The FDIC Office of Inspector General released a report on February 15, highly critical of Financial Institutions (FIs) lack "...of risk assessments or contract due diligence." The report stated in the OIGs review of Technology Service Provider (TSP) contracts with FIs, the contracts did not include critical contract provisions "to manage its own business continuity planning and incident response and reporting operations." Additionally the report cites the contracts did not sufficiently define key terms related to BCP and incident response. As a result most contracts with FIs and TSPs lack assurances the TSP "could recover and resume critical systems" and further lacked obligations of the TSP to "take appropriate steps to contain and control incidents."

The FDIC OIG Report, is a finding on the symptoms to a bigger problem.

From my perspective this is much to blame on the lack of training IT staff are given regarding contracting and risk management. Basic negotiation skills are not why we hired IT staff. Of course, the executive teams place an inordinate amount of pressure on IT staff to get it going "now!" Of course, both IT and executive management punt the contract to Legal. The Legal department, while being experts on the law, are relying on the IT department to be experts in the product/service they are buying; and Legal needs the executive team to approve the spend.

The problem? NO ONE wants to look at the problem for all three perspectives at once (albeit it is difficult to find someone with Technology, Finance and Negotiation skills).  So most FIs, under pressure from the regulators, throw "consultants" at the problem.  The problem with that tactic... the majority of consultants lack any real practical experience in all three areas (book smart vs. street smart).  If you've recently hired a consultant to help here, I imagine you have a lot of new policy and procedures to process. Do you feel like you are any better off? Or is the account a few $100k lighter.  

Over the last 20 years of my career I have fought this battle internally and externally. It's not easy. Building a good program to manage Vendor Risk and establish a full Vendor Management Program (Sourcing, Risk, Contract and Relationship) should be built into your corporate strategy (regardless of industry). Simply, as you increase your reliance on third party services, you need to increase your capabilities to properly manage those third party services.

Again, the FDIC OIG Report, is a finding on the symptoms to a bigger problem.

Did you see this article?

Director Cordray sends warning to vendors of TRID rule compliance... 10/20/2015

If not, you should really take a look.  And if you're a vendor/supplier to FIs... You really need to take a look.  In short, if the vendor isn't pulling his/her weight, FIs may be forced to stop using the service.  Do you have the correct contract clause to cover you? Or are the termination liabilities?  And to you

vendors; if the CFPB tells the FI to leave, what is your recourse? 

 Did you inherit a program, policy, procedure and you're asking yourself where to start?  (Secretly asking your-self, what the hell did I get myself into?) Are you scrambling to understand your companies eGRC platform (OpenPages, Archer, Metricstream, R-sam, etc.)? Or maybe you're just following a process that someone else put in place; you're doing it well, but have no idea why you’re doing it.

I can definitively say you are not alone. If you look at most resumes, LinkedIn profiles and talk to HR departments, people are moving from job to job on a 3 to 5 year cycle.  We're all aware the 30-years, gold watch and pension programs are long gone.  We change jobs... and maybe that's what you just did.

 And...

Now you're looking at a complex, complicated and overwhelming process. You may have a Procurement background, or you came from Legal or Contracts Management, maybe your last job was Enterprise Risk Management, or Information Security.  

So, do you know your departments Purpose, Mission and Values? What are your Initiatives? Are you being asked by Managers, Executives, and HR to create SMART Goals and establish time-lines, work toward deadlines to achieve your milestones? I’m going to assume yes.

 Let me help… Your program needs to cover Four Strategic Initiatives.  

• Vendor Relationship Management
• Vendor Risk Management
• Strategic Sourcing and Due Diligence
• Contracts Management and Administration 

Gary Norcross, President and CEO of FIS made the statement yesterday, "We believe SunGard is a perfect fit." Norcross stated big financial institutions want to deal with fewer vendors, making it an advantage to have FIS and SunGard packaged.  

What it really means is we will have a more difficult time understanding the concentration risk factors that must now be considered. Don't get me wrong, I completely understand the desire to put the eggs all in one basket. It is simply easier to bring them to market. Plus, if I want an omelet, we don't have to go far.  Oh yes... there is the old adage of having only one throat to choke when things spin out of control. 

But the fact is my relationship with large, multi-product service providers is already far more complicated.  Large service providers like FIS, Fiserv, Jack Henry, D&H, etc. are already internally silo'd like Microsoft, Oracel, Cisco are in the tech side.  So does it really feel like it's any easier to work with one vendor verses multiple vendors? 

Below is what I found on the FTC web site regarding GLBA and defining what is and is not NPI... 

NPI is:

• any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." In other words, information is not NPI when you have taken steps to determine:

• that the information is generally made lawfully available to the public; and
• that the individual can direct that it not be made public and has not done so.

For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be "publicly available."

Information in a list form may be NPI, depending on how the list is derived. For example, a list is not NPI if it is drawn entirely from publicly available information, such as a list of a lender's mortgage customers in a jurisdiction that requires that information to be publicly recorded. Also, it is not NPI if the list is taken from information that isn't related to your financial activities, for example, a list of individuals who respond to a newspaper ad promoting a non-financial product you sell.

But a list derived even partially from NPI is still considered NPI. For example, a creditor's list of its borrowers' names and phone numbers is NPI even if the creditor has a reasonable basis to believe that those phone numbers are publicly available, because the existence of the customer relationships between the borrowers and the creditor is NPI.

Update on Friday, July 3, 2015 at 12:36PM by Bradley Martin

Here's the link where I copied the definition... 

https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm