IT EXAMS

Recent red flags related to vendor risk management

By John Ginovsky

Last year, in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor, says Donald Saxinger, senior examination specialist in FDIC's Technology Supervision Branch.

"I'm not saying it was the primal causal factor, but, in 46% of the downgrades, vendor management was cited," Saxinger says. He spoke during the recent ABA Telephone Briefing "Vendor management: Unlocking the value beyond regulatory compliance."

Saxinger says he drilled down with his colleagues to find more specific reasons this factor has emerged in troubling IT exam results.

"The No. 1 issue that a lot of examiners told me was the banks are not requesting copies of the exams of their service providers," he says. "We do examine service providers. It would be a very good monitoring and continued due diligence practice to see what the regulators are saying about your service providers."

Other related observations and suggestions gleaned from exam results include:

Vendor management needs to consider all service providers that hold sensitive customer information, not just IT vendors. These include loan workout consulting, appraisal review companies, outside attorneys, and others.

Make sure to get the proper exam reports about individual vendors. Some banks just obtain reports for the host data center, but not for the specific application that the banks were using.

Even the proper reports don't cover everything that a bank must consider in its security risk management efforts. For example, one service provider with an otherwise clean report did not have an internal audit program and its business continuity planning was poorly documented.

"When you're contracting with a vendor, you need to ask questions more than just what's in the [exam report]. What other types of audits do they have? You need a security audit. You need to comply with Gramm-Leach-Bliley. Do they have effective business continuity?" Saxinger says.

For information on obtaining an audio copy and materials from the ABA telephone briefing, go to http://www.aba.com/Training/teleweb/Pages/tb103112.aspx.

About the Author

John Ginovsky is contributing editor of ABA Banking Journal and editor of the publication's TechTopics e-newsletter. For more than two decades he has written about the commercial banking industry. In particular, he has specialized in the technological side of banking and how it relates to the actual business of banking. He previously was senior editor for Community Banker magazine (which merged with ABA Banking Journal) and was a staff writer for ABA's Bankers News.

[This article was posted on February 20, 2013, on the website of ABA Banking Journal, www.ababj.com.]