor management guidance, I'm going to speak as a regulator, you know, we do this sort of examination. One of the things that we published are the examination guidelines that we use. And, all of those guidelines are available either on the FDIC's website, or the FFIEC's website, and I strongly recommend that you use that as a self-assessment. At the beginning of, or just before every exam that the FDIC does, we send out an officer's questionnaire, and on that questionnaire is an entire section on vendor management. Why wait for that questionnaire to come in to answer it? Why not go download it right now, and see if you can effectively answer those questions? That's your self-assessment. And, likewise with the FFIEC guidance. There are the FFIEC handbooks on the FFIEC's website. The IT exam ... IT examination handbooks have various items that cover vendor management. For example, the outsourcing handbook is an important one. There is also some discussion in the management handbook. You might want to be familiar with the IT rating system that we use, which covers outsourcing risks. And that is the whole point, from the regulatory perspective, is we are trying to determine how well the institution is managing its risks. And third party and outsourcing risks are one of those categories. And if you are not managing it well, your risk rating is going to end up with a poorer rating. If you are managing it well, you get a better rating. And that is our role, as the regulator. So, go back and look at what our guidelines are on that, because we are using them, so I would suggest strongly that the institutions use them.

About the Author

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.
